"permission denied" passthrough 9p filesystem share

This could be a duplicate of #1346100 (which is already closed) but instead of opening another bug I thought I’d ask here first.

I’m trying to share a local directory to a virtual machine via virtiofs:

$ virsh dumpxml opensuse0 | grep -A5 mapped
    <filesystem type='mount' accessmode='mapped'>
      <source dir='/home/christian/Desktop/test'/>
      <target dir='test'/>
      <alias name='fs0'/>
      <address type='pci' domain='0x0000' bus='0x08' slot='0x00' function='0x0'/>
    </filesystem>

$ ls -Zd ~/Desktop/test/
system_u:object_r:virt_content_t:s0 /home/christian/Desktop/test/

After starting the virtual machine I can mount the shared filesystem, but cannot write to it:

vm$ tail -1 /etc/fstab 
test  /home/dummy/vtest  9p trans=virtio,nofail,exec,noauto,user 0 0

vm$ mount ~/vtest/
vm$ mount | grep vtest
test on /home/dummy/vtest type 9p (rw,nosuid,nodev,noexec,relatime,sync,dirsync,access=client,trans=virtio,user=dummy)

vm$ ls -ld vtest
drwxr-x--- 1 dummy dummy 2 Jun 19 14:26 vtest

vm$ touch vtest/1
touch: cannot touch 'vtest/1': Permission denied

When setting SELinux to permissive mode (via setenforce 0), the write attempt works and I can see the following on the host’s syslog:

Jun 19 16:26:04 horus dbus-broker-launch[2577]: avc:  op=setenforce lsm=selinux enforcing=0 res=1
Jun 19 16:26:05 horus audit[214949]: AVC avc:  denied  { add_name } for  pid=214949 comm="worker" name="1" scontext=unconfined_u:unconfined_r:svirt_t:s0:c259,c799 tcontext=system_u:object_r:virt_content_t:s0 tclass=dir permissive=1
Jun 19 16:26:05 horus audit[214949]: AVC avc:  denied  { create } for  pid=214949 comm="worker" name="1" scontext=unconfined_u:unconfined_r:svirt_t:s0:c259,c799 tcontext=unconfined_u:object_r:virt_content_t:s0 tclass=file permissive=1
Jun 19 16:26:05 horus audit[214949]: AVC avc:  denied  { setattr } for  pid=214949 comm="worker" name="1" dev="dm-0" ino=952802 scontext=unconfined_u:unconfined_r:svirt_t:s0:c259,c799 tcontext=unconfined_u:object_r:virt_content_t:s0 tclass=file permissive=1

So, clearly the write was denied by SELinux. Short of disabling SELinux altogether, I was wondering if someone has an idea on how to fix this.

I did try to set the SELinux context explicitly on the host:

$ sudo semanage fcontext -a -t virt_content_t "/home/christian/Desktop/test(/.*)?"
$ sudo restorecon -vFR ~/Desktop/test/
Relabeled /home/christian/Desktop/test from unconfined_u:object_r:user_home_t:s0 to system_u:object_r:virt_content_t:s0

…but this did not help. This is a freshly installed Fedora 38 machine, no local SELinux policies have been loaded.

It should work using svirt_home_t:
Virt-manager and shared folder host/guest permission issue? - #5 by vgaetera

That did the trick indeed:

sudo semanage fcontext -d -t virt_content_t "/home/christian/Desktop/test(/.*)?"
sudo semanage fcontext -a -t svirt_home_t   "/home/christian/Desktop/test(/.*)?"
sudo restorecon -vFR ~/Desktop/test/

And then write access from within the VM worked just fine. Thanks for the hint @vgaetera, for the second time now! :smiley:
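As an added example (not part of the thread), here is a small POSIX shell helper that summarises AVC denials like the ones quoted in the first post and flags the read-only virt_content_t label that the svirt_home_t relabel above fixes, so the cause can be confirmed from the host audit log before any policy or label change. The audit lines are the three from the thread embedded as a constructed sample; the function names are my own.

```shell
#!/bin/sh
# Added example: triage SELinux AVC denials for a libvirt shared directory.
# Sample constructed from the three audit lines quoted in the thread.
AVC_SAMPLE='Jun 19 16:26:05 horus audit[214949]: AVC avc:  denied  { add_name } for  pid=214949 comm="worker" name="1" scontext=unconfined_u:unconfined_r:svirt_t:s0:c259,c799 tcontext=system_u:object_r:virt_content_t:s0 tclass=dir permissive=1
Jun 19 16:26:05 horus audit[214949]: AVC avc:  denied  { create } for  pid=214949 comm="worker" name="1" scontext=unconfined_u:unconfined_r:svirt_t:s0:c259,c799 tcontext=unconfined_u:object_r:virt_content_t:s0 tclass=file permissive=1
Jun 19 16:26:05 horus audit[214949]: AVC avc:  denied  { setattr } for  pid=214949 comm="worker" name="1" dev="dm-0" ino=952802 scontext=unconfined_u:unconfined_r:svirt_t:s0:c259,c799 tcontext=unconfined_u:object_r:virt_content_t:s0 tclass=file permissive=1'

# Reduce each denial to "perm source_type target_type class".
# Lines with permissive=1 are kept: they show what enforcing mode would block.
summarize_avc() {
    printf '%s\n' "$1" |
        grep 'avc: *denied' |
        sed -E 's/.*\{ ([a-z_]+) \}.*scontext=[^:]+:[^:]+:([a-z_]+):.*tcontext=[^:]+:[^:]+:([a-z_]+):.*tclass=([a-z_]+).*/\1 \2 \3 \4/'
}

# Print the target type when an svirt_t process (the qemu/virtiofs worker)
# was denied a write-class permission on virt_content_t, the type the policy
# treats as read-only guest content. Exit status 1 when no such denial exists.
find_readonly_share_type() {
    summarize_avc "$1" | awk '
        $2 == "svirt_t" && $3 == "virt_content_t" &&
        $1 ~ /^(add_name|create|setattr|write|remove_name|unlink)$/ { hit = $3 }
        END { if (hit) { print hit; exit 0 }; exit 1 }'
}

# Host-side check; the relabel itself is the svirt_home_t semanage/restorecon
# sequence shown in the thread and is not repeated here.
if find_readonly_share_type "$AVC_SAMPLE" >/dev/null; then
    echo "share is labelled virt_content_t (read-only for guests); relabel to svirt_home_t"
fi
```

Feed it real data with `summarize_avc "$(sudo ausearch -m avc -ts recent)"` on the host; the awk filter only reacts to the svirt_t/virt_content_t write pattern, so unrelated denials pass through the summary untouched.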