On Thu, May 09, 2024 at 05:10:50PM GMT, Peter Krempa wrote:
> Now things I see as problem in case when NFS not supporting xattr is
> used. This means that the remote VM can set XATTRs and must use
> 'virt_use_nfs' sebool.

I must be confused about the purpose of the virt_use_nfs sebool, and
I can't seem to find decent documentation about it. Do you have any
handy?

Have you actually been able to use either SELinux or (trusted) XATTRs
on an NFS-mounted filesystem? If so, how?

> IMO the only proper option to do this across the XATTR boundary will be
> to have an additional step in the finalizing phase of migration that
> will unref the libvirt labels. In case when the last reference is gone
> it'd need to also restore the label, same as it does now. During
> migration there'll need to be a period while two refs are on the libvirt
> xattrs.

This sounds fairly attractive from a high-level point of view, though
I'll admit that I'm concerned about things going out of sync and
unintentionally cutting off file access to the target host as a
consequence of that.

> As said I'll need to actually check what's really happening in regards
> of the selinux labels.

Please do. Hopefully you'll get further than I was able to :)

-- 
Andrea Bolognani / Red Hat / Virtualization