[Virtio-fs] virtiofs mounted filesystems & SELinux

Link Dupont link at sub-pop.net
Fri Jun 4 02:14:24 UTC 2021


On Thu, Jun 3 2021 at 08:56:46 PM -0400, Link Dupont <link at sub-pop.net> 
wrote:
>  reproducible scenarios

Alright. I reran my tests with a CentOS 8 guest. On CentOS 8 (with a 
virtiofs filesystem and with xattr on), the type of files in the 
mounted hierarchy is unlabeled_t. I can work around that by switching 
SELinux in the guest to permissive or disabled.

With a CentOS 7 guest, things get less usable. I digested this to a 
reproducible scenario.

Build a disk image with `virt-builder`, configuring the CentOS Plus 
kernel to get 9p support.

virt-builder centos-7.8 \
  --root-password password:centos \
  --output centos-7.8.qcow2 \
  --install yum-utils \
  --run-command 'yum-config-manager --enable centosplus' \
  --run-command 'sed -i "s/DEFAULTKERNEL=kernel/DEFAULTKERNEL=kernel-plus/" /etc/sysconfig/kernel' \
  --append-line '/etc/dracut.conf.d/virtio.conf:add_drivers+="virtio_scsi virtio_pci virtio_console"' \
  --append-line '/etc/modules-load.d/9pnet_virtio.conf:9pnet_virtio' \
  --install kernel-plus \
  --append-line '/etc/fstab:home /home 9p trans=virtio,version=9p2000.L 0 0'

Install the volume into the `default` pool.

sudo install -m644 centos-7.8.qcow2 /var/lib/libvirt/images

Next, define a domain using the disk image (using `virt-install` here 
for "easy mode").

virt-install \
  --import \
  --os-variant centos7.0 \
  --name centos \
  --ram 2048 \
  --disk path=/var/lib/libvirt/images/centos-7.8.qcow2 \
  --memorybacking access.mode=shared \
  --filesystem source=/home,target=home,accessmode=passthrough \
  --autoconsole none

Now with SELinux enforcing, I cannot list the contents of the 
directories in the mounted hierarchy.

[root at localhost ~]# ls -lZ /home/link
ls: cannot open directory /home/link: Permission denied
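
As an added example (not part of the message above), a small POSIX shell script that scans /proc/mounts-style lines for 9p and virtiofs mounts and reports which of them carry no `context=` mount option, plus a helper that adds one to an fstab line like the one in the virt-builder command. The sample mount lines, the mount source names and the `home_root_t` label are constructed assumptions; `context=` makes the guest kernel apply one fixed SELinux context to every file on that mount instead of taking labels from the host side.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format (not captured from the guest).
SAMPLE_MOUNTS='home /home 9p rw,relatime,trans=virtio,version=9p2000.L 0 0
myfs /mnt/shared virtiofs rw,relatime 0 0
share /srv/share virtiofs rw,relatime,context=system_u:object_r:home_root_t:s0 0 0
/dev/vda1 / xfs rw,seclabel,relatime 0 0'

# Print one line per 9p/virtiofs mount: "<mountpoint> <fstype> <labeling>".
# "context" means a fixed SELinux context is set by mount option;
# "none" means the guest relies on labels from the shared directory,
# which is the situation that shows up as unlabeled_t or EACCES.
shared_mount_labels() {
  printf '%s\n' "$1" | while read -r src mnt fstype opts rest; do
    case "$fstype" in
      9p|virtiofs) ;;
      *) continue ;;
    esac
    case ",$opts," in
      *,context=*) echo "$mnt $fstype context" ;;
      *)           echo "$mnt $fstype none" ;;
    esac
  done
}

# Number of shared mounts without a context= option (0 is the goal).
count_unlabeled_shared() {
  shared_mount_labels "$1" | grep -c ' none$' || true
}

# Append context=<ctx> to the options of a 9p/virtiofs fstab line.
# $1: fstab line, $2: SELinux context (assumed label; pick one the
# guest policy allows the intended users and services to access).
add_context_option() {
  printf '%s\n' "$1" | awk -v ctx="$2" \
    '$3 == "9p" || $3 == "virtiofs" {
       if ($4 !~ /(^|,)context=/) $4 = $4 ",context=" ctx
     }
     { print }'
}

shared_mount_labels "$SAMPLE_MOUNTS"
add_context_option 'home /home 9p trans=virtio,version=9p2000.L 0 0' \
  'system_u:object_r:home_root_t:s0'
```

On a live guest, run `shared_mount_labels "$(cat /proc/mounts)"` to check the real mount table.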

More information about the libvirt-users mailing list