Bug 1899703 - [selinux-policy]: Support virtiofs filesystem
Summary: [selinux-policy]: Support virtiofs filesystem
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.4
Hardware: Unspecified
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: 8.5
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On: 1915825
Blocks:
Reported: 2020-11-19 19:51 UTC by Vivek Goyal
Modified: 2022-05-18 15:48 UTC (History)

Fixed In Version: selinux-policy-3.14.3-72.el8
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-11-09 19:42:29 UTC
Type: Bug
Target Upstream Version:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2021:4420 0 None None None 2021-11-09 19:42:47 UTC

Internal Links: 1965786

Description Vivek Goyal 2020-11-19 19:51:29 UTC
Description of problem:

Looks like selinux policy does not know about virtiofs filesystem. So when
I do "chcon unconfined_u:object_r:admin_home_t:s0 /mnt/virtiofs/bar.txt", I
get error "-EOPNOTSUPP" from guest kernel.

Daniel Walsh mentioned that we need to modify selinux policy so that it knows about virtiofs. He opened a PR quickly.


https://github.com/fedora-selinux/selinux-policy/pull/478


Users want to support SELinux in guest and keep it disabled on host (for virtiofs). And package installation in guest is failing because restorecon
failed. Following is one of the reports.

https://www.redhat.com/archives/virtio-fs/2020-November/msg00102.html

Opening this bug to make sure we modify the policy to support this use case.


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Zdenek Pytela 2020-11-20 17:09:09 UTC
Note a custom selinux policy module can be used to work around:

# echo '(fsuse xattr virtiofs (system_u object_r fs_t ((s0) (s0))))' > virtiofs.cil 

# semodule -i virtiofs.cil 
# seinfo --fs_use | grep virtiofs
    fs_use_xattr virtiofs system_u:object_r:fs_t:s0;

Comment 2 Vivek Goyal 2020-11-20 18:48:15 UTC
(In reply to Zdenek Pytela from comment #1)
> Note a custom selinux policy module can be used to work around:
> 
> # echo '(fsuse xattr virtiofs (system_u object_r fs_t ((s0) (s0))))' >
> virtiofs.cil 
> 
> # semodule -i virtiofs.cil 
> # seinfo --fs_use | grep virtiofs
>     fs_use_xattr virtiofs system_u:object_r:fs_t:s0;

Thanks. I tried it and it works for me. I can successfully change the label on virtiofs file.

Comment 4 Zdenek Pytela 2021-05-07 17:07:29 UTC
This bz depends on bz#1915825, which may be in turn resolved with major kernel selinux subsystem backport in Red Hat bz#1934093.

Adding the rule as indicated in #c1 without the appropriate kernel change would lead to regression: new virtiofs mounts would have unlabeled_t type if the original fs did not support xattr or had selinux disabled.
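
The workaround in comment 1 and the caveat in comment 4 together describe a check an administrator wants before and after installing the CIL module: does the loaded policy have an fs_use rule for virtiofs, which virtiofs mounts are affected, and do files on them actually come back with a real context rather than unlabeled_t once the rule is loaded. The following Python is an added example, not code from the bug report or from the selinux-policy project; it parses `seinfo --fs_use` output and a /proc/self/mounts-style table (sample lines below are constructed), builds the `(fsuse ...)` CIL statement from a plain context string, and probes a path's security.selinux xattr. All function names are this example's own.

```python
"""Added example (not from this bug report): check virtiofs labeling coverage.

Given the output of `seinfo --fs_use` and a /proc/self/mounts-style table,
report virtiofs mounts that the loaded policy has no fs_use rule for, build the
CIL fsuse statement from a plain SELinux context string, and optionally probe a
path's security.selinux xattr to confirm the kernel/filesystem pair really
labels files. Function and constant names are this example's own.
"""
import errno
import os
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# One line of `seinfo --fs_use` output, e.g.
#     fs_use_xattr virtiofs system_u:object_r:fs_t:s0;
FS_USE_RE = re.compile(r"^\s*fs_use_(\w+)\s+(\S+)\s+(\S+?);?\s*$")


def parse_fs_use(output: str) -> Dict[str, Tuple[str, str]]:
    """Map filesystem type -> (labeling behaviour, default context)."""
    rules: Dict[str, Tuple[str, str]] = {}
    for line in output.splitlines():
        m = FS_USE_RE.match(line)
        if m:
            behaviour, fstype, ctx = m.groups()
            rules[fstype] = (behaviour, ctx)
    return rules


def parse_mounts(mount_table: str, fstype: str = "virtiofs") -> List[str]:
    """Mount points of the given fstype from /proc/self/mounts-style text."""
    # Fields per line: source mountpoint fstype options dump pass
    return [f[1] for f in (line.split() for line in mount_table.splitlines())
            if len(f) >= 3 and f[2] == fstype]


def uncovered_mounts(fs_use_output: str, mount_table: str,
                     fstype: str = "virtiofs") -> List[str]:
    """Mount points whose fstype has no fs_use rule in the loaded policy.

    Without such a rule the kernel refuses to set security.selinux on the
    superblock, which is the EOPNOTSUPP that chcon reports in the description.
    """
    if fstype in parse_fs_use(fs_use_output):
        return []
    return parse_mounts(mount_table, fstype)


def cil_fsuse_rule(fstype: str, context: str, behaviour: str = "xattr") -> str:
    """Turn user:role:type:level into the CIL statement from comment 1.

    Only plain sensitivity levels (s0, s0-s0) are handled; MCS category sets
    are rejected rather than mis-encoded.
    """
    parts = context.split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"expected user:role:type:level, got {context!r}")
    user, role, type_, mls = parts
    low, _, high = mls.partition("-")
    high = high or low
    for level in (low, high):
        if ":" in level:
            raise ValueError("category sets are not handled by this example")
    return f"(fsuse {behaviour} {fstype} ({user} {role} {type_} (({low}) ({high}))))"


def probe_label(path: str) -> Optional[str]:
    """Read security.selinux on path; None when the fs/kernel cannot label it."""
    try:
        raw = os.getxattr(path, "security.selinux")
    except OSError as exc:
        if exc.errno in (errno.ENOTSUP, errno.ENODATA):
            return None
        raise
    return raw.rstrip(b"\0").decode()


def is_unlabeled(context: Optional[str]) -> bool:
    """True when a probed context is the unlabeled_t fallback from comment 4."""
    return context is None or context.split(":")[2] == "unlabeled_t"


if __name__ == "__main__":
    # Live check on a RHEL guest: needs setools (seinfo) and a mounted virtiofs.
    try:
        fs_use = subprocess.run(["seinfo", "--fs_use"], capture_output=True,
                                text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        raise SystemExit(f"cannot run seinfo: {exc}")
    with open("/proc/self/mounts") as fh:
        mounts = fh.read()
    for mnt in uncovered_mounts(fs_use, mounts):
        print(f"{mnt}: no fs_use rule for virtiofs in loaded policy")
        print("  workaround module:", cil_fsuse_rule("virtiofs", "system_u:object_r:fs_t:s0"))
    for mnt in parse_mounts(mounts):
        ctx = probe_label(mnt)
        print(f"{mnt}: {ctx} {'(UNLABELED)' if is_unlabeled(ctx) else ''}")
```

Run the live check before installing the module to see which mounts are affected, and again afterwards: a mount that still probes as unlabeled_t with the rule loaded is the kernel-side regression comment 4 warns about, not a policy problem.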

Comment 8 Zdenek Pytela 2021-06-28 09:56:12 UTC
Commit to backport:
commit 5580e9a576f759820dbc3387961ce58a959221dc
Author: Daniel J Walsh <dwalsh>
Date:   Fri Jan 29 10:46:20 2021 -0500

    virtiofs supports Xattrs and SELinux

Comment 15 errata-xmlrpc 2021-11-09 19:42:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4420

Comment 16 jerinjohn2 2022-05-18 15:48:17 UTC
@Vivek Goyal Could you please share the buffer value received from host for the opcode fuse_xattribute from Guest.