virtiofs mounted filesystems & SELinux

Link Dupont link at sub-pop.net
Thu Jun 3 18:48:09 UTC 2021


Adding the <binary xattr='on'> element to the <filesystem> device does 
seem to spawn virtiofsd with the option string "source=/home,xattr". My 
guest can no longer mount the device though.

It errors with:

[ 170.225553] 9pnet_virtio: no channels available
mount: mount(2) failed: No such file or directory

I think what this is doing is causing libvirt to create the device as a 
virtiofs device instead of a 9p device. The EL7 kernel doesn't have a 
virtiofs driver, so it can't mount virtiofs devices.

My knowledge is unfortunately limited about the nuances between 9p and 
virtiofs. So I'm mostly experimenting by trial-and-error here.

On Wed, Jun 2 2021 at 03:55:40 PM -0500, Connor Kuehl 
<ckuehl at redhat.com> wrote:
> On 5/21/21 11:59 AM, Link Dupont wrote:
> 
> Adding the virtio-fs mailing list.
> 
>> I am mounting a filesystem into a domain using the virtiofs driver.
>> 
>> <filesystem accessmode="passthrough" type="mount">
>>       <source dir="/home"/>
>>       <target dir="/home"/>
>>       <driver type="virtiofs"/>
>> </filesystem>
>> 
>> Both my host (Fedora 34) and guest (CentOS 8.4) are running with SELinux
>> enforcing. From my host, I can see that the SELinux context type is set to
>> user_home_dir_t.
>> 
>> $ ls -ldZ /home/link
>> drwxr-xr-x. 61 link link system_u:object_r:user_home_dir_t:s0 8192 May 21 12:41 /home/link
>> 
>> From within the guest however, the volume is unlabeled_t
>> 
>> $ ls -lZd /home/link
>> drwxr-xr-x. 61 link link system_u:object_r:unlabeled_t:s0 8192 May 21 12:53 /home/link
>> 
>> Is there a way to pass the SELinux context through to the guest? Or mount the
>> volume with the correct options to map SELinux contexts?
>> 
> 
> Hi,
> 
> I'm afraid I actually don't know that much about SELinux but I read
> that it relies on using extended attributes in the file system to
> accomplish its labeling.
> 
> Do you still experience this issue when you enable extended attribute
> support[1] in virtiofsd? The example in the optional parameters snippet
> enables extended attributes with the xattr='on' element.
> 
> Connor
> 
> [1] https://libvirt.org/kbase/virtiofs.html#optional-parameters
> 
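An added diagnostic (not from the thread, libvirt or virtiofsd) that checks the two things this exchange turns on: whether the guest kernel lists virtiofs in /proc/filesystems at all, and whether the security.selinux xattr of the shared path reaches the guest with the host's type rather than unlabeled_t. The labels are the ones quoted above; the script name, its function names and its argument order are assumptions, and reading the xattr is Linux-only.

```python
"""Added diagnostic: does the guest kernel know virtiofs, and does the host's SELinux label reach the guest?"""
import os
import sys
from typing import Dict, Optional


def kernel_supports_virtiofs(proc_filesystems: str) -> bool:
    """True if the guest kernel lists 'virtiofs' (the FS name is the last column of each line)."""
    names = [line.split()[-1] for line in proc_filesystems.splitlines() if line.strip()]
    return "virtiofs" in names


def parse_label(label: str) -> Dict[str, str]:
    """Split 'user:role:type:level' into fields; the MLS level itself may contain ':'."""
    parts = label.rstrip("\0").split(":", 3)
    if len(parts) != 4:
        raise ValueError("not an SELinux context: %r" % label)
    return dict(zip(("user", "role", "type", "level"), parts))


def diagnose(host_label: str, guest_label: Optional[str]) -> str:
    """Explain what the guest sees relative to the label the host has on disk."""
    host = parse_label(host_label)
    if guest_label is None:
        return "guest exposes no security.selinux xattr (SELinux off in guest, or the mount does not support xattrs)"
    guest = parse_label(guest_label)
    if guest["type"] == "unlabeled_t" and host["type"] != "unlabeled_t":
        return "guest sees unlabeled_t while host has %s: labels are not passed through" % host["type"]
    if guest == host:
        return "labels match: xattr passthrough works"
    return "labels differ: host %s, guest %s (guest policy may remap them)" % (host_label, guest_label)


def read_label(path: str) -> Optional[str]:
    """Read the security.selinux xattr of path (Linux only); None if it cannot be read."""
    try:
        return os.getxattr(path, "security.selinux").decode().rstrip("\0")
    except OSError:
        return None


if __name__ == "__main__":
    # Usage inside the guest (assumed): check_virtiofs_label.py <mounted path> <label seen on the host>
    path, host_label = sys.argv[1], sys.argv[2]
    with open("/proc/filesystems") as f:
        print("virtiofs in guest kernel:", kernel_supports_virtiofs(f.read()))
    print(diagnose(host_label, read_label(path)))
```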