diff --git a/crates/kit/src/credentials.rs b/crates/kit/src/credentials.rs
index c66f86b..c9df7e1 100644
--- a/crates/kit/src/credentials.rs
+++ b/crates/kit/src/credentials.rs
@@ -37,12 +37,12 @@ pub fn guest_path_to_unit_name(guest_path: &str) -> String {
 /// Creates a systemd mount unit that mounts a virtiofs filesystem at the specified
 /// guest path. The unit is configured to:
 /// - Mount type: virtiofs
-/// - Options: Include readonly flag if specified
-/// - TimeoutSec=10: Fail quickly if mount hangs instead of blocking boot
-/// - DefaultDependencies=no to avoid ordering cycles
-/// - Before=local-fs.target and After=systemd-remount-fs.service
+/// - Options: Include readonly flag if specified, plus SELinux context for RO mounts
+/// - Before=remote-fs.target to integrate with standard systemd mount ordering
 ///
-/// Note: systemd automatically creates mount point directories, so DirectoryMode is not needed
+/// We use remote-fs.target rather than local-fs.target because virtiofs is
+/// conceptually similar to a "remote" filesystem - it requires virtio transport
+/// infrastructure to be available, similar to how NFS requires network.
 ///
 /// Returns the complete unit file content as a string
 pub fn generate_virtiofs_mount_unit(
@@ -63,10 +63,7 @@ pub fn generate_virtiofs_mount_unit(
 "[Unit]\n\
 Description=Mount virtiofs tag {tag} at {path}\n\
 ConditionPathExists=!/etc/initrd-release\n\
- DefaultDependencies=no\n\
- Conflicts=umount.target\n\
- Before=local-fs.target umount.target\n\
- After=systemd-remount-fs.service\n\
+ Before=remote-fs.target\n\
 \n\
 [Mount]\n\
 What={tag}\n\
diff --git a/crates/kit/src/libvirt/run.rs b/crates/kit/src/libvirt/run.rs
index 2353cf6..a466c60 100644
--- a/crates/kit/src/libvirt/run.rs
+++ b/crates/kit/src/libvirt/run.rs
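Review bot: The rewritten bullet list on generate_virtiofs_mount_unit no longer mentions default dependencies, although dropping `DefaultDependencies=no` in the next hunk is the larger behavioural change; the unit now relies on systemd's implicit mount-unit dependencies, including the umount.target conflict that used to be written out. I would add a bullet such as `/// - Default dependencies are left enabled; the umount.target conflict and shutdown ordering come from systemd`. The new "SELinux context for RO mounts" wording names no mount option and the code that sets it is outside this hunk, so stating the exact option (or where it is chosen) would let a reader check the labelling. The TimeoutSec bullet was also removed, and whether the [Mount] section still sets it cannot be seen from here.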
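Review bot: Removing `DefaultDependencies=no` while adding only `Before=remote-fs.target` may not take this mount out of local-fs ordering. As far as I know systemd classifies a mount as local or network from its filesystem type or a `_netdev` option, and virtiofs is not on its network list, so the unit would probably also receive an implicit `Before=local-fs.target` and `After=local-fs-pre.target`. That contradicts the doc comment above, and it is the configuration the deleted "DefaultDependencies=no to avoid ordering cycles" bullet was written to avoid, so the cycle that motivated it should be re-tested. I would confirm in a guest with `systemctl show -p After,Before <unit>` and record the outcome in a comment above the format string, e.g. `// Default deps on purpose: systemd supplies the umount.target conflict and fs-target ordering.` The format! call starts and ends outside this hunk, so Options and the rest of [Mount] are not visible.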
@@ -1244,14 +1244,15 @@ fn create_libvirt_domain_from_disk(
 );
 }

- // Create a single dropin for local-fs.target that wants all mount units
- // This must be done AFTER all mount units have been added (including bind-storage-ro)
+ // Create a dropin for remote-fs.target that wants all virtiofs mount units.
+ // We use remote-fs.target because virtiofs is conceptually similar to a remote
+ // filesystem - it requires virtio transport infrastructure, like NFS needs network.
 if !mount_unit_names.is_empty() {
 let wants_list = mount_unit_names.join(" ");
 let dropin_content = format!("[Unit]\nWants={}\n", wants_list);
 let encoded_dropin = data_encoding::BASE64.encode(dropin_content.as_bytes());
 let dropin_cred = format!(
- "io.systemd.credential.binary:systemd.unit-dropin.local-fs.target~bcvk-mounts={encoded_dropin}"
+ "io.systemd.credential.binary:systemd.unit-dropin.remote-fs.target~bcvk-mounts={encoded_dropin}"
 );
 smbios_creds.push(dropin_cred);
 }
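Review bot: The replacement comment drops the invariant the old one recorded, that this drop-in must be built only after every mount unit, including bind-storage-ro, has been pushed to `mount_unit_names`; the code still depends on it because `wants_list` is a snapshot taken at this point. I would keep a line such as `// Must run after all mount units (including bind-storage-ro) are in mount_unit_names.` Separately, `Wants=` is a weak dependency, so a virtiofs mount that fails still lets remote-fs.target be reached and guest services would see the bare mount-point directory instead of the share. Consumers that must not run without it need `RequiresMountsFor=` on their side, and that expectation deserves a sentence in the comment. The enclosing function starts and ends outside the hunk.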