Fedora – How to make ACL settings on /run/media/* persistent

acl, fedora, libvirt, qemu, virt-manager

I have various virtual machines running as guests on a Fedora 25 Workstation host. I store virtual disks (and all other personal stuff) on different separate partitions on a second built-in disk. virt-manager runs the virtual machines as the qemu user and, in order to boot the disks, I need to execute:

sudo setfacl -R -m u:qemu:rwx /run/media/cl

This lets the qemu user use those virtual disks to boot the VMs. However, if I reboot the host system, the ACL settings are lost and I have to run that command again. When I am using an Ubuntu system as host, the command only needs to be run once and the permission changes survive subsequent reboots.

What can be done to make Red Hat based systems remember the modified ACL settings after reboots as Ubuntu does?

Best Answer

It's a hack, but you could just write a quick systemd service to run it on startup, perhaps in /etc/systemd/system/set-qemu-acl.service.

[Unit]
Description=QEMU ACL Hack
Requires=local-fs.target
After=local-fs.target

[Service]
ExecStart=/usr/bin/setfacl -R -m u:qemu:rwx /run/media/cl

[Install]
WantedBy=multi-user.target

Then, just enable it.

sudo systemctl enable set-qemu-acl.service

You could also just stick a line in the system cron table.

* * * * * root /usr/bin/getfacl /run/media/cl | grep 'user:qemu:rwx' || /usr/bin/setfacl -R -m u:qemu:rwx /run/media/cl

Or since you're manually mounting, a wrapper script could do it for you, maybe /usr/local/bin/mount-acl.

#!/bin/sh
# Mount the device, then grant qemu access; stop if the mount fails.
mount "$1" "$2" || exit 1
setfacl -R -m u:qemu:rwx "$2"

Then, just sudo mount-acl /dev/partition /run/media/wherever would get you where you want to go, wouldn't it?
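
An added example, not part of the original answer: the commands above give qemu rwx recursively over everything under /run/media/cl, which per the question also holds personal files. The script below computes the narrower ACL set for a single image: search-only on each ancestor directory, read/write on the image itself. The function names and the sample image path are hypothetical, and it assumes qemu needs nothing else in those directories.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes disk images live under
# /run/media/<user>/<volume>/... and the hypervisor runs as "qemu".
TAB=$(printf '\t')

# Print one "<perms><TAB><path>" line per ACL entry needed for one image:
# search-only (--x) on every ancestor directory below the root ($2),
# rw- on the image file. Nothing is modified here.
qemu_acl_plan() {
    image=$1
    root=${2:-/run/media}
    case $image in
        */|*//*|*/./*|*/../*|*/..|*/.)
            echo "refusing non-normalised path: $image" >&2; return 1 ;;
        "$root"/*) ;;
        *)  echo "refusing path outside $root: $image" >&2; return 1 ;;
    esac
    rel=${image#"$root"/}
    dir=$root
    while [ "${rel#*/}" != "$rel" ]; do   # components before the file name
        dir=$dir/${rel%%/*}
        rel=${rel#*/}
        printf '%s\t%s\n' --x "$dir"
    done
    printf '%s\t%s\n' rw- "$image"
}

# Apply the plan with setfacl (run as root, after the volume is mounted).
# $1 = image path, $2 = user to grant (defaults to qemu).
qemu_acl_apply() {
    plan=$(qemu_acl_plan "$1") || return 1
    printf '%s\n' "$plan" | while IFS=$TAB read -r perms path; do
        setfacl -m "u:${2:-qemu}:$perms" "$path" || exit 1
    done
}
```

Sourced into the mount wrapper or called from the unit's ExecStart=, `qemu_acl_apply <image>` takes the place of the recursive setfacl call.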
