[Virtio-fs] regression: lsetfilecon fails, breaks rpm, dpkg, dnf in virtiofs guests.

Harry G. Coin hgcoin at gmail.com
Thu Jun 3 17:58:37 UTC 2021


On 6/1/21 8:02 AM, Vivek Goyal wrote:
> On Sat, May 29, 2021 at 01:42:50PM -0500, Harry G. Coin wrote:
>> Some regression in virtio-fs has led to rpm/dnf/yum failing in the same
>> guest it previously worked.
>>
>> linux 5.11.19-300.fc34.x86_64
>>
>> Specifically, all attempts to use dnf/yum lead to examples similar to this:
>>
>> Error unpacking rpm package dnf-4.7.0-1.fc34.noarch
>>   Upgrading        : python3-dnf-plugins-core-4.0.21-1.fc34.noarch 8/20
>> error: unpacking of archive failed on file /usr/bin/dnf;60b1b277: cpio: (error 0x2)
>> error: dnf-4.7.0-1.fc34.noarch: install failed
>> error: lsetfilecon: (/etc/dnf/plugins/copr.conf, system_u:object_r:etc_t:s0) Operation not permitted
>> error: Plugin selinux: hook fsm_file_prepare failed
> CCing Dan Walsh and Ondrej. They might have an idea.
>
> Thanks
> Vivek
>
>> (
>>
>> For all packages.  No updates are possible.  Possibly related to:
>> https://github.com/fedora-selinux/selinux-policy/pull/478/files/21a2df26cd605c55de7edc80e16907fcb76ccf08 
>> ?  What really gets me, is this error exists even though
>>
>> # getenforce
>> Permissive
>>
>> )
>>
>> The host is running btrfs.  ... virtiofsd --fd=50 -o source=/vmsystems/fedora_generic,xattr,flock,posix_lock
>>
>> same effect with  .... virtiofsd --fd=36 -o source=/vmsystems/dbl1,xattr,flock,no_posix_lock
>>
>> /etc/fstab:
>>
>> myfs / virtiofs seclabel 0 0



Here's a reproducer:

[root@registry1 ~]# getenforce
Permissive
[root@registry1 ~]# cat lsetfilecon.c
#include <selinux/selinux.h>
#include <stdio.h>
#include <errno.h>

int main(int argc, char *argv[]) {
  int i;
  /* Relabel an existing file; lsetfilecon returns -1 and sets errno on failure. */
  i = lsetfilecon("/usr/bin/rngtest", "system_u:object_r:bin_t:s0");
  // i = lsetfilecon("/usr/bin/rngtest;60b9120b", "system_u:object_r:bin_t:s0");
  printf("ret %x\n", i);   /* i is an int, so %x rather than %lx */
  perror("\n");            /* prints the errno text of the failed call */
  return 0;
}

[root@registry1 ~]# gcc lsetfilecon.c -lselinux -o lsetfilecon
[root@registry1 ~]# ./lsetfilecon
ret ffffffff

: Operation not permitted
[root@registry1 ~]# ls -l /usr/bin/rngtest
-rwxr-xr-x. 1 root root 21176 Apr 27 18:26 /usr/bin/rngtest

[root@registry1 ~]# uname -a
Linux registry1.xxxx 5.11.19-300.fc34.x86_64 #1 SMP Fri May 7 14:17:15 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

On the host:


root@noc1:/vmsystems/registry1/usr/bin# getfattr -m - -d rngtest
# file: rngtest
security.selinux="system_u:object_r:bin_t:s0"

ls -l rngtest
-rwxr-xr-x. 1 root root 21176 Apr 27 18:26 rngtest
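
Added example, not part of the message above or of the virtiofs project's code: lsetfilecon() sets the security.selinux extended attribute through lsetxattr(), so the same failure can be probed with the raw xattr calls and no libselinux. The probe writes back the label the file already has, so a success changes nothing; the default path is the file from the reproducer, and the function names are chosen for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/xattr.h>

#define SELINUX_XATTR "security.selinux"

/* Read the label without following symlinks; 0 on success, else errno. */
int read_label(const char *path, char *buf, size_t len)
{
    if (len == 0)
        return EINVAL;
    ssize_t n = lgetxattr(path, SELINUX_XATTR, buf, len - 1);
    if (n < 0)
        return errno;
    buf[n] = '\0';
    return 0;
}

/* Non-destructive probe: write back the current label; 0 or errno. */
int probe_relabel(const char *path, char *cur, size_t len)
{
    int err = read_label(path, cur, len);
    if (err)
        return err;
    if (lsetxattr(path, SELINUX_XATTR, cur, strlen(cur) + 1, 0) < 0)
        return errno;
    return 0;
}

/* Map the errno to what it says about where the failure sits. */
const char *explain(int err)
{
    switch (err) {
    case 0:       return "ok: raw setxattr accepted the label";
    case EPERM:   return "EPERM: raw setxattr refused, failure is below libselinux";
    case ENOTSUP: return "ENOTSUP: xattr not supported on this mount";
    default:      return strerror(err);
    }
}

int main(int argc, char *argv[])
{
    char cur[256] = "";
    const char *path = argc > 1 ? argv[1] : "/usr/bin/rngtest"; /* file from the post */
    int err = probe_relabel(path, cur, sizeof cur);
    printf("%s: label \"%s\": %s\n", path, cur, explain(err));
    return err ? 1 : 0;
}
```

Run in the guest against a file on the virtiofs mount and against one on a local filesystem; a differing errno between the two isolates the failure to the virtiofs path.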
