On Thu, Jun 03, 2021 at 10:14:24PM -0400, Link Dupont wrote:
> On Thu, Jun 3 2021 at 08:56:46 PM -0400, Link Dupont <link at sub-pop.net>
> wrote:
> > reproducible scenarios
>
> Alright. I reran my tests with a CentOS 8 guest. On CentOS 8 (with a
> virtiofs filesystem and with xattr on), the type of files in the mounted
> hierarchy are unlabeled_t. I can work around that by switching SELinux in
> the guest to permissive or disabled.

cc Dan Walsh. I was discussing this with Dan Walsh yesterday in general.

In general, if we want to enable SELinux both on host and guest, then
both host and guest should have the same SELinux policy. Otherwise there
will be a lot of different kinds of conflicts because both host and
guest will try to work with the same selinux label. I guess that in
practice this will be very hard to achieve as people will run
different host and guest flavors and these might have different
policies.

So another option is to rename the selinux xattr in virtiofs so that
any selinux xattr coming from the guest is saved as a
user.virtiofs.security.selinux xattr on the host. That way host and guest
can have their separate labels without interfering with each other.
David Gilbert already has added support for this. I can't remember
the exact syntax but you can figure it out from the documentation here
in the xattr remapping section.

https://github.com/qemu/qemu/blob/master/docs/tools/virtiofsd.rst

But I have a question with selinux xattr remapping. What will happen
to initial labels when the fs is exported? I mean until and unless
some process in the guest labels all the exported files, they all
will either be unlabeled or pick some generic label for all the
files.

Another option is, can we use a single label for the whole of the
virtiofs (using the context=<label> option) in the guest? That way nothing
is saved in files as such. But this means that processes in the guest
can't have different selinux labels on different virtiofs dirs/files.

Dan, what do you think?

Thanks
Vivek

> With a CentOS 7 guest, things get less usable. I digested this to a
> reproducible scenario.
>
> Build a disk image with `virt-builder`, configuring the CentOS Plus kernel
> to get 9p support.
>
>     virt-builder centos-7.8 \
>       --root-password password:centos \
>       --output centos-7.8.qcow2 \
>       --install yum-utils \
>       --run-command 'yum-config-manager --enable centosplus' \
>       --run-command 'sed -ie "s/DEFAULTKERNEL=kernel/DEFAULTKERNEL=kernel-plus/" /etc/sysconfig/kernel' \
>       --append-line '/etc/dracut.conf.d/virtio.conf:add_drivers+="virtio_scsi virtio_pci virtio_console"' \
>       --append-line '/etc/modules-load.d/9pnet_virtio.conf:9pnet_virtio' \
>       --install kernel-plus \
>       --append-line '/etc/fstab:home /home 9p trans=virtio,version=9p2000.L 0 0'
>
> Install the volume into the `default` pool.
>
>     sudo install -m644 centos-7.8.qcow2 /var/lib/libvirt/images
>
> Next, define a domain using the disk image (using `virt-install` here for
> "easy mode").
>
>     virt-install \
>       --import \
>       --os-variant centos7.0 \
>       --name centos \
>       --ram 2048 \
>       --disk path=/var/lib/libvirt/images/centos-7.8.qcow2 \
>       --memorybacking access.mode=shared \
>       --filesystem source=/home,target=home,accessmode=passthrough \
>       --autoconsole none
>
> Now with SELinux enforcing, I cannot list the contents of the directories in
> the mounted hierarchy.
>
>     [root at localhost ~]# ls -lZ /home/link
>     ls: cannot open directory /home/link: Permission denied
>
>
>
> _______________________________________________
> Virtio-fs mailing list
> Virtio-fs at redhat.com
> https://listman.redhat.com/mailman/listinfo/virtio-fs
>
Daniel P. Berrangé
2021-Jun-04 13:59 UTC
[Virtio-fs] virtiofs mounted filesystems & SELinux
On Fri, Jun 04, 2021 at 09:44:39AM -0400, Vivek Goyal wrote:
> On Thu, Jun 03, 2021 at 10:14:24PM -0400, Link Dupont wrote:
> > On Thu, Jun 3 2021 at 08:56:46 PM -0400, Link Dupont <link at sub-pop.net>
> > wrote:
> > > reproducible scenarios
> >
> > Alright. I reran my tests with a CentOS 8 guest. On CentOS 8 (with a
> > virtiofs filesystem and with xattr on), the type of files in the mounted
> > hierarchy are unlabeled_t. I can work around that by switching SELinux in
> > the guest to permissive or disabled.
>
> cc Dan Walsh. I was discussing this with Dan Walsh yesterday in general.
>
> In general, if we want to enable SELinux both on host and guest, then
> both host and guest should have the same SELinux policy. Otherwise there
> will be a lot of different kinds of conflicts because both host and
> guest will try to work with the same selinux label. I guess that in
> practice this will be very hard to achieve as people will run
> different host and guest flavors and these might have different
> policies.

Yeah, I think there's little to no chance of people keeping the same
SELinux policy in host/guest, except in very tightly controlled narrow
use cases where the host admin exerts direct control over the precise
guest config.

> So another option is to rename the selinux xattr in virtiofs so that
> any selinux xattr coming from the guest is saved as a
> user.virtiofs.security.selinux xattr on the host. That way host and guest
> can have their separate labels without interfering with each other.
> David Gilbert already has added support for this. I can't remember
> the exact syntax but you can figure it out from the documentation here
> in the xattr remapping section.

For general purpose virt usage, I think remapping in some way is likely
to be needed as the default strategy.

> https://github.com/qemu/qemu/blob/master/docs/tools/virtiofsd.rst
>
> But I have a question with selinux xattr remapping. What will happen
> to initial labels when the fs is exported? I mean until and unless
> some process in the guest labels all the exported files, they all
> will either be unlabeled or pick some generic label for all the
> files.

I'd say you need some mechanism to force a re-label inside the guest.
Normally a relabel will be done if the /.autorelabel file is present, or
in certain other scenarios like selinux policy RPM updates. We wouldn't
want to force a relabel necessarily for the entire FS if we're just
hotplugging a new virtiofs export though. So perhaps there's scope for
supporting usage of a per-mount point relabel trigger. eg Host creates
$VIRTIOFS-ROOT/.autorelabel and whenever the guest sees a new virtiofs
export arriving, it can look for $VIRTIOFS-MOUNT-POINT/.autorelabel

> Another option is, can we use a single label for the whole of the
> virtiofs (using the context=<label> option) in the guest? That way nothing
> is saved in files as such. But this means that processes in the guest
> can't have different selinux labels on different virtiofs dirs/files.

Forcing a single label for the entire export is passable as a fallback
plan. This is what people have done for years with NFS v3 mounts. It has
annoying usage limitations though, so if at all possible remapping is a
preferable approach.

> Dan, what do you think?
>
> Thanks
> Vivek
>
> > With a CentOS 7 guest, things get less usable. I digested this to a
> > reproducible scenario.
> >
> > Build a disk image with `virt-builder`, configuring the CentOS Plus kernel
> > to get 9p support.
> >
> >     virt-builder centos-7.8 \
> >       --root-password password:centos \
> >       --output centos-7.8.qcow2 \
> >       --install yum-utils \
> >       --run-command 'yum-config-manager --enable centosplus' \
> >       --run-command 'sed -ie "s/DEFAULTKERNEL=kernel/DEFAULTKERNEL=kernel-plus/" /etc/sysconfig/kernel' \
> >       --append-line '/etc/dracut.conf.d/virtio.conf:add_drivers+="virtio_scsi virtio_pci virtio_console"' \
> >       --append-line '/etc/modules-load.d/9pnet_virtio.conf:9pnet_virtio' \
> >       --install kernel-plus \
> >       --append-line '/etc/fstab:home /home 9p trans=virtio,version=9p2000.L 0 0'
> >
> > Install the volume into the `default` pool.
> >
> >     sudo install -m644 centos-7.8.qcow2 /var/lib/libvirt/images
> >
> > Next, define a domain using the disk image (using `virt-install` here for
> > "easy mode").
> >
> >     virt-install \
> >       --import \
> >       --os-variant centos7.0 \
> >       --name centos \
> >       --ram 2048 \
> >       --disk path=/var/lib/libvirt/images/centos-7.8.qcow2 \
> >       --memorybacking access.mode=shared \
> >       --filesystem source=/home,target=home,accessmode=passthrough \
> >       --autoconsole none
> >
> > Now with SELinux enforcing, I cannot list the contents of the directories in
> > the mounted hierarchy.
> >
> >     [root at localhost ~]# ls -lZ /home/link
> >     ls: cannot open directory /home/link: Permission denied
> >

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
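The thread sketches two guest-side states for a virtiofs export (a single label via context=, or per-file labels that need an initial relabel, signalled by a per-mount .autorelabel trigger) but leaves the guest logic to the reader. The following POSIX shell script is an added example, not code from the thread, from virtiofsd or from libvirt: it reads a mounts table in /proc/self/mounts format, classifies every virtiofs mount as context-labelled, relabel-pending (trigger file present, no context= option) or xattr-labelled, and runs restorecon -R only on the pending mount points, then removes the trigger so the relabel happens once. The trigger name follows Daniel's sketch; the three-way classification, the function names and the sample mounts table (a constructed fixture under a temporary directory, with a placeholder SELinux type) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit virtiofs mounts inside a guest for the per-mount
# relabel trigger idea discussed on the list. Not part of virtiofsd.
#
# Modes reported for each virtiofs mount:
#   context - mounted with context=<label>: one label for the whole export,
#             nothing to relabel
#   relabel - no context= option and <mountpoint>/.autorelabel exists:
#             the export needs restorecon -R once (assumed trigger protocol)
#   xattr   - labels come from security.selinux xattrs (remapped or not)

# classify_virtiofs_mounts MOUNTS_FILE
# Prints "<mountpoint> <mode>" for every virtiofs entry in MOUNTS_FILE,
# which has the /proc/self/mounts layout: src mnt fstype opts dump pass.
classify_virtiofs_mounts() {
    mounts_file=$1
    while read -r _src mnt fstype opts _rest; do
        [ "$fstype" = "virtiofs" ] || continue
        case ",$opts," in
            *,context=*) mode=context ;;
            *)
                if [ -e "$mnt/.autorelabel" ]; then
                    mode=relabel
                else
                    mode=xattr
                fi
                ;;
        esac
        printf '%s %s\n' "$mnt" "$mode"
    done < "$mounts_file"
}

# relabel_pending_mounts MOUNTS_FILE
# Relabels only the exports that carry a trigger, never the whole guest FS,
# and removes the trigger afterwards so a reboot does not repeat the work.
# Requires the policycoreutils restorecon tool on the guest.
relabel_pending_mounts() {
    classify_virtiofs_mounts "$1" | while read -r mnt mode; do
        [ "$mode" = "relabel" ] || continue
        restorecon -R "$mnt" && rm -f "$mnt/.autorelabel"
    done
}

# demo_mounts_table
# Builds a constructed fixture: three fake virtiofs mount points under a
# temporary directory plus a mounts table describing them. Prints the
# directory so callers can find "$root/mounts". PLACEHOLDER_T stands in
# for whatever type the guest policy assigns; it is not a real label.
demo_mounts_table() {
    root=$(mktemp -d)
    mkdir -p "$root/home" "$root/data" "$root/shared"
    touch "$root/data/.autorelabel"
    cat > "$root/mounts" <<EOF
/dev/vda1 / xfs rw,seclabel,relatime 0 0
home $root/home virtiofs rw,seclabel,relatime,context=system_u:object_r:PLACEHOLDER_T:s0 0 0
data $root/data virtiofs rw,seclabel,relatime 0 0
shared $root/shared virtiofs rw,seclabel,relatime 0 0
EOF
    printf '%s\n' "$root"
}

# Stand-alone run: show the classification for the constructed table.
# On a real guest you would call classify_virtiofs_mounts /proc/self/mounts
# and relabel_pending_mounts /proc/self/mounts instead.
if [ "${1:-}" = "--demo" ]; then
    root=$(demo_mounts_table)
    classify_virtiofs_mounts "$root/mounts"
    rm -rf "$root"
fi
```

Running the script with --demo prints the home export as context, data as relabel and shared as xattr. The xattr case is the one Link hit: with remapping the host-side user.virtiofs.security.selinux values are empty until something in the guest writes them, so files show up as unlabeled_t; the relabel path is what turns that state into proper labels without touching the rest of the guest's filesystem.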