Adding the <binary xattr='on'> element to the <filesystem> device does seem
to spawn virtiofsd with the option string "source=/home,xattr". My guest can
no longer mount the device though.

It errors with:

    [ 170.225553] 9pnet_virtio: no channels available
    mount: mount(2) failed: No such file or directory

I think what this is doing is causing libvirt to create the device as a
virtiofs device instead of a 9p device. The EL7 kernel doesn't have a
virtiofs driver, so it can't mount virtiofs devices.

My knowledge is unfortunately limited about the nuances between 9p and
virtiofs. So I'm mostly experimenting by trial-and-error here.

On Wed, Jun 2 2021 at 03:55:40 PM -0500, Connor Kuehl <ckuehl at redhat.com> wrote:
> On 5/21/21 11:59 AM, Link Dupont wrote:
>
> Adding the virtio-fs mailing list.
>
>> I am mounting a filesystem into a domain using the virtiofs driver.
>>
>>     <filesystem accessmode="passthrough" type="mount">
>>       <source dir="/home"/>
>>       <target dir="/home"/>
>>       <driver type="virtiofs"/>
>>     </filesystem>
>>
>> Both my host (Fedora 34) and guest (CentOS 8.4) are running with SELinux
>> enforcing. From my host, I can see that the SELinux context type is set to
>> user_home_dir_t.
>>
>>     $ ls -ldZ /home/link
>>     drwxr-xr-x. 61 link link system_u:object_r:user_home_dir_t:s0 8192 May 21 12:41 /home/link
>>
>> From within the guest however, the volume is unlabeled_t
>>
>>     $ ls -lZd /home/link
>>     drwxr-xr-x. 61 link link system_u:object_r:unlabeled_t:s0 8192 May 21 12:53 /home/link
>>
>> Is there a way to pass the SELinux context through to the guest? Or mount the
>> volume with the correct options to map SELinux contexts?
>>
>
> Hi,
>
> I'm afraid I actually don't know that much about SELinux but I read
> that it relies on using extended attributes in the file system to
> accomplish its labeling.
>
> Do you still experience this issue when you enable extended attribute
> support[1] in virtiofsd? The example in the optional parameters snippet
> enables extended attributes with the xattr='on' element.
>
> Connor
>
> [1] https://libvirt.org/kbase/virtiofs.html#optional-parameters
Dr. David Alan Gilbert
2021-Jun-03 19:24 UTC
[Virtio-fs] virtiofs mounted filesystems & SELinux
* Link Dupont (link at sub-pop.net) wrote:
> Adding the <binary xattr='on'> element to the <filesystem> device does seem
> to spawn virtiofsd with the option string "source=/home,xattr". My guest can
> no longer mount the device though.
>
> It errors with:
>
>     [ 170.225553] 9pnet_virtio: no channels available
>     mount: mount(2) failed: No such file or directory
>
> I think what this is doing is causing libvirt to create the device as a
> virtiofs device instead of a 9p device. The EL7 kernel doesn't have a
> virtiofs driver, so it can't mount virtiofs devices.
>
> My knowledge is unfortunately limited about the nuances between 9p and
> virtiofs. So I'm mostly experimenting by trial-and-error here.

They're almost entirely different implementations; if you have a virtiofsd
then you're running virtiofs, not 9p, and yes RHEL7 won't like that.
(I'm not sure el7 had 9p either??)

Dave

> On Wed, Jun 2 2021 at 03:55:40 PM -0500, Connor Kuehl <ckuehl at redhat.com> wrote:
> > On 5/21/21 11:59 AM, Link Dupont wrote:
> >
> > Adding the virtio-fs mailing list.
> >
> > > I am mounting a filesystem into a domain using the virtiofs driver.
> > >
> > >     <filesystem accessmode="passthrough" type="mount">
> > >       <source dir="/home"/>
> > >       <target dir="/home"/>
> > >       <driver type="virtiofs"/>
> > >     </filesystem>
> > >
> > > Both my host (Fedora 34) and guest (CentOS 8.4) are running with SELinux
> > > enforcing. From my host, I can see that the SELinux context type is set to
> > > user_home_dir_t.
> > >
> > >     $ ls -ldZ /home/link
> > >     drwxr-xr-x. 61 link link system_u:object_r:user_home_dir_t:s0 8192 May 21 12:41 /home/link
> > >
> > > From within the guest however, the volume is unlabeled_t
> > >
> > >     $ ls -lZd /home/link
> > >     drwxr-xr-x. 61 link link system_u:object_r:unlabeled_t:s0 8192 May 21 12:53 /home/link
> > >
> > > Is there a way to pass the SELinux context through to the guest? Or mount the
> > > volume with the correct options to map SELinux contexts?
> > >
> >
> > Hi,
> >
> > I'm afraid I actually don't know that much about SELinux but I read
> > that it relies on using extended attributes in the file system to
> > accomplish its labeling.
> >
> > Do you still experience this issue when you enable extended attribute
> > support[1] in virtiofsd? The example in the optional parameters snippet
> > enables extended attributes with the xattr='on' element.
> >
> > Connor
> >
> > [1] https://libvirt.org/kbase/virtiofs.html#optional-parameters
> >
>
> _______________________________________________
> Virtio-fs mailing list
> Virtio-fs at redhat.com
> https://listman.redhat.com/mailman/listinfo/virtio-fs

-- 
Dr. David Alan Gilbert / dgilbert at redhat.com / Manchester, UK
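The helper script below is an added example for the thread as a whole; it is not code from the thread, from libvirt or from the virtiofs project. It assumes a constructed mount tag `home`, a guest mountpoint `/mnt/home`, and the `getfattr` tool from the attr package. `fs_xml` emits the two libvirt fragments Dave's reply distinguishes (with and without `<driver type='virtiofs'/>`, the former carrying the `<binary xattr='on'/>` element Connor pointed to), `guest_fs_supported` answers the question Link's EL7 guest ran into (whether the guest kernel knows the filesystem type at all), `guest_mount` picks the mount command that matches what libvirt actually created, and `selinux_label` reads the `security.selinux` xattr that SELinux labels depend on, so the host's and the guest's view of a path can be compared.

```shell
#!/bin/sh
# Added example, not from the thread or from libvirt/virtiofs upstream.
# Assumptions (constructed): the share is exported with mount tag "home"
# and mounted at /mnt/home in the guest; getfattr (attr package) is installed.

# Emit the libvirt <filesystem> fragment for the requested backend.
# The virtiofs form follows the shape documented on the libvirt virtiofs
# kbase page; the 9p form omits <driver type='virtiofs'/>, so libvirt falls
# back to its default 9p backend.
fs_xml() {
  case "$1" in
    virtiofs)
      cat <<'EOF'
<filesystem type='mount' accessmode='passthrough'>
  <driver type='virtiofs'/>
  <binary xattr='on'/>          <!-- forward xattrs such as security.selinux -->
  <source dir='/home'/>
  <target dir='home'/>          <!-- a mount tag, not a guest path -->
</filesystem>
EOF
      ;;
    9p)
      cat <<'EOF'
<filesystem type='mount' accessmode='passthrough'>
  <source dir='/home'/>
  <target dir='home'/>
</filesystem>
EOF
      ;;
    *)
      echo "fs_xml: unknown backend '$1' (use virtiofs or 9p)" >&2
      return 1
      ;;
  esac
}

# Guest side: does this kernel know the filesystem type at all?
# $1 = fstype (virtiofs or 9p); $2 = a /proc/filesystems-style file
# (defaults to the real one). On modular kernels run "modprobe $1" first,
# because /proc/filesystems only lists types whose driver is loaded.
guest_fs_supported() {
  fstype=$1
  proc=${2:-/proc/filesystems}
  # Lines look like "nodev<TAB>virtiofs" or "<TAB>ext4"; the type is the last field.
  awk -v t="$fstype" '$NF == t { found = 1 } END { exit !found }' "$proc"
}

# Guest side: mount the share with the command that matches the backend
# libvirt actually created. A virtiofs device cannot be mounted as 9p; the
# "9pnet_virtio: no channels available" message in the thread is the 9p
# client finding no 9p transport behind the tag.
guest_mount() {
  tag=$1
  mnt=$2
  if guest_fs_supported virtiofs; then
    mount -t virtiofs "$tag" "$mnt"
  elif guest_fs_supported 9p; then
    mount -t 9p -o trans=virtio,version=9p2000.L "$tag" "$mnt"
  else
    echo "guest_mount: neither virtiofs nor 9p is available in this kernel" >&2
    return 1
  fi
}

# Either side: print the SELinux label stored in the security.selinux xattr,
# or "unlabeled" when the xattr is not visible, which is what the guest sees
# when virtiofsd runs without xattr support.
selinux_label() {
  label=$(getfattr --only-values --absolute-names -n security.selinux -- "$1" 2>/dev/null | tr -d '\0')
  printf '%s\n' "${label:-unlabeled}"
}

# Typical use: "fs_xml virtiofs" on the host to see the fragment to paste into
# the domain XML, then in the guest "guest_mount home /mnt/home" followed by
# "selinux_label /mnt/home/link" and compare with "selinux_label /home/link"
# on the host.
```

Run `guest_fs_supported virtiofs` (after `modprobe virtiofs`) in the guest before touching the domain XML: if it fails, as it does on a kernel without the virtiofs driver, no combination of `<binary>` options on the host will make the share mountable, and the only choices are a 9p share or a guest kernel with virtiofs support.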