Bug 1899703

Summary: [selinux-policy]: Support virtiofs filesystem
Product: Red Hat Enterprise Linux 8
Reporter: Vivek Goyal <vgoyal>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: high
Priority: high
Version: 8.4
CC: dgilbert, dwalsh, jerinjohn2, lvrabec, mmalik, mszeredi, omosnace, plautrba, ssekidde, stefanha
Target Milestone: rc
Keywords: Triaged
Target Release: 8.5
Hardware: Unspecified
OS: Linux
Fixed In Version: selinux-policy-3.14.3-72.el8
Doc Type: No Doc Update
Story Points: ---
Last Closed: 2021-11-09 19:42:29 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1915825

Description Vivek Goyal 2020-11-19 19:51:29 UTC
Description of problem:

Looks like selinux policy does not know about virtiofs filesystem. So when
I do "chcon unconfined_u:object_r:admin_home_t:s0 /mnt/virtiofs/bar.txt", I
get error "-EOPNOTSUPP" from guest kernel.

Daniel Walsh mentioned that we need to modify selinux policy so that it knows about virtiofs. He opened a PR quickly.


https://github.com/fedora-selinux/selinux-policy/pull/478


Users want to support SELinux in guest and keep it disabled on host (for virtiofs). And package installation in guest is failing because restorecon
failed. Following is one of the reports.

https://www.redhat.com/archives/virtio-fs/2020-November/msg00102.html

Opening this bug to make sure we modify the policy to support this use case.


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Zdenek Pytela 2020-11-20 17:09:09 UTC
Note a custom selinux policy module can be used to work around:

# echo '(fsuse xattr virtiofs (system_u object_r fs_t ((s0) (s0))))' > virtiofs.cil 

# semodule -i virtiofs.cil 
# seinfo --fs_use | grep virtiofs
    fs_use_xattr virtiofs system_u:object_r:fs_t:s0;

Comment 2 Vivek Goyal 2020-11-20 18:48:15 UTC
(In reply to Zdenek Pytela from comment #1)
> Note a custom selinux policy module can be used to work around:
> 
> # echo '(fsuse xattr virtiofs (system_u object_r fs_t ((s0) (s0))))' >
> virtiofs.cil 
> 
> # semodule -i virtiofs.cil 
> # seinfo --fs_use | grep virtiofs
>     fs_use_xattr virtiofs system_u:object_r:fs_t:s0;

Thanks. I tried it and it works for me. I can successfully change the label on virtiofs file.

Comment 4 Zdenek Pytela 2021-05-07 17:07:29 UTC
This bz depends on bz#1915825, which may in turn be resolved with the major kernel selinux subsystem backport in bz#1934093.

Adding the rule as indicated in #c1 without the appropriate kernel change would lead to a regression: new virtiofs mounts would have the unlabeled_t type if the original fs did not support xattr or had selinux disabled.
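
A small preflight check that ties comment 1 and comment 4 together, added here as an illustration and not part of the bug or of selinux-policy itself: it parses `seinfo --fs_use` output to see whether the policy has an fs_use_xattr rule for virtiofs, lists virtiofs mounts from `/proc/mounts`, and for each mount reads the `security.selinux` xattr to detect the unlabeled_t outcome that comment 4 warns about. The sample seinfo and `/proc/mounts` text embedded below is constructed (the mount tag `share` and the mount point `/mnt/virtiofs` are made up), so the script runs offline; on a live guest it falls back to real data when `seinfo` is available.

```python
import os
import re
import subprocess

# Constructed sample of `seinfo --fs_use` output: the stock policy without a
# virtiofs line, and the same policy after the workaround module from comment 1.
SEINFO_BEFORE = """Fs_use: 5
   fs_use_xattr ext4 system_u:object_r:fs_t:s0;
   fs_use_xattr xfs system_u:object_r:fs_t:s0;
   fs_use_trans tmpfs system_u:object_r:tmpfs_t:s0;
   fs_use_task pipefs system_u:object_r:fs_t:s0;
   fs_use_task sockfs system_u:object_r:fs_t:s0;
"""
SEINFO_AFTER = SEINFO_BEFORE + "   fs_use_xattr virtiofs system_u:object_r:fs_t:s0;\n"

# Constructed /proc/mounts sample with one virtiofs mount (tag "share").
PROC_MOUNTS = """/dev/vda1 / xfs rw,seclabel,relatime,attr2,inode64 0 0
share /mnt/virtiofs virtiofs rw,relatime 0 0
tmpfs /tmp tmpfs rw,seclabel,nosuid,nodev 0 0
"""

FS_USE_RE = re.compile(r"^\s*(fs_use_\w+)\s+(\S+)\s+(\S+);\s*$")


def parse_fs_use(text):
    """Map filesystem name -> (labeling behavior, default context) from seinfo output."""
    rules = {}
    for line in text.splitlines():
        m = FS_USE_RE.match(line)
        if m:
            behavior, fsname, context = m.groups()
            rules[fsname] = (behavior, context)
    return rules


def virtiofs_mounts(mounts_text):
    """Return the mount points of all virtiofs mounts listed in /proc/mounts text."""
    points = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] == "virtiofs":
            points.append(fields[1])
    return points


def is_unlabeled(context):
    """True when the type field of an SELinux context is unlabeled_t."""
    parts = context.split(":")
    return len(parts) >= 3 and parts[2] == "unlabeled_t"


def current_label(path):
    """SELinux context of path as the guest kernel reports it (None if unavailable)."""
    try:
        raw = os.getxattr(path, "security.selinux")
    except (OSError, AttributeError):
        return None
    return raw.rstrip(b"\0").decode(errors="replace")


def assess(fs_use_text, mounts_text, label_of=lambda path: None):
    """Combine the policy view and the mount table into one report.

    label_of is injectable so the live xattr read can be swapped out; the
    default never touches the filesystem, which keeps the function usable
    on the constructed sample input.
    """
    rules = parse_fs_use(fs_use_text)
    covered = rules.get("virtiofs", (None, None))[0] == "fs_use_xattr"
    report = {"policy_knows_virtiofs": covered, "mounts": {}}
    for point in virtiofs_mounts(mounts_text):
        ctx = label_of(point)
        report["mounts"][point] = {
            "context": ctx,
            # The regression from comment 4: the policy says xattr, but the
            # host side returned no usable label, so files show up as unlabeled_t.
            "unlabeled": bool(ctx) and is_unlabeled(ctx),
        }
    return report


if __name__ == "__main__":
    try:
        fs_use_text = subprocess.run(["seinfo", "--fs_use"], capture_output=True,
                                     text=True, check=True).stdout
        with open("/proc/mounts") as fh:
            mounts_text = fh.read()
    except (OSError, subprocess.CalledProcessError):
        print("seinfo or /proc/mounts unavailable; using constructed sample data")
        fs_use_text, mounts_text = SEINFO_BEFORE, PROC_MOUNTS
    result = assess(fs_use_text, mounts_text, current_label)
    print("policy has fs_use_xattr for virtiofs:", result["policy_knows_virtiofs"])
    for point, info in result["mounts"].items():
        print(f"{point}: context={info['context']} unlabeled={info['unlabeled']}")
```

If the policy reports fs_use_xattr for virtiofs but every file on the mount comes back as unlabeled_t, the guest is in the situation comment 4 describes (policy rule present, kernel or host xattr support absent), and the fix is the kernel side from bz#1915825 rather than more policy.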

Comment 8 Zdenek Pytela 2021-06-28 09:56:12 UTC
Commit to backport:
commit 5580e9a576f759820dbc3387961ce58a959221dc
Author: Daniel J Walsh <dwalsh>
Date:   Fri Jan 29 10:46:20 2021 -0500

    virtiofs supports Xattrs and SELinux

Comment 15 errata-xmlrpc 2021-11-09 19:42:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4420

Comment 16 jerinjohn2 2022-05-18 15:48:17 UTC
@Vivek Goyal Could you please share the buffer value received from the host for the opcode fuse_xattribute from the guest.