Re: [systemd-devel] 219/Fedora22: NFS mounts do not set SELINUX label to nfs_t: errno=-22

2015-05-28 Thread Daniel J Walsh


On 05/26/2015 09:46 AM, Lennart Poettering wrote:
 On Sun, 24.05.15 15:01, Anthony Alba (ascanio.al...@gmail.com) wrote:

 Hi,

 On Fedora 22, systemd 219, NFS mounts no longer acquire a default label 
 nfs_t.

 mount 192.168.1.6:/var/exports/1 1 -orootcontext=system_u:object_r:nfs_t
 mount.nfs: an incorrect mount option was specified
 [ 8316.276744] SELinux:
 security_context_to_sid(system_u:object_r:nfs_t) failed for (dev 0:51,
 type nfs4) errno=-22


 To my surprise, it seems to acquire labels from the NFS server (Fedora
 22/nfs4)  - how is this possible?

 But..it breaks libvirtd/kvm: it sees the right label if this were a
 local filesystem but audit2allow complains:


 ls -lZ guestfs/centos7.img
 -rw-r--r--. 1 qemu qemu system_u:object_r:virt_image_t:s0 22987538432
 May 24 14:56 guestfs/centos7.img
 ## for an image in /var/lib/libvirt this is the correct label.
 ## I do not know how it figured that from the NFS server

 SELinux is preventing qemu-system-x86 from read access on the file
 centos7.img (on NFS share).

 On Fedora 21, the files acquire the label nfs_t and setsebool -P
 virt_use_nfs=on

 This is unlikely to be related to systemd, we don't really do anything
 special with NFS and especially not its selinux support. We simply
 invoke util-linux' mount command, which in turn calls mount.nfs of the
 nfs-utils package.

 Please contact the nfs-utils guys,

 thank you,

 Lennart


nfs_t should be by default for labels.  The example you have was not
using a complete label.

mount 192.168.1.6:/var/exports/1 1 -orootcontext=system_u:object_r:nfs_t
mount.nfs: an incorrect mount option was specified
[ 8316.276744] SELinux:
security_context_to_sid(system_u:object_r:nfs_t) failed for (dev 0:51,
type nfs4) errno=-22

The label should be

system_u:object_r:nfs_t:s0
not
system_u:object_r:nfs_t

NFS does now support labeling if you use a RHEL7 or Fedora-based server
and client.  But it should still default to nfs_t.
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
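
The reply above attributes the `errno=-22` failure to a context missing its level field. As an added example (not part of the thread or of any project mentioned in it), a pre-flight check for SELinux context mount options; the function names `check_context` and `check_mount_opts` are hypothetical, and an MLS/MCS-enabled policy is assumed:

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for SELinux context
# mount options. Assumes an MLS/MCS-enabled policy, where a context has the
# form user:role:type:level.

# check_context CTX: print a diagnosis; return 0 only if CTX is well formed.
check_context() {
    case $1 in
        :*|*::*|*:) echo "malformed: empty field"; return 2 ;;
        *:*:*:*)    ;;  # four or more fields; the level may hold colons
        *:*:*)      echo "missing level: try $1:s0"; return 1 ;;
        *)          echo "malformed: need user:role:type:level"; return 2 ;;
    esac
    ctx_level=${1#*:*:*:}          # strip the "user:role:type:" prefix
    case $ctx_level in
        s[0-9]*) echo "ok"; return 0 ;;
        *)       echo "invalid level: $ctx_level"; return 2 ;;
    esac
}

# check_mount_opts OPTS: check every SELinux context option in a "-o" string.
# Category sets containing commas (which must be quoted for mount) are not
# handled by this simple comma split.
check_mount_opts() {
    opts_rc=0
    old_ifs=$IFS; IFS=,; set -f
    set -- $1                      # split the option string on commas
    set +f; IFS=$old_ifs
    for opt in "$@"; do
        case $opt in
            context=*|fscontext=*|defcontext=*|rootcontext=*)
                status=$(check_context "${opt#*=}") || opts_rc=1
                echo "${opt%%=*}: $status"
                ;;
        esac
    done
    return $opts_rc
}

# Constructed inputs: the option from the thread, then the corrected form.
check_mount_opts "rootcontext=system_u:object_r:nfs_t" || true
check_mount_opts "rootcontext=system_u:object_r:nfs_t:s0"
```
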


Re: [systemd-devel] 219/Fedora22: NFS mounts do not set SELINUX label to nfs_t: errno=-22

2015-05-26 Thread Lennart Poettering
On Sun, 24.05.15 15:01, Anthony Alba (ascanio.al...@gmail.com) wrote:

 Hi,
 
 On Fedora 22, systemd 219, NFS mounts no longer acquire a default label nfs_t.
 
 mount 192.168.1.6:/var/exports/1 1 -orootcontext=system_u:object_r:nfs_t
 mount.nfs: an incorrect mount option was specified
 [ 8316.276744] SELinux:
 security_context_to_sid(system_u:object_r:nfs_t) failed for (dev 0:51,
 type nfs4) errno=-22
 
 
 To my surprise, it seems to acquire labels from the NFS server (Fedora
 22/nfs4)  - how is this possible?
 
 But..it breaks libvirtd/kvm: it sees the right label if this were a
 local filesystem but audit2allow complains:
 
 
 ls -lZ guestfs/centos7.img
 -rw-r--r--. 1 qemu qemu system_u:object_r:virt_image_t:s0 22987538432
 May 24 14:56 guestfs/centos7.img
 ## for an image in /var/lib/libvirt this is the correct label.
 ## I do not know how it figured that from the NFS server
 
 SELinux is preventing qemu-system-x86 from read access on the file
 centos7.img (on NFS share).
 
 On Fedora 21, the files acquire the label nfs_t and setsebool -P 
 virt_use_nfs=on

This is unlikely to be related to systemd, we don't really do anything
special with NFS and especially not its selinux support. We simply
invoke util-linux' mount command, which in turn calls mount.nfs of the
nfs-utils package.

Please contact the nfs-utils guys,

thank you,

Lennart


-- 
Lennart Poettering, Red Hat


[systemd-devel] 219/Fedora22: NFS mounts do not set SELINUX label to nfs_t: errno=-22

2015-05-24 Thread Anthony Alba
Hi,

On Fedora 22, systemd 219, NFS mounts no longer acquire a default label nfs_t.

mount 192.168.1.6:/var/exports/1 1 -orootcontext=system_u:object_r:nfs_t
mount.nfs: an incorrect mount option was specified
[ 8316.276744] SELinux:
security_context_to_sid(system_u:object_r:nfs_t) failed for (dev 0:51,
type nfs4) errno=-22


To my surprise, it seems to acquire labels from the NFS server (Fedora
22/nfs4)  - how is this possible?

But..it breaks libvirtd/kvm: it sees the right label if this were a
local filesystem but audit2allow complains:


ls -lZ guestfs/centos7.img
-rw-r--r--. 1 qemu qemu system_u:object_r:virt_image_t:s0 22987538432
May 24 14:56 guestfs/centos7.img
## for an image in /var/lib/libvirt this is the correct label.
## I do not know how it figured that from the NFS server

SELinux is preventing qemu-system-x86 from read access on the file
centos7.img (on NFS share).

On Fedora 21, the files acquire the label nfs_t and setsebool -P virt_use_nfs=on

Any ideas,

Anthony