Re: [Virtio-fs] virtiofs mounted filesystems & SELinux
* Link Dupont (link(a)sub-pop.net) wrote:
Adding the <binary xattr='on'> element to the
<filesystem> device does seem
to spawn virtiofsd with the option string "source=/home,xattr". My guest can
no longer mount the device though.
It errors with:
[ 170.225553] 9pnet_virtio: no channels available
mount: mount(2) failed: No such file or directory
I think what this is doing is causing libvirt to create the device as a
virtiofs device instead of a 9p device. The EL7 kernel doesn't have a
virtiofs driver, so it can't mount virtiofs devices.
My knowledge is unfortunately limited about the nuances between 9p and
virtiofs. So I'm mostly experimenting by trial-and-error here.
They're almost entirely different implementations; if you have a
virtiofsd then you're running virtiofs, not 9p, and yes RHEL7 won't like
that.
(I'm not sure el7 had 9p either??)
Dave
On Wed, Jun 2 2021 at 03:55:40 PM -0500, Connor Kuehl
<ckuehl(a)redhat.com>
wrote:
> On 5/21/21 11:59 AM, Link Dupont wrote:
>
> Adding the virtio-fs mailing list.
>
> > I am mounting a filesystem into a domain using the virtiofs driver.
> >
> > <filesystem accessmode="passthrough" type="mount">
> > <source dir="/home"/>
> > <target dir="/home"/>
> > <driver type="virtiofs"/>
> > </filesystem>
> >
> > Both my host (Fedora 34) and guest (CentOS 8.4) are running with
> > SELinux
> > enforcing. From my host, I can see that the SELinux context type is
> > set to
> > user_home_dir_t.
> >
> > $ ls -ldZ /home/link
> > drwxr-xr-x. 61 link link system_u:object_r:user_home_dir_t:s0 8192
> > May 21
> > 12:41 /home/link
> >
> > > From within the guest however, the volume is unlabeled_t
> >
> > $ ls -lZd /home/link
> > drwxr-xr-x. 61 link link system_u:object_r:unlabeled_t:s0 8192 May
> > 21 12:53 /
> > home/link
> >
> > Is there a way to pass the SELinux context through to the guest? Or
> > mount the
> > volume with the correct options to map SELinux contexts?
> >
> >
>
> Hi,
>
> I'm afraid I actually don't know that much about SELinux but I read
> that it relies on using extended attributes in the file system to
> accomplish its labeling.
>
> Do you still experience this issue when you enable extended attribute
> support[1] in virtiofsd? The example in the optional parameters snippet
> enables extended attributes with the xattr='on' element.
>
> Connor
>
> [1] https://libvirt.org/kbase/virtiofs.html#optional-parameters
>
_______________________________________________
Virtio-fs mailing list
Virtio-fs(a)redhat.com
https://listman.redhat.com/mailman/listinfo/virtio-fs
--
Dr. David Alan Gilbert / dgilbert(a)redhat.com / Manchester, UK