
I am trying to set up a shared folder using the 9p protocol for a kvm/qemu VM that runs on the user session (so the qemu process runs as me, not as root). Mounting the shared folder in the guest works fine, I can see and read all files, but I cannot create new or change existing files. This results simply in "permission denied" as if I had no write permissions to the files, although ls -l in the guest confirms I should.

I know it is a SELinux labelling problem on the host. When I set SELinux to permissive mode using setenforce 0, creating and changing files works fine. I also figured out I need to set an appropriate label for the shared folder on the host. What I cannot figure out is what the correct label is. I seem to be missing the correct label, and I also believe MCS is playing a role here.

What I currently have:

[root@host]# semanage fcontext -l |grep simon
/home/simon/Documents/shared_folder(/.*)? all files          unconfined_u:object_r:virt_content_t:s0 

Here's what the qemu process has:

[simon@host]$ ps -elfyZ|grep qemu
unconfined_u:unconfined_r:svirt_t:s0:c317,c827 S simon 12347 3560  1 80 0 552552 2413575 - 10:11 ?      00:00:15 /usr/bin/qemu-system-x86_64 -name guest=debian10-dev_default... (lots of flags)

On the guest I have:

vagrant@debian-10:/vagrant$ whoami
vagrant

vagrant@debian-10:/vagrant$ ls -la /vagrant
total 24
drwxrwxr-x  3 vagrant vagrant 4096 Feb 13 09:12 .
drwxr-xr-x 20 root    root    4096 Jan 31 19:26 ..
drwxrwxr-x  4 vagrant vagrant 4096 Jan 22 16:20 .vagrant
-rw-rw-r--  1 vagrant vagrant 1186 Feb 13 09:10 Vagrantfile

vagrant@debian-10:/vagrant$ mount | grep 9p
4ef5af6232a6a6d0dbdc1b2b9199253 on /vagrant type 9p (rw,relatime,sync,dirsync,access=1000,trans=virtio)

User ID 1000 is simon's user ID on the host. The host runs Fedora Workstation 32, the guest is Debian 10.

Any help is greatly appreciated!

Simon
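
An added example, not part of the post above and not code from any project: it parses the two SELinux contexts quoted in the question and checks whether the qemu process's MCS level dominates the shared folder's, so a category mismatch can be told apart from a difference in type. The function names, the dominance rule used (the process's categories must include the file's) and the `OTHER_VM` label are assumptions made for this example.

```python
# Added example: compare the SELinux contexts quoted in the question.
from typing import NamedTuple


class Context(NamedTuple):
    user: str
    role: str
    type: str
    sensitivity: int
    categories: frozenset


def expand_categories(spec: str) -> frozenset:
    """Expand 'c317,c827' or a range such as 'c0.c3' into category numbers."""
    cats = set()
    for part in filter(None, spec.split(",")):
        low, _, high = part.partition(".")
        first = int(low[1:])
        last = int(high[1:]) if high else first
        cats.update(range(first, last + 1))
    return frozenset(cats)


def parse_context(text: str) -> Context:
    """Parse 'user:role:type:level'; for a 'low-high' range keep the high level."""
    user, role, type_, level = text.strip().split(":", 3)
    level = level.split("-")[-1]          # assumption: compare on the high level
    sens, _, cats = level.partition(":")
    return Context(user, role, type_, int(sens[1:]), expand_categories(cats))


def compare(process_ctx: str, file_ctx: str) -> dict:
    """Report the type pair and whether the process level dominates the file level."""
    proc, obj = parse_context(process_ctx), parse_context(file_ctx)
    missing = obj.categories - proc.categories
    return {
        "type_pair": (proc.type, obj.type),
        "missing_categories": sorted(missing),
        # Assumed MCS rule: same-or-higher sensitivity and a superset of categories.
        "mcs_dominates": proc.sensitivity >= obj.sensitivity and not missing,
    }


# Contexts copied from the question.
QEMU = "unconfined_u:unconfined_r:svirt_t:s0:c317,c827"
SHARE = "unconfined_u:object_r:virt_content_t:s0"
# Constructed counter-case: a file carrying categories the process does not hold.
OTHER_VM = "system_u:object_r:svirt_image_t:s0:c12,c900"

if __name__ == "__main__":
    for label in (SHARE, OTHER_VM):
        print(label, compare(QEMU, label))
```

For the contexts in the question the folder's level `s0` carries no categories, so the dominance check passes and the `svirt_t`/`virt_content_t` type pair is what remains to check against the AVC denials in the audit log.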

0 Answers