I have a CentOS 7 domain defined in libvirt. One device I have attached is a <filesystem> device, exporting /home on my host as a mount tag in the guest.
<filesystem type='mount' accessmode='passthrough'>
<source dir='/home'/>
<target dir='home'/>
</filesystem>
When I start the guest, I mount the home mount tag:
home /home 9p trans=virtio,version=9p2000.L 0 0
This works at a superficial level. The filesystem mounts and I can list the directories within. However, trying to list files deeper in the hierarchy fails with “permission denied” errors. My domain has <seclabel type='dynamic'> and is labeled with the svirt_t type. My guest is running SELinux in permissive mode. The mounted filesystem is typed as nfs_t (presumably because it is a remote volume). When I change the type of my home directory from user_home_t to nfs_t, I can list the contents from within the guest.
Can I force the guest to respect the labels on the volume as they exist on the host instead of getting every file labeled as type nfs_t?