SELinux type mapping 9p filesystems in guests

I have a CentOS 7 domain defined in libvirt. One device I have attached is a <filesystem> device, exporting /home on my host as a mount tag in the guest.

<filesystem type='mount' accessmode='passthrough'>
  <source dir='/home'/>
  <target dir='home'/>
</filesystem>

When I start the guest, I mount the home mount tag:

home /home 9p trans=virtio,version=9p2000.L 0 0

This works at a superficial level. The filesystem mounts and I can list the directories within. However, trying to list files deeper in the hierarchy fails with “permission denied” errors. My domain has <seclabel type='dynamic'> and is labeled with the svirt_t type. My guest is running SELinux in permissive mode. The mounted filesystem is typed as nfs_t (presumably because it is a remote volume). When I change the type of my home directory from user_home_t to nfs_t, I can list the contents from within the guest.

Can I force the guest to respect the labels on the volume as they exist on the host instead of getting every file labeled as type nfs_t?


Thank you. That does work. I don’t like the idea of relabeling my entire home directory to svirt_home_t though. I’ll have to see if I can figure out a workaround for the relabeling.


You can create a custom policy from the AVC message:
https://man.cx/audit2allow#heading5

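As an added illustration of the audit2allow route suggested in the last reply (this is not code from the thread or from the audit2allow project), the script below does by hand what audit2allow -M does: it parses AVC denial records, groups the denied permissions by source type, target type and object class, and renders a Type Enforcement module. The AVC lines are constructed for this example and assume the denial is logged on the host against the svirt_t QEMU process accessing user_home_t, which is what the relabeling result above suggests; the module name my9phome is also an assumption. On a real host the equivalent pipeline is ausearch -m avc -c qemu-kvm | audit2allow -M my9phome followed by semodule -i my9phome.pp.

```python
import re
from collections import defaultdict

# Constructed sample host-side AVC records (not from the original post). The
# guest's QEMU process runs as svirt_t and is denied access to the exported
# /home tree, which carries the user_home_t type on the host.
SAMPLE_AVC = """\
type=AVC msg=audit(1580000000.101:2001): avc:  denied  { read } for  pid=4242 comm="qemu-kvm" name="home" dev="sda1" ino=1001 scontext=system_u:system_r:svirt_t:s0:c12,c345 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1580000000.102:2002): avc:  denied  { search } for  pid=4242 comm="qemu-kvm" name="alice" dev="sda1" ino=1002 scontext=system_u:system_r:svirt_t:s0:c12,c345 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1580000000.103:2003): avc:  denied  { read open } for  pid=4242 comm="qemu-kvm" path="/home/alice/notes.txt" dev="sda1" ino=1003 scontext=system_u:system_r:svirt_t:s0:c12,c345 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1580000000.104:2004): avc:  denied  { getattr } for  pid=4242 comm="qemu-kvm" path="/home/alice/notes.txt" dev="sda1" ino=1003 scontext=system_u:system_r:svirt_t:s0:c12,c345 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1580000000.104:2004): arch=c000003e syscall=4 success=no exit=-13 comm="qemu-kvm"
"""

# Pull the denied permission set, both contexts and the object class out of
# one AVC record. Non-AVC records (SYSCALL, CWD, ...) simply do not match.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field (user:role:TYPE[:level]) of an SELinux context."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Map (source_type, target_type, tclass) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return denials


def to_te(denials, module="my9phome", version="1.0"):
    """Render a .te module in the same shape audit2allow -M writes out."""
    types = sorted({t for src, tgt, _ in denials for t in (src, tgt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in denials.items():
        classes[cls].update(perms)
    out = [f"module {module} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    # One allow rule per (source, target, class); permissions are the union of
    # everything the audit log showed being denied for that triple.
    for (src, tgt, cls), perms in sorted(denials.items()):
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Writing this to my9phome.te, then checkmodule/semodule_package/semodule -i,
    # is the manual equivalent of audit2allow -M my9phome.
    print(to_te(parse_avc(SAMPLE_AVC)), end="")
```

Review the generated rules before loading them: an allow rule is keyed on types, not on a particular guest, so "allow svirt_t user_home_t" grants every svirt_t QEMU process on the host read access to every user_home_t file, which is a much wider grant than the labeling change discussed earlier in the thread. Keeping the exported directory under a type the policy already permits for svirt_t limits the exposure to that one tree.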