From: "Harry G. Coin" <hgcoin@gmail.com>
To: virtio-fs@redhat.com
Subject: Re: [Virtio-fs] virtiofs and its optional xattr support vs. fs_use_xattr
Date: Mon, 7 Dec 2020 15:06:07 -0600
Message-ID: <0d6f34cf-e28e-0035-2c97-4ce8f76e7ef7@gmail.com>
In-Reply-To: <20201207205209.GD3107@redhat.com>
On 12/7/20 2:52 PM, Vivek Goyal wrote:
> On Mon, Dec 07, 2020 at 10:03:24AM -0500, Paul Moore wrote:
>> On Mon, Dec 7, 2020 at 9:43 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
>>> Hi everyone,
>>>
>>> In [1] we ran into a problem with the current handling of filesystem
>>> labeling rules. Basically, it is only possible to specify either
>>> genfscon or fs_use_xattr for a given filesystem, but in the case of
>>> virtiofs, certain mounts may support security xattrs, while other ones
>>> may not.
> [ cc virtio-fs list and miklos ]
>> Quickly skimming the linked GH issue, it appears that the problem
>> really lies in the fact that virtiofs allows one to enable/disable
>> xattrs at mount time. What isn't clear to me is why one would need to
>> disable xattrs, can you explain that use case? Why does enabling
>> xattrs in virtiofs cause problems?
> It's not exactly a mount time option. It's a virtiofs file server option.
>
> xattr support by default is disabled because it has performance
> penalty. Users can enable it if they want to.
>
> So if virtiofsd starts without xattr support and somebody runs a
> VM with SELinux enabled, they should still be able to mount virtiofs,
> I guess (instead of failing it).
I think the earlier virtio mount docs permitted an immutable SELinux
spec for everything in a virtiofs mount, whether or not the
underlying host had xattrs enabled. Should the mount fail or should
there be a default SELinux spec for the case where there are no xattrs in the
host and SELinux is running? There's a question for which good
arguments exist on both sides. Case: I installed a package that had
'restorecon' commands in the install script, but that otherwise
presupposed no SELinux awareness on the user's part. All the 'I want
it to just work' users saw was a failed package installation. They post
a bug to the package maintainers, who then post a bug to the selinux
devs. The SELinux support folks all say 'well it worked for us', and all
the virtiofs users running on xattr-enabled hosts 'see no problem'.
Prevent that frustration: it's better to fail at mount time on the
guest if selinux is enabled on the guest and xattrs are not available
in the host, with a very visible 'do this to fix it' error message.
That way you generate awareness of a 'selinux issue' before it's a mystery.
Harry
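As an added illustration (not code from this thread or from the virtiofs project), a guest-side probe that distinguishes a mount whose filesystem rejects security xattrs (ENOTSUP) from one that supports them but has no label yet (ENODATA), and fails loudly when SELinux is enforcing and labels cannot be stored, which is the visible failure this message argues for. The thread does not name the virtiofsd option that enables xattrs, so the hint text stays generic; the `getxattr` parameter is injectable only so the logic can be exercised without a real virtiofs mount.

```python
import errno
import os
from enum import Enum


class XattrSupport(Enum):
    LABELED = "labeled"          # security.selinux present: per-file labels work
    UNLABELED = "unlabeled"      # xattrs supported, inode simply has no label yet
    UNSUPPORTED = "unsupported"  # filesystem rejects security xattrs (ENOTSUP)


def probe_security_xattr(path, getxattr=None):
    """Classify security-xattr support at `path` by reading security.selinux.

    `getxattr` defaults to os.getxattr; tests pass a stand-in that raises
    the errno a virtiofs mount would return.
    """
    if getxattr is None:
        getxattr = os.getxattr
    try:
        getxattr(path, "security.selinux")
        return XattrSupport.LABELED
    except OSError as e:
        if e.errno in (errno.ENOTSUP, errno.EOPNOTSUPP):
            return XattrSupport.UNSUPPORTED
        if e.errno == errno.ENODATA:
            return XattrSupport.UNLABELED
        raise


def selinux_enforcing(enforce_file="/sys/fs/selinux/enforce"):
    """True when the guest has SELinux in enforcing mode; False if not enabled."""
    try:
        with open(enforce_file) as f:
            return f.read().strip() == "1"
    except OSError:
        return False


def check_mount(path, enforcing, getxattr=None):
    """Return (ok, message). Refuses clearly, instead of letting a later
    restorecon in some package script fail mysteriously."""
    support = probe_security_xattr(path, getxattr)
    if support is XattrSupport.UNSUPPORTED and enforcing:
        return False, (f"{path}: filesystem does not support security xattrs while "
                       "SELinux is enforcing, so per-file labels cannot be stored. "
                       "Start virtiofsd with xattr support or label the mount as a "
                       "whole (genfscon) instead of relying on fs_use_xattr.")
    return True, f"{path}: {support.value}"


if __name__ == "__main__":
    ok, msg = check_mount("/", selinux_enforcing())
    print(("OK   " if ok else "FAIL ") + msg)
```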