unprivileged qemu (svirt_t) and virtiofs #2124

cgwalters · 2024-05-17T14:15:01Z

Trying to enable a virtiofs mount for a domain with unprivileged libvirt gives:

May 17 10:09:38 xenon audit[1556282]: AVC avc:  denied  { connectto } for  pid=1556282 comm="qemu-system-x86" path="/var/home/walters/.config/libvirt/qemu/lib/domain-12-podman-bootc-8cb7ffb/fs0-fs.sock" scontext=unconfined_u:unconfined_r:svirt_t:s0:c156,c869 tcontext=unconfined_u:unconfined_r:unconfined_t:s0:c156,c869 tclass=unix_stream_socket permissive=1

I think to fix this, we'd need to also have libvirt fork virtiofsd under svirt_t? Or ensure that the target socket is labeled.

A workaround here is to turn off "svirt" by adding e.g. <seclabel type='none'/> to the domain XML.

The text was updated successfully, but these errors were encountered:

Prep for adding virtiofs support. See fedora-selinux/selinux-policy#2124 for the tracker. Signed-off-by: Colin Walters <walters@verbum.org>

zpytela · 2024-08-07T17:46:34Z

Resolved some time ago.

f41# sesearch -A -s svirt_t -t unconfined_t -c unix_stream_socket -p connectto
allow svirt_t unconfined_t:unix_stream_socket connectto;

cgwalters added a commit to cgwalters/podman-bootc-cli that referenced this issue May 17, 2024

libvirt: Disable sVirt (SELinux) separation

116b5d1

Prep for adding virtiofs support. See fedora-selinux/selinux-policy#2124 for the tracker. Signed-off-by: Colin Walters <walters@verbum.org>

zpytela closed this as completed Aug 7, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

unprivileged qemu (svirt_t) and virtiofs #2124

unprivileged qemu (svirt_t) and virtiofs #2124

cgwalters commented May 17, 2024

zpytela commented Aug 7, 2024

unprivileged qemu (svirt_t) and virtiofs #2124

unprivileged qemu (svirt_t) and virtiofs #2124

Comments

cgwalters commented May 17, 2024

zpytela commented Aug 7, 2024