[Virtio-fs] SELinux support in virtio-fs

Daniel Walsh dwalsh at redhat.com
Wed Feb 12 15:29:06 UTC 2020


On 2/10/20 11:06 AM, Stefan Hajnoczi wrote:
> Hi Dan,
> I've CCed the public virtio-fs mailing list because SELinux support in
> virtio-fs has been asked about recently.
>
> It's time to figure out what level of SELinux support will be available
> in virtio-fs.  The file system client shares most of its code with FUSE
> and SELinux labels on files are currently not supported in FUSE.
>
> It would be possible to pass through extended attributes to the
> virtiofsd daemon running on the host.  However, passing through xattrs
> allows the client to relabel files on the host file system and this
> could pose a security problem.  virtiofsd already allows the client to
> set the uid/gid and permissions, but is passing through SELinux xattrs a
> bad idea?
>
> virtiofsd is in a position to mangle extended attribute names
> ("security.selinux" -> "virtiofs.security.selinux") in order to separate
> guest SELinux labels from host SELinux labels.
>
> As someone who knows very little about SELinux I'm eager to hear what
> you think would be a good approach.  Secure containers (e.g. Kata
> Containers) are an important use case but virtio-fs can also be used as
> the root file system for a guest (a scenario where full SELinux support
> is needed).
>
> Thanks,
> Stefan

I am traveling right now.  We should add in the SELinux team, and I will
be able to look at this on Friday.



