[systemd-devel] 219/Fedora22: NFS mounts do not set SELINUX label to nfs_t: errno=-22

Daniel J Walsh dwalsh at redhat.com
Thu May 28 03:16:03 PDT 2015 


On 05/26/2015 09:46 AM, Lennart Poettering wrote:
> On Sun, 24.05.15 15:01, Anthony Alba (ascanio.alba7 at gmail.com) wrote:
>
>> Hi,
>>
>> On Fedora 22, systemd 219, NFS mounts no longer acquire a default label nfs_t.
>>
>> mount 192.168.1.6:/var/exports/1 1 -orootcontext=system_u:object_r:nfs_t
>> mount.nfs: an incorrect mount option was specified
>> [ 8316.276744] SELinux:
>> security_context_to_sid(system_u:object_r:nfs_t) failed for (dev 0:51,
>> type nfs4) errno=-22
>>
>>
>> To my surprise, it seems to acquire labels from the NFS server (Fedora
>> 22/nfs4)  - how is this possible?
>>
>> But..it breaks libvirtd/kvm: it sees the "right" label if this were a
>> local filesystem but audit2allow complains:
>>
>>
>> ls -lZ guestfs/centos7.img
>> -rw-r--r--. 1 qemu qemu system_u:object_r:virt_image_t:s0 22987538432
>> May 24 14:56 guestfs/centos7.img
>> ## for a image in /var/lib/libvirt this is the correct label.
>> ## I do not know how it figured that from the NFS server
>>
>> SELinux is preventing qemu-system-x86 from read access on the file
>> centos7.img (on NFS share).
>>
>> On Fedora 21, the files acquire the label nfs_t and setsebool -P virt_use_nfs=on
> This is unlikely to be related to systemd, we don't really do anything
> special with NFS and especially not its selinux support. We simply
> invoke util-linux' mount command, which in turn calls mount.nfs of the
> nfs-utils package.
>
> Please contact the nfs-utils guys,
>
> thank you,
>
> Lennart
>
>
nfs_t should be by default for labels.  The example you have was not
using a complete label.

mount 192.168.1.6:/var/exports/1 1 -orootcontext=system_u:object_r:nfs_t
mount.nfs: an incorrect mount option was specified
[ 8316.276744] SELinux:
security_context_to_sid(system_u:object_r:nfs_t) failed for (dev 0:51,
type nfs4) errno=-22

The label should be

system_u:object_r:nfs_t:s0
not
system_u:object_r:nfs_t

Nfs does now support labeling if you use a RHEL7 or Fedora based server
and client.  But it should still default to nfs_t

More information about the systemd-devel mailing list