I’m trying to enable SELinux enforcing status on a Fedora host while running a VM inside a ZFS filesystem. The problem is that SELinux requires the virt_image_t context on the folder with the VM’s image, and it seems like ZFS does not support the virt_image_t context on or inside its filesystem.
Is the path on a filesystem which supports xattrs (as in, no symlinks outside of ZFS etc)? Try running the command under strace (just put strace before it) and see which syscall returns -1.
If it fails on a getxattr or setxattr then it’s likely that.
ZFS has normally supported everything SELinux needs, for a long time.
edit: If the context property on a dataset is something other than none, I’d guess that’d cause it too.
Yeah, the filesystem supports xattrs and has no symlinks outside. Strangely, it only doesn’t want to add the “virt_image_t” context, but other contexts work. Also, another folder inside ZFS allows adding “virt_image_t”, just not the one I wanted.
With help from strace, chcon trips at setxattr and returns -1. Btw, nice tool, thx.
I didn’t find an answer as to why chcon didn’t want to work, so I just did semanage fcontext -a -f a -t virt_image_t -r 's0' '/path/to/folder/' && restorecon -v '/path/to/folder/'
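The strace step suggested in the thread, as an added example that is not part of the original posts: a filter that picks the failed xattr syscalls out of strace output and prints the errno, which is the detail that separates an unsupported label from a permission problem. The function name `failed_xattr_calls`, the path `/tank/vm` and the sample trace (including its errno, which the thread does not report) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reads strace output on stdin and prints
# one line per failed xattr syscall: <syscall> <errno> <path-or-fd>
#
# Typical use (strace writes to stderr, hence 2>&1):
#   strace -f -e trace=setxattr,lsetxattr,fsetxattr \
#       chcon -t virt_image_t /path/to/folder 2>&1 | failed_xattr_calls

failed_xattr_calls() {
    awk '
    # Any set/get/list/remove xattr call (plain, l* or f* variant) that
    # returned -1. A "[pid N]" prefix from strace -f is tolerated because
    # match() searches the whole line.
    match($0, /[lf]?(set|get|list|remove)xattr\(/) && / = -1 [A-Z0-9]+/ {
        call = substr($0, RSTART, RLENGTH - 1)   # syscall name without "("
        rest = substr($0, RSTART + RLENGTH)      # argument list onwards

        # First argument: quoted path, or a bare fd for the f* variants.
        n = index(rest, ",")
        target = (n > 0) ? substr(rest, 1, n - 1) : rest
        gsub(/"/, "", target)

        # The errno name is the first word after "= -1 ".
        err = $0
        sub(/.* = -1 /, "", err)
        sub(/ .*/, "", err)

        print call, err, target
    }'
}

# Constructed sample trace: the read of the current label succeeds,
# the write of the new label fails.
SAMPLE='lgetxattr("/tank/vm", "security.selinux", "system_u:object_r:unlabeled_t:s0", 255) = 32
setxattr("/tank/vm", "security.selinux", "system_u:object_r:virt_image_t:s0", 34, 0) = -1 EOPNOTSUPP (Operation not supported)
write(2, "chcon: failed to change context"..., 31) = 31'

printf '%s\n' "$SAMPLE" | failed_xattr_calls
```
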