Sharing a folder between a host and a guest can be a bit of a headache in Fedora or Red Hat Linux. In this article I demonstrate how to set up a shared folder with SELinux enabled.
For this article I will be using Fedora 29 as the host system and Kali Linux as the guest system.
There are four major steps to be done:
- Configure the virtual machine with a shared folder
- Set the SELinux context for the shared folder
- Create a group and add the current user and the QEMU user to it
- Mount the shared folder in your guest system
1. Configure the virtual machine with a shared folder
First, configure and install your virtual machine.
Then open your terminal or a file manager and create the folder which you want to share. In this example, I have decided to put the shared folder into my user’s home folder and call it “kvmshare”.
Next, open the Virtual Machine Manager app, open your virtual machine’s settings and add a device.
- Choose “filesystem”
- Select type “mount”
- Select driver “Path”
- Select mode “Squash”
- Leave the write policy at “default”
- Set the source path to your shared folder on your host machine, here in my example “/home/<username>/kvmshare”
- In destination path define how the device will be called on your host machine. I chose to call it “kvmshare” as well
Save your settings by pressing “Finish”. If you try to start your machine now, you will get a “permission denied” error message. I will show how to fix this problem next.
2. Set the SELinux context for the shared folder
If your system has SELinux enabled, which is a good idea if you take security seriously, it prevents processes such as the virtualization process (qemu) from accessing resources outside their own context. Without proper setup, qemu will try to access a folder that is in the host user’s context, and SELinux will deny that access.
Here is an example of what the default context for a newly created folder (test) looks like:
ls -lZd test
drwxrwxr-x. 2 <username> <username> unconfined_u:object_r:user_home_t:s0 4,0K 26. Jan 22:14 test
The term label is used for the SELinux context of a file or other object on a system. The label of the folder in this context is “user_home_t”.
To find the label that defines the right context for qemu, you can consult the Red Hat Enterprise Linux Documentation, Chapter “sVirt Labeling”. It gives you an overview of the available labels.
The label we are looking for is “svirt_image_t”. The commands to set the context of the shared folder on the host are:
sudo semanage fcontext -a -t svirt_image_t "/home/<username>/kvmshare(/.*)?"
restorecon /home/<username>/kvmshare
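If you want to undo the context change, delete the rule and restore the default label with the commands below. Use the lowercase -d option, which deletes only the given rule; the uppercase -D option removes all local file context customizations on the system.
sudo semanage fcontext -d "<a folder here>(/.*)?"
restorecon <a folder here>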
3. Create a group and add the current user and the QEMU user to it
After setting up the shared folder’s SELinux context, you might want to make sure that both the host user and the qemu user can write into it. This can be done by putting both users into a new group.
To add a new group called “kvmshare” and to put both users into it, type:
sudo groupadd kvmshare
sudo gpasswd -a qemu kvmshare
sudo gpasswd -a <username> kvmshare
Read more details about adding users to a group in the Red Hat Enterprise Linux documentation, Chapter 3.5.2. ATTACHING USERS TO GROUPS.
Reboot your system now to apply the new group settings.
Next, change the owner group of the shared folder like this:
chown :kvmshare /home/<username>/kvmshare
Finally, it would be a nice touch if all files and folders in the shared folder (no matter which group member created them) belonged to the group “kvmshare”. This can be done by setting the setgid bit on the folder:
chmod 2770 /home/<username>/kvmshare
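To confirm that steps 2 and 3 took effect on the host, the following added example (not part of the original article) checks a folder's SELinux type, owner group and mode against the values used above. The function names are made up for this example, and it assumes GNU stat, whose %C format prints the SELinux context.

```shell
#!/bin/sh
# Added example: audit the host-side share folder against the article's values
# (type svirt_image_t, group kvmshare, mode 2770). Function names are made up.

# Print the type field (third colon-separated field) of an SELinux context.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# check_share CONTEXT MODE GROUP
# Prints one finding per line; returns 0 only when nothing is wrong.
check_share() {
    ctx=$1; mode=$2; group=$3; rc=0
    setype=$(selinux_type "$ctx")
    if [ "$setype" != "svirt_image_t" ]; then
        echo "selinux type is '$setype', expected svirt_image_t"; rc=1
    fi
    if [ "$group" != "kvmshare" ]; then
        echo "group is '$group', expected kvmshare"; rc=1
    fi
    # A four-digit octal mode carries the special bits in its first digit;
    # setgid is the 2 bit of that digit. Three digits means no special bits.
    case $mode in
        ????) special=${mode%???} ;;
        *)    special=0 ;;
    esac
    case $special in
        2|3|6|7) ;;
        *) echo "setgid bit not set (mode $mode)"; rc=1 ;;
    esac
    # Mode 2770 gives "others" nothing, so the last digit must be 0.
    other=${mode#"${mode%?}"}
    if [ "$other" != "0" ]; then
        echo "folder is accessible to others (mode $mode)"; rc=1
    fi
    return $rc
}

# audit_path DIR: read the live values with GNU stat
# (%C = SELinux context, %a = octal mode, %G = group name).
audit_path() {
    set -- $(stat -c '%C %a %G' "$1")
    check_share "$1" "$2" "$3"
}

# Usage: sh audit.sh /home/<username>/kvmshare
if [ "$#" -gt 0 ]; then
    audit_path "$1" && echo "share folder looks as configured"
fi
```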
4. Mount the shared folder in your guest system
In your guest system, create a folder on which you would like to mount your shared folder (here: “/home/<someuser>/kvmshare”).
Then mount the kvmshare device (you defined its name as “target path” in the virtual machine management earlier) on this folder:
mount -t 9p -o trans=virtio,version=9p2000.L kvmshare /home/<someuser>/kvmshare