SELinux with Libvirt VM in ZFS filesystem

I’m trying to enable SELinux enforcing status on a Fedora host while running a VM inside a ZFS filesystem. The problem is that SELinux requires the virt_image_t context on the folder with the VM’s image, and it seems like ZFS does not support the virt_image_t context on or inside its filesystem.

The problem occurs when running:

chcon -R -t virt_image_t /path/to/folder/with/vm/image

The command returns “Operation not supported”.

Is the path on a filesystem which supports xattrs (as in, no symlinks outside of ZFS, etc.)? Try running the command under strace (just put strace before it) and see which syscall returns -1.

If it fails on a getxattr or setxattr, then that’s likely it.

ZFS has normally supported everything SELinux needs for a long time.

edit: If the context property on a dataset is set to something other than none, I’d guess that would cause it too.

You can’t change context labels if SELinux is disabled; if that’s your case, then set it to permissive mode instead if you need to temporarily.

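The diagnosis suggested in the reply above (SELinux mode, the dataset’s context property, and which xattr syscall chcon trips on) plus the persistent fcontext fix from the end of the thread, collected into one small script. This is an added example, not code from either poster; IMG_DIR, DATASET and the strace sample are assumed placeholders, and the fcontext rule is widened from the single directory in the thread to the directory and its contents.

```shell
#!/bin/sh
# Added helper for the thread above; not the posters' own script.
# Assumed placeholders: IMG_DIR (directory holding the VM image) and
# DATASET (the ZFS dataset that contains it). Adjust both before use.
IMG_DIR="${IMG_DIR:-/path/to/folder/with/vm/image}"
DATASET="${DATASET:-tank/vms}"

# Constructed strace output (not captured from the thread) showing what a
# failing chcon looks like; the real run happens in diagnose() below.
SAMPLE_STRACE='lgetxattr("/tank/vms", "security.selinux", "system_u:object_r:unlabeled_t:s0", 255) = 35
setxattr("/tank/vms", "security.selinux", "system_u:object_r:virt_image_t:s0", 34, 0) = -1 EOPNOTSUPP (Operation not supported)'

# Read strace text on stdin and print "<syscall> <errno>" for the first call
# that returned -1 (empty output means nothing failed).
failing_syscall() {
  sed -n 's/^\([a-z0-9_]*\)(.*) = -1 \([A-Z]*\).*/\1 \2/p' | head -n 1
}

# Step 1: SELinux mode, the dataset's context property (anything other than
# "none" overrides per-file labels), and which xattr syscall chcon fails on.
diagnose() {
  printf 'selinux mode: %s\n' "$(getenforce)"
  printf 'zfs context property: %s\n' "$(zfs get -H -o value context "$DATASET")"
  strace -e trace=setxattr,lsetxattr,fsetxattr -o /tmp/chcon.strace \
    chcon -t virt_image_t "$IMG_DIR" 2>/dev/null || true
  printf 'failing call: %s\n' "$(failing_syscall < /tmp/chcon.strace)"
}

# Step 2: the persistent fix from the last post, widened to cover the
# directory and everything under it so restorecon keeps the label later.
apply_context() {
  semanage fcontext -a -t virt_image_t "${IMG_DIR}(/.*)?"
  restorecon -Rv "$IMG_DIR"
}

case "${1:-}" in
  diagnose) diagnose ;;
  apply) apply_context ;;
esac
```

Run it as `sh script.sh diagnose` first; only run `apply` once the diagnosis shows SELinux enabled and the dataset’s context property set to none.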

Yeah, the filesystem supports xattrs and has no symlinks outside. Strangely, it only doesn’t want to add the “virt_image_t” context, but other contexts work. Also, another folder inside ZFS allows adding “virt_image_t”, just not the one I wanted.

With help from strace, chcon trips at setxattr and returns -1. Btw, nice tool, thx.

I didn’t find the answer why chcon didn’t want to work, so I just did: semanage fcontext -a -f a -t virt_image_t -r 's0' '/path/to/folder/' && restorecon -v '/path/to/folder/'

Now the context is correct.