Re: Virtiofs xattr options on domain xml



So as a temporary fix I have changed some things to make it work; I will leave this here in case it is useful:

1. Upgrade Debian libvirt packages

    I had to upgrade the libvirt packages in order to use the socket option for virtiofs. The updates came from Debian 11 backports, and the packages are 'qemu qemu-kvm qemu-system qemu-utils libvirt-clients libvirt-daemon-system virtinst'. After installing you should restart libvirtd.

2. Run virtiofsd as a systemd service

    In order to use the socket option, we need to run virtiofsd, I decided to run it as a systemd service:

    [Unit]
    Description=Virtiofsd for sharing disk WD-WX32D5143K0L

    [Service]
    ExecStart=/usr/lib/qemu/virtiofsd --socket-path=/var/virtiofsd.sock --socket-group=libvirt-qemu -o xattr,source="/mnt/WD-Disk",xattrmap=":map:security.selinux:trusted.virtiofs.:",modcaps=+sys_admin


    The extra options are 'xattr' to enable them, 'source' to declare the directory to share, 'xattrmap' so you can have a different SELinux context on the host and in the guest, and 'modcaps' so it is able to set trusted xattrs. The service should run as root.

3. Add the xml to the vm

    With virsh edit you should edit the domain XML of the VM, changing the filesystem part to use the socket:

    <filesystem type='mount'>
      <driver type='virtiofs' queue='1024'/>
      <source socket='/var/virtiofsd.sock'/>
      <target dir='media'/>
      <alias name='fs0'/>
      <address type='pci' domain='0x0000' bus='0x07' slot='0x00' function='0x0'/>
    </filesystem>

I know that it may not be the most secure way, but it is the best way I could find to have a non-SELinux host with an SELinux guest.

On 19/05/22 03:41, Michal Prívozník - mprivozn(a) wrote:
On 5/19/22 00:53, ksobrenat32 wrote:

I have a Debian 11 (bullseye) machine running libvirtd version 7.0.0 and
a RHEL 9 virtual machine that I need to share a disk and thought about

The disk is a btrfs disk and I have successfully mounted it with:

     <filesystem type='mount' accessmode='passthrough'>
       <driver type='virtiofs' queue='1024'/>
       <binary path='/usr/lib/qemu/virtiofsd' xattr='on'>
         <cache mode='always'/>
         <lock posix='on' flock='on'/>
       </binary>
       <source dir='/mnt/WD-Disk'/>
       <target dir='media'/>
       <alias name='fs0'/>
       <address type='pci' domain='0x0000' bus='0x07' slot='0x00' function='0x0'/>
     </filesystem>

The problem I have is with SELinux: when I try to change the context of
a file inside the virtual machine I get an 'Operation not permitted'
error. I can change the context on the Debian host and see the changes
in the virtual machine, but I would want to be able to change the context
from the VM to be able to use podman containers with SELinux enabled.

I see in the docs
you can run virtiofsd with an xattr option so it is compatible with
SELinux, but I do not find a way to change the domain XML to add this
option. Is there a way to add this option? Does a better option exist
(maybe on the guest side)?

Yeah, I don't think this was implemented. However, virtiofsd is running
as root:root and with no capabilities dropped. So I guess what we're
missing here is -o security_label or might as well implement the remap
as docs suggest which is much safer.
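The three steps from the reply above (unit file, domain XML fragment, and a check on the host), rendered as one script; this is an added example and not part of the original post or of libvirt/virtiofsd. The binary path, socket path, source directory, target tag and the -o options are taken from the post. The unit name virtiofsd-media.service, the DESTDIR override, the After=, ConditionPathIsDirectory= and Restart= lines, and the getfattr check are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original post): render the systemd unit and the
# libvirt <filesystem> stanza from the three steps above into files that can be
# reviewed before anything is started. Binary, socket, source directory and
# xattrmap come from the post; the unit name, DESTDIR override, After=,
# ConditionPathIsDirectory= and Restart= lines are assumptions.
set -eu

VIRTIOFSD=/usr/lib/qemu/virtiofsd        # from the post
SOCKET=/var/virtiofsd.sock               # from the post
SOURCE_DIR=/mnt/WD-Disk                  # from the post (no spaces, so unquoted below)
TARGET_TAG=media                         # from the post
UNIT_NAME=virtiofsd-media.service        # assumed name

# Complete unit file; the post shows only the Description= and ExecStart= lines.
# No User= line: virtiofsd runs as root so that modcaps=+sys_admin can keep
# CAP_SYS_ADMIN, which is needed to write trusted.* xattrs on the host.
render_unit() {
    cat <<EOF
[Unit]
Description=virtiofsd sharing ${SOURCE_DIR} as '${TARGET_TAG}'
After=local-fs.target
ConditionPathIsDirectory=${SOURCE_DIR}

[Service]
ExecStart=${VIRTIOFSD} --socket-path=${SOCKET} --socket-group=libvirt-qemu -o xattr,source=${SOURCE_DIR},xattrmap=:map:security.selinux:trusted.virtiofs.:,modcaps=+sys_admin
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
}

# <filesystem> stanza pointing the guest at the externally started daemon.
# The <alias> and <address> from the post are left out so libvirt assigns them.
render_fs_xml() {
    cat <<EOF
<filesystem type='mount'>
  <driver type='virtiofs' queue='1024'/>
  <source socket='${SOCKET}'/>
  <target dir='${TARGET_TAG}'/>
</filesystem>
EOF
}

# Write both files under DESTDIR (empty = the live system) and print the
# remaining manual steps; nothing is enabled or started by this function.
install_files() {
    unit_path="${DESTDIR:-}/etc/systemd/system/${UNIT_NAME}"
    xml_path="${DESTDIR:-}/tmp/${TARGET_TAG}-filesystem.xml"
    mkdir -p "$(dirname "$unit_path")" "$(dirname "$xml_path")"
    umask 022
    render_unit > "$unit_path"
    render_fs_xml > "$xml_path"
    printf 'wrote %s\nwrote %s\n' "$unit_path" "$xml_path"
    printf 'next: systemctl daemon-reload && systemctl enable --now %s\n' "$UNIT_NAME"
    printf '      virsh edit <domain>  (paste %s into <devices>)\n' "$xml_path"
}

# After the guest has relabelled a file, confirm on the host that the label
# landed under the remapped name rather than in security.selinux. Needs root
# and the attr package (getfattr); not run unless asked for.
show_host_label() {
    getfattr --absolute-names -n trusted.virtiofs.security.selinux "$1"
}

case "${1:-}" in
    install) install_files ;;
    label)   show_host_label "$2" ;;
    *)       render_unit; echo; render_fs_xml ;;
esac
```

Run it with no arguments to print both files, with `install` to write them (set DESTDIR to a scratch directory to stage them first), and with `label <host-path>` after relabelling a file from the guest to confirm the context was stored under the remapped trusted.virtiofs. name instead of the host's own security.selinux.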

