Skip to content

virtiofs: Set SELinux context on readonly mounts #159

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 24, 2025
Merged

virtiofs: Set SELinux context on readonly mounts #159

merged 1 commit into from
Nov 24, 2025
+22 −8

Conversation

@cgwalters
Copy link
Collaborator

@cgwalters cgwalters commented Nov 21, 2025

Apply system_u:object_r:usr_t:s0 context to readonly virtiofs mounts to avoid SELinux denials when accessing them as container storage. This allows readonly bind mounts to work correctly with podman.

The function was renamed from generate_mount_unit to generate_virtiofs_mount_unit for clarity.

Assisted-by: Claude Code (Sonnet 4.5)

@cgwalters cgwalters mentioned this pull request Nov 21, 2025
Open
gemini-code-assist[bot]
gemini-code-assist bot reviewed Nov 21, 2025
View reviewed changes
Copy link

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces a default SELinux context for readonly virtiofs mounts to resolve issues with container storage. The change is well-contained and also includes a function rename from generate_mount_unit to generate_virtiofs_mount_unit for better clarity. My review focuses on the hardcoded SELinux context, suggesting an improvement to make it more maintainable by using a constant. Overall, this is a good improvement.

@cgwalters
virtiofs: Set SELinux context on readonly mounts
36367a3 
Apply system_u:object_r:usr_t:s0 context to readonly virtiofs mounts
to avoid SELinux denials when accessing them as container storage.
This allows readonly bind mounts to work correctly with podman.

The function was renamed from generate_mount_unit to
generate_virtiofs_mount_unit for clarity.

Assisted-by: Claude Code (Sonnet 4.5)
Signed-off-by: Colin Walters <[email protected]>
@cgwalters cgwalters force-pushed the bind-storage-ro-selinux branch from cf26e0f to 36367a3 Compare November 21, 2025 21:55
@cgwalters cgwalters enabled auto-merge (rebase) November 24, 2025 13:33
@cgwalters cgwalters merged commit a5a9c4b into bootc-dev:main Nov 24, 2025
11 of 13 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ckyrouac ckyrouac ckyrouac approved these changes

@gursewak1997 gursewak1997 Awaiting requested review from gursewak1997

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@cgwalters @ckyrouac