Vivek Goyal <vgoyal@xxxxxxxxxx> writes:

> On Mon, Dec 07, 2020 at 10:03:24AM -0500, Paul Moore wrote:
>> On Mon, Dec 7, 2020 at 9:43 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
>> >
>> > Hi everyone,
>> >
>> > In [1] we ran into a problem with the current handling of filesystem
>> > labeling rules. Basically, it is only possible to specify either
>> > genfscon or fs_use_xattr for a given filesystem, but in the case of
>> > virtiofs, certain mounts may support security xattrs, while other ones
>> > may not.
>> >
>
> [ cc virtio-fs list and miklos ]
>
>> Quickly skimming the linked GH issue, it appears that the problem
>> really lies in the fact that virtiofs allows one to enable/disable
>> xattrs at mount time. What isn't clear to me is why one would need to
>> disable xattrs, can you explain that use case? Why does enabling
>> xattrs in virtiofs cause problems?
>
> It's not exactly a mount time option. It's a virtiofs file server option.
>
> xattr support by default is disabled because it has a performance
> penalty. Users can enable it if they want to.

If SELinux is enabled then you should preferably just use fs_use xattr
unconditionally.

>
> So if virtiofsd starts without xattr support and somebody runs a
> VM with SELinux enabled, they should still be able to mount virtiofs,
> I guess (instead of failing it).

SELinux requires that everything is always labeled one way or another,
and so if SELinux is enabled one should either use genfscon or fs_use
xattr.

Since it supports fs_use xattr, that should be the default, and if
anyone would for any reason want to replace that with genfscon then that
is something they have to address (by excluding the fs_use xattr rule
and replacing it with a genfscon rule; not sure why anyone would ever
want that).

Gist is that if SELinux is enabled then one of the two should be
present, preferably fs_use xattr (so that's the default).

>
> Thanks
> Vivek
>

-- 
gpg --locate-keys dominick.grift@xxxxxxxxxxx
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
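The thread turns on two facts about a filesystem type: which of the two labeling rules (fs_use_xattr or genfscon) the loaded policy carries for it, and whether a given mount actually serves the security.selinux xattr that fs_use_xattr labeling depends on. The script below is an added example, not code from the thread, from virtiofs or from the SELinux userspace; it checks both. The function names are hypothetical, the SAMPLE_RULES text is constructed to mimic the line shape of `seinfo --fs_use` / `seinfo --genfscon` output, and the live-system helpers assume setools' seinfo(1) and attr's getfattr(1) are installed.

```shell
#!/bin/sh
# Added example (not from the thread or the virtiofs/SELinux projects).
# Classifies the policy's labeling rule for a filesystem type and, on a live
# system, checks whether a mount exposes security.selinux at all.

# classify_fs_rules FSTYPE
# Reads seinfo-style rule lines on stdin and prints exactly one word:
#   xattr    -> only an fs_use_xattr rule: labels come from the mount's xattrs
#   genfscon -> only a genfscon rule: labels are fixed by the policy
#   both     -> both rules present, which the thread says cannot be expressed
#   none     -> neither rule: the fs would be unlabeled, which SELinux rejects
classify_fs_rules() {
    fstype=$1
    has_xattr=0
    has_genfs=0
    while IFS= read -r line; do
        # Split the line into words; seinfo indents and appends ';' but the
        # first two fields are always "<rule-kind> <fstype>".
        # shellcheck disable=SC2086
        set -- $line
        [ $# -ge 2 ] || continue
        case "$1" in
            fs_use_xattr)
                if [ "$2" = "$fstype" ]; then has_xattr=1; fi ;;
            genfscon)
                if [ "$2" = "$fstype" ]; then has_genfs=1; fi ;;
        esac
    done
    if [ "$has_xattr" -eq 1 ] && [ "$has_genfs" -eq 1 ]; then
        echo both
    elif [ "$has_xattr" -eq 1 ]; then
        echo xattr
    elif [ "$has_genfs" -eq 1 ]; then
        echo genfscon
    else
        echo none
    fi
}

# Constructed sample (not real seinfo output): virtiofs carries the
# fs_use_xattr rule the thread argues should be the default, proc and sysfs
# are genfscon-labeled, and tmpfs is deliberately missing.
SAMPLE_RULES='fs_use_xattr ext4 system_u:object_r:fs_t:s0;
   fs_use_xattr virtiofs system_u:object_r:fs_t:s0;
   genfscon proc / system_u:object_r:proc_t:s0
   genfscon sysfs / system_u:object_r:sysfs_t:s0'

# policy_rule_for FSTYPE
# Live-system variant: feed the loaded policy's rules into the classifier.
# Assumes setools' seinfo(1); its count header lines are ignored by the
# classifier because their first word is not a rule kind.
policy_rule_for() {
    { seinfo --fs_use; seinfo --genfscon; } 2>/dev/null | classify_fs_rules "$1"
}

# mount_has_selinux_xattr PATH
# Returns 0 if the filesystem behind PATH answers a getxattr for
# security.selinux, i.e. what fs_use_xattr labeling needs from a virtiofs
# export (virtiofsd must have been started with xattr support). Assumes
# attr's getfattr(1).
mount_has_selinux_xattr() {
    getfattr --absolute-names --only-values -n security.selinux "$1" >/dev/null 2>&1
}

# Usage on a live guest:  sh check-fs-labeling.sh virtiofs /mnt/shared
if [ -n "${1-}" ]; then
    echo "policy rule for $1: $(policy_rule_for "$1")"
    if [ -n "${2-}" ]; then
        if mount_has_selinux_xattr "$2"; then
            echo "$2 serves security.selinux (fs_use_xattr labeling can work)"
        else
            echo "$2 does not serve security.selinux (only genfscon could label it)"
        fi
    fi
fi
```

Run offline, the classifier answers `xattr` for virtiofs, `genfscon` for proc and `none` for tmpfs on the sample; the interesting live case is the one Vivek describes, where the policy says `xattr` for virtiofs but the mount check fails because virtiofsd was started without xattr support.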