On 2/10/20 11:06 AM, Stefan Hajnoczi wrote:
> Hi Dan,
> I've CCed the public virtio-fs mailing list because SELinux support in
> virtio-fs has been asked about recently.
>
> It's time to figure out what level of SELinux support will be available
> in virtio-fs. The file system client shares most of its code with FUSE
> and SELinux labels on files are currently not supported in FUSE.
>
> It would be possible to pass through extended attributes to the
> virtiofsd daemon running on the host. However, passing through xattrs
> allows the client to relabel files on the host file system and this
> could pose a security problem. virtiofsd already allows the client to
> set the uid/gid and permissions, but is passing through SELinux xattrs a
> bad idea?
>
> virtiofsd is in a position to mangle extended attribute names
> ("security.selinux" -> "virtiofs.security.selinux") in order to separate
> guest SELinux labels from host SELinux labels.
>
> As someone who knows very little about SELinux I'm eager to hear what
> you think would be a good approach. Secure containers (e.g. Kata
> Containers) are an important use case but virtio-fs can also be used as
> the root file system for a guest (a scenario where full SELinux support
> is needed).
>
> Thanks,
> Stefan

I am traveling right now. We should add in the SELinux team, and I will be able to look at this on Friday.
Virtio-fs mailing list: https://www.redhat.com/mailman/listinfo/virtio-fs
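The name-mangling idea raised in Stefan's message (storing the guest's "security.selinux" on the host as "virtiofs.security.selinux" so guest and host labels never share a name) can be sketched as a pair of mapping functions plus a listxattr filter. The following is an added example written for this page; it is not virtiofsd code and not something either participant proposed beyond the one-line idea in the message. The prefix "virtiofs." is taken from the message; the function names, the hide/reject policy and the sample listxattr buffer are assumptions of this example. One caveat a practitioner should keep in mind: Linux only accepts extended attribute names in the user., trusted., security. and system. namespaces, so a real daemon would have to place the mangled name inside one of those rather than use the bare prefix shown here.

```c
/* Added example, not virtiofsd code. Guest <-> host xattr name mapping
 * that separates guest SELinux labels from host labels by prefixing
 * security.* names with an assumed "virtiofs." prefix (from the thread).
 * Real-world note: the kernel only accepts user./trusted./security./system.
 * names, so a real implementation must pick a prefix inside one of those. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MANGLE_PREFIX "virtiofs."   /* assumed prefix from the message */
#define GUEST_NS      "security."   /* the namespace we keep separate  */

static int has_prefix(const char *s, const char *p)
{
    return strncmp(s, p, strlen(p)) == 0;
}

/* Guest name -> host name. security.* is mangled, other names pass through.
 * A guest name already inside the mangle prefix is rejected so the guest
 * cannot reach the host-side namespace directly.
 * Returns 0 on success, -EPERM if rejected, -ENAMETOOLONG on overflow. */
int xattr_guest_to_host(const char *guest, char *out, size_t outlen)
{
    int n;
    if (has_prefix(guest, MANGLE_PREFIX))
        return -EPERM;
    if (has_prefix(guest, GUEST_NS))
        n = snprintf(out, outlen, "%s%s", MANGLE_PREFIX, guest);
    else
        n = snprintf(out, outlen, "%s", guest);
    if (n < 0 || (size_t)n >= outlen)
        return -ENAMETOOLONG;
    return 0;
}

/* Host name -> guest name. A mangled security.* name is unmangled; the
 * host's own security.* labels (and anything else in the mangle prefix
 * that this mapping would never have produced) are hidden from the guest.
 * Returns 1 if the guest may see the name, 0 if hidden, -ENAMETOOLONG. */
int xattr_host_to_guest(const char *host, char *out, size_t outlen)
{
    const char *src = host;
    int n;
    if (has_prefix(host, MANGLE_PREFIX)) {
        src = host + strlen(MANGLE_PREFIX);
        if (!has_prefix(src, GUEST_NS))
            return 0;
    } else if (has_prefix(host, GUEST_NS)) {
        return 0;
    }
    n = snprintf(out, outlen, "%s", src);
    if (n < 0 || (size_t)n >= outlen)
        return -ENAMETOOLONG;
    return 1;
}

/* Rewrite a listxattr(2)-style buffer (NUL-separated names, listlen bytes)
 * from the host into the guest's view. Returns bytes written to out, or
 * (size_t)-1 if the input is malformed or out is too small. */
size_t xattr_list_host_to_guest(const char *list, size_t listlen,
                                char *out, size_t outlen)
{
    size_t used = 0, pos = 0;
    while (pos < listlen) {
        const char *name = list + pos;
        const char *end = memchr(name, '\0', listlen - pos);
        char tmp[256];            /* XATTR_NAME_MAX is 255 on Linux */
        size_t need;
        int r;
        if (!end)
            return (size_t)-1;    /* unterminated name: refuse it */
        r = xattr_host_to_guest(name, tmp, sizeof tmp);
        pos = (size_t)(end - list) + 1;
        if (r <= 0)
            continue;             /* hidden or unrepresentable: drop */
        need = strlen(tmp) + 1;
        if (used + need > outlen)
            return (size_t)-1;
        memcpy(out + used, tmp, need);
        used += need;
    }
    return used;
}

int main(void)
{
    /* Constructed host-side listxattr result: a host label, a user attr,
     * and a guest label that was stored mangled. */
    const char host_list[] =
        "security.selinux\0user.foo\0virtiofs.security.selinux\0";
    char guest_list[128];
    size_t n = xattr_list_host_to_guest(host_list, sizeof host_list - 1,
                                        guest_list, sizeof guest_list);
    size_t pos = 0;
    printf("guest sees:\n");
    while (pos < n) {
        printf("  %s\n", guest_list + pos);
        pos += strlen(guest_list + pos) + 1;
    }
    return 0;
}
```

The filter is where the separation actually becomes visible: the host's own "security.selinux" never appears in the guest's listing, and the guest only ever sees its own label under its unmangled name. The reject in xattr_guest_to_host is the check that stops a guest from writing into the mangled namespace by spelling the prefixed name itself.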
