On 5/19/22 00:53, ksobrenat32 wrote:
> Hi!
>
> I have a Debian 11 (bullseye) machine running libvirtd version 7.0.0 and
> a RHEL 9 virtual machine that I need to share a disk and thought about
> virtiofs.
>
> The disk is a btrfs disk and I have successfully mounted it with:
>
> <filesystem type='mount' accessmode='passthrough'>
>   <driver type='virtiofs' queue='1024'/>
>   <binary path='/usr/lib/qemu/virtiofsd' xattr='on'>
>     <cache mode='always'/>
>     <lock posix='on' flock='on'/>
>   </binary>
>   <source dir='/mnt/WD-Disk'/>
>   <target dir='media'/>
>   <alias name='fs0'/>
>   <address type='pci' domain='0x0000' bus='0x07' slot='0x00' function='0x0'/>
> </filesystem>
>
> The problem I have is with selinux, when I try to change the context of
> a file inside the virtual machine I get an 'Operation not permitted'
> error, I can change the context in the Debian host and see the changes
> in the virtual machine but I would want to be able to change the context
> from the vm to be able to use podman containers with selinux enabled.
>
> I see on the docs
> https://qemu.readthedocs.io/en/latest/tools/virtiofsd.html#selinux-support
> you can run virtiofsd with a xattr option so it is compatible with
> selinux but I do not find a way to change the domain xml to add this
> option, is there a way to add this option? Does a better option exist
> (maybe on the guest side)?
>

Yeah, I don't think this was implemented. However, virtiofsd is running
as root:root and with no capabilities dropped. So I guess what we're
missing here is -o security_label or might as well implement the remap
as docs suggest, which is much safer.

Michal