On Fedora 22, systemd 219, NFS mounts no longer acquire a default label nfs_t.

mount 1 -orootcontext=system_u:object_r:nfs_t
mount.nfs: an incorrect mount option was specified
[ 8316.276744] SELinux:
security_context_to_sid(system_u:object_r:nfs_t) failed for (dev 0:51,
type nfs4) errno=-22

To my surprise, it seems to acquire labels from the NFS server (Fedora
22/nfs4)  - how is this possible?

But..it breaks libvirtd/kvm: it sees the "right" label if this were a
local filesystem but audit2allow complains:

ls -lZ guestfs/centos7.img
-rw-r--r--. 1 qemu qemu system_u:object_r:virt_image_t:s0 22987538432
May 24 14:56 guestfs/centos7.img
## for a image in /var/lib/libvirt this is the correct label.
## I do not know how it figured that from the NFS server

SELinux is preventing qemu-system-x86 from read access on the file
centos7.img (on NFS share).

On Fedora 21, the files acquire the label nfs_t and setsebool -P virt_use_nfs=on

Any ideas,

systemd-devel mailing list

Reply via email to