On Thu, May 09, 2024 at 04:47:48PM +0000, Andrea Bolognani wrote:
> On Thu, May 09, 2024 at 05:10:50PM GMT, Peter Krempa wrote:
> > Now, the things I see as a problem in the case when NFS not supporting
> > xattr is used. This means that the remote VM can set XATTRs and must
> > use the 'virt_use_nfs' sebool.
>
> I must be confused about the purpose of the virt_use_nfs sebool, and
> I can't seem to find decent documentation about it. Do you have any
> handy?

Out of the box, there usually is no ability for QEMU to access files
stored on NFS whatsoever, because NFS lacks support for storing
(svirt_image_t:MCS) labels in xattr.

Setting virt_use_nfs toggles the policy such that QEMU can now access
*any* nfs_t file. This lets QEMU work on NFS lacking label support, but
at the cost of killing MAC protection against any other non-VM related
files that might be stored on NFS. DAC protection still applies though,
since we're not running QEMU as root.

If an NFS deployment *does* support SELinux labels, there is no reason
to use virt_use_nfs, and it should not be used due to reduced MAC
protection.

If an NFS deployment does *not* support SELinux labels, then
virt_use_nfs must be turned on.

With regards,
Daniel
--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
_______________________________________________
Devel mailing list -- devel@xxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxx
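The practical consequence of the explanation above is that an admin should only flip virt_use_nfs on for exports that really cannot hold SELinux labels. The following POSIX shell script is an added example, not part of the thread or of libvirt: it lists NFS mounts from /proc/mounts, probes each one by trying to apply the svirt_image_t type to a scratch file (chcon fails with "Operation not supported" on an export without label support), and prints the setting Daniel's rule calls for. The helper names, the NAS host names and the paths in the sample mount table are all made up for the example.

```shell
#!/bin/sh
# Added example (not from the original mail). Hypothetical helpers:
# list_nfs_mounts, labels_supported, advise, audit.

# Constructed /proc/mounts-style sample, used by the test and as a fallback;
# hosts and paths are fictional.
SAMPLE_MOUNTS='nas1:/export/vms /var/lib/libvirt/images/nas1 nfs4 rw,relatime,vers=4.2 0 0
nas2:/export/legacy /var/lib/libvirt/images/nas2 nfs rw,relatime,vers=3 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# list_nfs_mounts MOUNTS_TEXT: print "<mountpoint> <fstype>" for nfs/nfs4 mounts only.
# Fields in /proc/mounts are: device mountpoint fstype options dump pass.
list_nfs_mounts() {
    printf '%s\n' "$1" | awk '$3 == "nfs" || $3 == "nfs4" { print $2, $3 }'
}

# labels_supported DIR: create a scratch file under DIR and try to relabel it
# to svirt_image_t, the type libvirt gives disk images. Returns 0 if the label
# stuck (export stores labels), 1 if chcon was refused, 2 if DIR is unusable.
labels_supported() {
    f=$(mktemp "$1/.selinux-label-probe.XXXXXX") || return 2
    if chcon -t svirt_image_t "$f" 2>/dev/null; then
        rm -f "$f"
        return 0
    fi
    rm -f "$f"
    return 1
}

# advise MOUNTPOINT SUPPORTED(yes|no): print the virt_use_nfs setting implied by
# the explanation in the mail for this mount.
advise() {
    case $2 in
        yes) printf '%s: labels supported, keep virt_use_nfs off (per-VM MCS isolation works)\n' "$1" ;;
        no)  printf '%s: no label support, virt_use_nfs must be on (QEMU may then read any nfs_t file)\n' "$1" ;;
        *)   return 1 ;;
    esac
}

# audit: walk the real mount table (falling back to the sample when /proc/mounts
# is unreadable), probe each NFS mount, and show the current boolean state.
audit() {
    mounts=$(cat /proc/mounts 2>/dev/null) || mounts=$SAMPLE_MOUNTS
    list_nfs_mounts "$mounts" | while read -r mp fstype; do
        labels_supported "$mp"
        case $? in
            0) advise "$mp" yes ;;
            1) advise "$mp" no ;;
            *) printf '%s: could not create a probe file, check by hand\n' "$mp" ;;
        esac
    done
    if command -v getsebool >/dev/null 2>&1; then
        getsebool virt_use_nfs
    else
        echo 'getsebool not found: not an SELinux host?'
    fi
    return 0
}

# Run the audit only when asked, so sourcing the file for the helpers is harmless.
if [ "${1:-}" = "--audit" ]; then
    audit
fi
```

Run it as `sh check-virt-use-nfs.sh --audit` on the libvirt host. The probe creates and deletes one hidden file per NFS mount, so it needs write access there; a mount where the probe file cannot be created is reported separately rather than silently treated as unlabelled.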