[Virtio-fs] restorecon/SELinux virtiofs question

Vivek Goyal vgoyal at redhat.com
Thu Nov 19 18:38:41 UTC 2020


On Thu, Nov 19, 2020 at 12:27:20PM -0600, Harry G. Coin wrote:
> 
> On 11/19/20 12:16 PM, Vivek Goyal wrote:
> > On Thu, Nov 19, 2020 at 10:52:51AM -0600, Harry G. Coin wrote:
> >> Hello virtiofs team.  I need clarification about a 'restorecon' SELinux
> >> guest giving an 'operation not supported' response.
> >>
> >> If the host fs is btrfs (with xattr enabled in virtiofsd) but not
> >> running SELinux,
> > I suspect that on host setxattr(security.selinux) is failing with
> > "operation not supported".
> >
> > What do you mean by host "not running SELinux". SELinux is not compiled
> > in? Or it is disabled or in passive mode?
> >
> > Is it working with filesystems other than btrfs, say ext4 or xfs.
> >
> > Now qemu supports xattr remapping. You might want to run virtiofsd
> > to remap security.selinux. I think that might get you going till
> > the root cause of the issue is found.
> >
> > Vivek
> 
> Thank you for the focus.   The host os in this instance is not from the
> fedora/rhel/centos world with SELinux running.  My case is a debian
> sourced distro (ubuntu).  That world uses 'apparmor' by default, not
> SELinux.   I think it's reasonable to suppose there are a lot of servers
> out there not running SELinux that have lots of vms running on them, not
> all using virtiofs.  There should be a documented way to allow the
> 'restorecon' command on one of many guests on such hosts to work.  I
> suppose to wrap this up:
> 
> For the future readers who got here by searching,  could you give the
> first kernel version that supports a non-SELinux host supporting an
> SELinux enabled guest and the virtiofsd command line necessary to get
> the restorecon command to work normally?

I don't know yet. Because I don't know what's the root cause of the
issue.

The way you are explaining it, it looks like the host kernel somehow is
blocking setxattr(security.selinux). And I have no idea why. Is it
apparmor or something else?

If no SELinux module is loaded on the host, then as long as the virtiofsd
process has CAP_SYS_ADMIN, it should be able to set security.selinux.

"Operation not supported" means error "EOPNOTSUPP". I am assuming
you are running virtiofsd with "-o xattr" to make sure virtiofsd
supports xattr. If that's the case, somehow the kernel is returning
"EOPNOTSUPP".

Can you run virtiofsd with the debug option -d, try to install that
package in the guest, capture the output of virtiofsd and post it here. It
might confirm that the host kernel is returning the error.

Thanks
Vivek

> 
> Thanks in advance!!  (And thanks for the work -- can't wait for dax to
> make it into standard kernels!!)
> 
> Harry Coin
> 
> >
> >> and the guest has virtiofs root with selinux active,
> >> what version [if any] for virtiofs is necessary before I can expect the
> >> restorecon command to operate properly?  (Or, maybe I've missed a config
> >> setting somewhere?) 
> >>
> >> Packages such as freeipa fail to install because they issue dozens of
> >> 'restorecon' calls which fail using virtiofs.
> >>
> >> Thanks,
> >>
> >> Harry Coin
> >>
> >> _______________________________________________
> >> Virtio-fs mailing list
> >> Virtio-fs at redhat.com
> >> https://www.redhat.com/mailman/listinfo/virtio-fs
> 
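The host-side check Vivek describes above (does the host kernel accept a write of security.selinux, or does it return EOPNOTSUPP?) can be reproduced without involving the guest or virtiofsd at all. The program below is an added example, not code from the thread or from the virtiofs project: run it as root on the host, pointed at the directory exported to the guest, and it performs the same setxattr("security.selinux") call virtiofsd would make on the guest's behalf, then reports the errno and what that errno means per the discussion. The probe label and the temporary file name are arbitrary choices made here.

```c
/* Added example: probe whether the host kernel lets a CAP_SYS_ADMIN
 * process set security.selinux on a file in the virtiofs shared directory.
 * Build: cc -o xattr-probe xattr-probe.c ; run as root: ./xattr-probe /path/to/shared
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/xattr.h>
#include <unistd.h>

/* Arbitrary but well-formed SELinux context (assumption: any valid label
 * will do; the probe only cares whether the host accepts the write). */
#define PROBE_LABEL "unconfined_u:object_r:user_home_t:s0"

/* Attempt the same operation a guest restorecon triggers through virtiofsd.
 * Returns 0 on success, otherwise the errno reported by setxattr(2). */
int probe_selinux_xattr(const char *path)
{
    if (setxattr(path, "security.selinux", PROBE_LABEL, strlen(PROBE_LABEL), 0) == 0)
        return 0;
    return errno;
}

/* Translate the errno into the diagnosis discussed in the thread. */
const char *explain_xattr_errno(int err)
{
    switch (err) {
    case 0:
        return "host accepted security.selinux; guest restorecon should work";
    case EOPNOTSUPP:
        return "host kernel or filesystem refuses security.* xattrs; consider virtiofsd xattr remapping";
    case EPERM:
        return "denied by capability/LSM check: run with CAP_SYS_ADMIN (and check AppArmor)";
    case EACCES:
        return "DAC permission denied on the file itself";
    case ENOENT:
        return "path does not exist";
    default:
        return "unexpected error; see strerror";
    }
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : ".";
    char path[4096];

    /* Create a throwaway file inside the shared directory so the probe
     * exercises the same filesystem the guest sees. */
    snprintf(path, sizeof path, "%s/.virtiofs-xattr-probe.XXXXXX", dir);
    int fd = mkstemp(path);
    if (fd < 0) {
        perror("mkstemp");
        return 1;
    }
    close(fd);

    int err = probe_selinux_xattr(path);
    printf("setxattr(security.selinux) on %s: %s\n  -> %s\n",
           path, err ? strerror(err) : "ok", explain_xattr_errno(err));

    unlink(path);
    return err == 0 ? 0 : 2;
}
```

If the probe itself succeeds as root but the guest still sees "operation not supported", the problem is between the guest and the host kernel (virtiofsd started without "-o xattr", or a host LSM profile confining the virtiofsd process) rather than the filesystem; if the probe returns EOPNOTSUPP, the host filesystem or kernel is rejecting the security.* namespace and the remapping route Vivek mentions is the practical workaround until the root cause is known.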