Virt-manager and shared folder host/guest permission issue?

cltnt · December 9, 2020, 11:08pm

Hi guys. I am using Fedora 33 with virt-manager/qemu/libvirt. I have few Linux guests, but all of them have same issue with sharing the folder on host with the guest. It seems that SELinux is causing these problems. I will write in short the performed steps:

The folder I want to share is located in my $HOME/Downloads.
I add it using virt-manager interface as new filesystem (tried both - mapped and squash). When I try to start VM I get the long error reported. Pastebin link below:

https://pastebin.com/wKaQra8v

At the same time with this error, SELinux reports an issue and makes proposal of following solution when clicked on Troubleshoot:

You need to change the label on vmshared’
semanage fcontext -a -t virt_image_t ‘vmshared’
restorecon -v ‘vmshared’
I perform it as suggested, but again the same issue remains and SELinux again reports the same.
Permissions: tried them all, including chmod-ing the folder with 777 and putting it in libvirt group.

I read about Samba solution, did not try it and would like to skip it.

Thank you for your effort.

vgaetera · December 13, 2020, 5:04am

The context svirt_home_t seems to be working.

Libvirt virt-manager filesystem mode passthrough unavailable

cltnt · December 11, 2020, 9:50pm

Thank you very much @vgaetera.

I used the link you provided, but the only change that allowed me to launch VM and avoid warnings was to modify security line to “none” instead of default/set “selinux” in /etc/libvirt/qemu.conf.

Now I have an issue to mount the shared folder on guest. Either I do not understand or I am too tired at the moment. Modules 9p (_virtio and others) are loaded on guest. When I try:

mount -t 9p -o trans=virtio [mount tag] [mount point] -oversion=9p2000.L

In my case: source path parameter (in virt-manager) is $HOME/Download/shared and target path is /media/fshared. Whichever combo I try, it reports that such mount point/directory does not exist.

vgaetera · December 15, 2020, 9:24pm

This way works for me:

sudo mkdir -p /mnt/shared
sudo chmod -R a+rwX /mnt/shared
sudo semanage fcontext -a -t svirt_home_t "/mnt/shared(/.*)?"
sudo restorecon -R /mnt/shared
tee fs.xml << EOF > /dev/null
<filesystem type='mount' accessmode='mapped'>
<source dir='/mnt/shared'/>
<target dir='shared'/>
</filesystem>
EOF
virsh shutdown vm
virsh attach-device vm fs.xml --config
virsh start vm
ssh vm
sudo mkdir -p /mnt/shared
sudo tee -a /etc/fstab << EOF > /dev/null
shared /mnt/shared 9p trans=virtio 0 0
EOF
sudo mount -a

cltnt · December 13, 2020, 11:35pm

@vgaetera Thank you very much, really appreciate your effort.

It works now, but again there were selinux issues (same error as before), however with line “security-driver” set to “none” in /etc/libvirt/qemu.conf VM boots and this works flawlessly.

vgaetera · December 14, 2020, 3:41am

Can you post the related AVC message and SELinux context?

journalctl --no-pager -g avc
ls -l -d -Z /shared/dir
sudo semanage fcontext -l | grep -e /shared/dir

cltnt · December 14, 2020, 10:10pm

$ sudo journalctl --no-pager -g avc
Dec 14 23:07:25 muffley audit[4397]: AVC avc: denied { read } for pid=4397 comm=“qemu-system-x86” name=“shared” dev=“dm-1” ino=921433 scontext=system_u:system_r:svirt_t:s0:c324,c370 tcontext=unconfined_u:object_r:virt_image_t:s0 tclass=dir permissive=0
Dec 14 23:07:30 muffley sudo[4468]: kuki : TTY=pts/0 ; PWD=/home/kuki ; USER=root ; COMMAND=/usr/bin/journalctl --no-pager -g avc

$ ls -l -d -Z /shared/dir
drwxrwxrwx. 2 kuki libvirt unconfined_u:object_r:virt_image_t:s0 4096 Dec 14 00:36 Downloads/shared//

$ sudo semanage fcontext -l | grep -e shared
/home/kuki/Downloads/shared all files system_u:object_r:virt_image_t:s0
/home/kuki/Downloads/shared(/.)? all files system_u:object_r:svirt_home_t:s0
/usr/lib/systemd/libsystemd-shared-[0-9]+.so. regular file system_u:object_r:lib_t:s0
vmshared all files system_u:object_r:svirt_image_t:s0

vgaetera · December 15, 2020, 9:24pm

sudo semanage fcontext -d -t virt_image_t /home/kuki/Downloads/shared
sudo restorecon -R /home/kuki/Downloads/shared
ls -l -d -Z /home/kuki/Downloads/shared

cltnt · December 15, 2020, 9:28pm

$ ls -l -d -Z /home/kuki/Downloads/shared
drwxrwxrwx. 2 kuki libvirt unconfined_u:object_r:svirt_home_t:s0 4096 Dec 15 22:23 /home/kuki/Downloads/shared/

Yeap, this definetely solved it. Now it works without qemu.conf modification. Kudos and thank you very much.

system · January 12, 2021, 9:28pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.