Re: Virtiofs xattr options on domain xml

On 5/19/22 00:53, ksobrenat32 wrote:
> Hi!
> 
> I have a debian 11 (bullseye) machine running libvirtd version 7.0.0 and
> a RHEL 9 virtual machine that I need to share a disk and thought about
> virtiofs.
> 
> The disk is a btrfs disk and I have successfully mounted it with:
> 
>     <filesystem type='mount' accessmode='passthrough'>
>       <driver type='virtiofs' queue='1024'/>
>       <binary path='/usr/lib/qemu/virtiofsd' xattr='on'>
>         <cache mode='always'/>
>         <lock posix='on' flock='on'/>
>       </binary>
>       <source dir='/mnt/WD-Disk'/>
>       <target dir='media'/>
>       <alias name='fs0'/>
>       <address type='pci' domain='0x0000' bus='0x07' slot='0x00'
> function='0x0'/>
>     </filesystem>
> 
> The problem I have is with selinux, when I try to change the context of
> a file inside the virtual machine I get an 'Operation not permitted'
> error, I can change the context in the Debian host and see the changes
> in the virtual machine but I would want to be able to change the context
> from the vm to be able to use podman containers with selinux enabled.
> 
> I see on the docs
> https://qemu.readthedocs.io/en/latest/tools/virtiofsd.html#selinux-support
> you can run virtiofsd with a xattr option so it is compatible with
> selinux but I do not find a way to change the domain xml to add this
> option, is there a way to add this option? Does a better option exist
> (maybe on the guest side)?
> 
> 


Yeah, I don't think this was implemented. However, virtiofsd is running
as root:root and with no capabilities dropped. So I guess what we're
missing here is -o security_label or might as well implement the remap
as docs suggest which is much safer.

Michal
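As an added example (not code from either poster or from libvirt), a small Python audit that parses a libvirt domain XML like the one quoted above and reports, for each virtiofs share, the exported host directory, the virtiofsd binary and whether xattr passthrough is enabled, which is the prerequisite for any guest-side SELinux labelling on the share. The sample domain XML is constructed from the quoted fragment; in practice the input would come from `virsh dumpxml`.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <filesystem> element quoted in the thread, wrapped
# in a minimal <domain> so it parses as a complete libvirt domain XML.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>rhel9</name>
  <devices>
    <filesystem type='mount' accessmode='passthrough'>
      <driver type='virtiofs' queue='1024'/>
      <binary path='/usr/lib/qemu/virtiofsd' xattr='on'>
        <cache mode='always'/>
        <lock posix='on' flock='on'/>
      </binary>
      <source dir='/mnt/WD-Disk'/>
      <target dir='media'/>
    </filesystem>
  </devices>
</domain>"""


def audit_virtiofs(domain_xml: str) -> list[dict]:
    """Return one record per virtiofs <filesystem> in a libvirt domain XML.

    Non-virtiofs <filesystem> elements (e.g. 9p) are skipped. Missing
    child elements are reported as None rather than raising.
    """
    root = ET.fromstring(domain_xml)
    records = []
    for fs in root.iter("filesystem"):
        driver = fs.find("driver")
        if driver is None or driver.get("type") != "virtiofs":
            continue
        binary = fs.find("binary")
        source = fs.find("source")
        target = fs.find("target")
        records.append({
            "source_dir": source.get("dir") if source is not None else None,
            "target_dir": target.get("dir") if target is not None else None,
            "accessmode": fs.get("accessmode"),
            "binary_path": binary.get("path") if binary is not None else None,
            # libvirt's xattr='on' on <binary> turns on virtiofsd's xattr support.
            "xattr_enabled": binary is not None and binary.get("xattr") == "on",
        })
    return records


if __name__ == "__main__":
    for rec in audit_virtiofs(SAMPLE_DOMAIN_XML):
        print(rec)
```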
