SELinux: Correct way to install mount/automount units

muttmanor · May 3, 2026, 9:29am

Hello all,
I’m using mount/automount units to mount the SMB shares of my NAS. I reinstalled F44 and did my post-install chores, e.g. put the unit files in place:

jpo@fedora-strix ~> ls -l /etc/systemd/system/nas-*
-rw-r--r--. 1 root root 171 25. Jul 2025  /etc/systemd/system/nas-backup.automount
-rw-r--r--. 1 root root 247 26. Jul 2025  /etc/systemd/system/nas-backup.mount
-rw-r--r--. 1 root root 168  7. Feb 18:01 /etc/systemd/system/nas-music.automount
-rw-r--r--. 1 root root 243  7. Feb 17:52 /etc/systemd/system/nas-music.mount
-rw-r--r--. 1 root root 171 14. Dez 18:55 /etc/systemd/system/nas-photos.automount
-rw-r--r--. 1 root root 244 14. Dez 18:54 /etc/systemd/system/nas-photos.mount
-rw-r--r--. 1 root root 168 26. Jul 2025  /etc/systemd/system/nas-video.automount
-rw-r--r--. 1 root root 243  7. Feb 18:00 /etc/systemd/system/nas-video.mount

This didn’t initially work, because SELinux prevented systemd from reading the unit files. Everything worked as expected with sudo setenforce permissive, but failed with sudo setenforce Enforcing. I kind of solved the issue by doing

ausearch -c 'systemd' --raw | audit2allow -M my-systemd
semodule -i my-systemd.pp

But this doesn’t feel right. So: Is this the correct way? If not, what is the correct way of doing this?

Thanks in advance

muttmanor · May 3, 2026, 10:05am

Replying to myself here. I did some more research and did this: chcon -t systemd_unit_file_t nas-*

Now systemd can read the unit files, but the documentation says, that this might not be enough:

The chcon command changes the SELinux context for files. However, changes made with the chcon command do not survive a file system relabel, or the execution of the restorecon command

grumpey · May 3, 2026, 11:16am

You’ll need to use semanage
For reference:

richiedaze · May 3, 2026, 11:19am

Did you create those unit files in another directory then moved them there?

vgaetera · May 3, 2026, 11:51am

This is what you should start with:

sudo restorecon -v -R /etc/systemd

If the issue persists, proceed with inspecting the output:

journalctl -b -g avc | audit2allow

muttmanor · May 3, 2026, 12:27pm

Thank you.

I’m not sure that did anything. It worked after my chcon changes (e.g. chcon -t systemd_unit_file_t nas-*), so for now the problem is kind of solved, I’m just not sure it’s solved correctly.

Here is the state AFTER sudo restorecon -v -R /etc/systemd

jpo@fedora-strix /e/s/system> ls -lZ /etc/systemd/system/nas-*
-rw-r--r--. 1 root root unconfined_u:object_r:systemd_unit_file_t:s0 171 25. Jul 2025  /etc/systemd/system/nas-backup.automount
-rw-r--r--. 1 root root unconfined_u:object_r:systemd_unit_file_t:s0 247 26. Jul 2025  /etc/systemd/system/nas-backup.mount
-rw-r--r--. 1 root root unconfined_u:object_r:systemd_unit_file_t:s0 168  7. Feb 18:01 /etc/systemd/system/nas-music.automount
-rw-r--r--. 1 root root unconfined_u:object_r:systemd_unit_file_t:s0 243  7. Feb 17:52 /etc/systemd/system/nas-music.mount
-rw-r--r--. 1 root root unconfined_u:object_r:systemd_unit_file_t:s0 171 14. Dez 18:55 /etc/systemd/system/nas-photos.automount
-rw-r--r--. 1 root root unconfined_u:object_r:systemd_unit_file_t:s0 244 14. Dez 18:54 /etc/systemd/system/nas-photos.mount
-rw-r--r--. 1 root root unconfined_u:object_r:systemd_unit_file_t:s0 168 26. Jul 2025  /etc/systemd/system/nas-video.automount
-rw-r--r--. 1 root root unconfined_u:object_r:systemd_unit_file_t:s0 243  7. Feb 18:00 /etc/systemd/system/nas-video.mount

which looks not different.

muttmanor · May 3, 2026, 12:29pm

I tried that and got

semanage fcontext -a -t systemd_unit_file_t /etc/systemd/system/nas-backup.automount
ValueError: File spec /etc/systemd/system/nas-backup.automount conflicts with equivalency rule '/etc/systemd/system /usr/lib/systemd/system'; Try adding '/usr/lib/systemd/system/nas-backup.automount' instead

muttmanor · May 3, 2026, 12:33pm

Yes. They are from my “post-install chores” backup.

richiedaze · May 3, 2026, 9:02pm

You gotta use the -Z option.
cp -Z ~/.local/bin/post-install/nas-* /etc/systemd/system/
So that the labels change to the destination directory default label.

plautrba · May 4, 2026, 7:32am

Mutt Manor notifications@fedoraproject.discoursemail.com writes:

I tried that and got

semanage fcontext -a -t systemd_unit_file_t /etc/systemd/system/nas-backup.automount
ValueError: File spec /etc/systemd/system/nas-backup.automount conflicts with equivalency rule '/etc/systemd/system /usr/lib/systemd/system'; Try adding '/usr/lib/systemd/system/nas-backup.automount' instead

Have you noticed the “Try adding ‘/usr/lib/systemd/system/nas-backup.automount’ instead”
message?

It means you should try:

semanage fcontext -a -t systemd_unit_file_t /usr/lib/systemd/system/nas-backup.automount

Topic		Replies	Views
SELinux mount context causes Systemd issue Ask Fedora	8	1541	May 18, 2019
New to Fedora Workstation: Some questions regarding SELinux Ask Fedora selinux , workstation	3	333	June 3, 2024
SELinux denials for systemd processes Project Discussion silverblue-team	12	2800	September 2, 2020
Incredibly long sudo delays, lockscreen freezes because of failing systemd units Ask Fedora f32 , pam , systemd , gnome , desktop	18	2016	October 1, 2020
How to set SELinux default labels to a mount? Ask Fedora selinux , coreos , fcos	3	814	June 25, 2025

SELinux: Correct way to install mount/automount units

Related topics