[systemd-devel] 219/Fedora22: NFS mounts do not set SELINUX label to nfs_t: errno=-22
Lennart Poettering
lennart at poettering.net
Tue May 26 06:46:20 PDT 2015
On Sun, 24.05.15 15:01, Anthony Alba (ascanio.alba7 at gmail.com) wrote:
> Hi,
>
> On Fedora 22, systemd 219, NFS mounts no longer acquire a default label nfs_t.
>
> mount 192.168.1.6:/var/exports/1 1 -orootcontext=system_u:object_r:nfs_t
> mount.nfs: an incorrect mount option was specified
> [ 8316.276744] SELinux:
> security_context_to_sid(system_u:object_r:nfs_t) failed for (dev 0:51,
> type nfs4) errno=-22
>
>
> To my surprise, it seems to acquire labels from the NFS server (Fedora
> 22/nfs4) - how is this possible?
>
> But..it breaks libvirtd/kvm: it sees the "right" label if this were a
> local filesystem but audit2allow complains:
>
>
> ls -lZ guestfs/centos7.img
> -rw-r--r--. 1 qemu qemu system_u:object_r:virt_image_t:s0 22987538432
> May 24 14:56 guestfs/centos7.img
> ## for a image in /var/lib/libvirt this is the correct label.
> ## I do not know how it figured that from the NFS server
>
> SELinux is preventing qemu-system-x86 from read access on the file
> centos7.img (on NFS share).
>
> On Fedora 21, the files acquire the label nfs_t and setsebool -P virt_use_nfs=on
This is unlikely to be related to systemd, we don't really do anything
special with NFS and especially not its selinux support. We simply
invoke util-linux' mount command, which in turn calls mount.nfs of the
nfs-utils package.
Please contact the nfs-utils guys,
thank you,
Lennart
--
Lennart Poettering, Red Hat
More information about the systemd-devel
mailing list