[Virtio-fs] restorecon/SELinux virtiofs question

Harry G. Coin hgcoin at gmail.com
Thu Nov 19 18:27:20 UTC 2020


On 11/19/20 12:16 PM, Vivek Goyal wrote:
> On Thu, Nov 19, 2020 at 10:52:51AM -0600, Harry G. Coin wrote:
>> Hello virtiofs team.  I need clarification about a 'restorecon' selinux
>> guest giving an 'operation not supported' response.
>>
>> If the host fs is btrfs (with xattr enabled in virtiofsd) but not
>> running SELinux,
> I suspect that on host setxattr(security.selinux) is failing with 
> "operation not supported". 
>
> What do you mean by host "not running SELinux"? SELinux is not compiled
> in? Or it is disabled or in passive mode?
>
> Is it working with filesystems other than btrfs, say ext4 or xfs?
>
> Now qemu supports xattr remapping. You might want to run virtiofsd
> to remap security.selinux. I think that might get you going till
> the root cause of the issue is found.
>
> Vivek

Thank you for the focus.   The host os in this instance is not from the
fedora/rhel/centos world with selinux running.  My case is a debian
sourced distro (ubuntu).  That world uses 'apparmor' by default, not
selinux.   I think it's reasonable to suppose there are a lot of servers
out there not running selinux that have lots of vms running on them, not
all using virtiofs.  There should be a documented way to allow the
'restorecon' command on one of many guests on such hosts to work.  I
suppose to wrap this up:

For the future readers who got here by searching,  could you give the
first kernel version that supports a non-selinux host supporting an
selinux enabled guest and the virtiofsd command line necessary to get
the restorecon command to work normally?

Thanks in advance!!  (And thanks for the work -- can't wait for dax to
make it into standard kernels!!)

Harry Coin




>
>> and the guest has virtiofs root with selinux active,
>> what version [if any] for virtiofs is necessary before I can expect the
>> restorecon command to operate properly?  (Or, maybe I've missed a config
>> setting somewhere?) 
>>
>> Packages such as freeipa fail to install because they issue dozens of
>> 'restorecon' calls which fail using virtiofs.
>>
>> Thanks,
>>
>> Harry Coin