
[Qemu-discuss] SELinux denying qemu-kvm mounted storage pool access


From: Wesley Holevinski
Subject: [Qemu-discuss] SELinux denying qemu-kvm mounted storage pool access
Date: Wed, 19 Mar 2014 18:21:49 +0000

Hi,

My problem is as follows:

Trying to run virt-install against an image stored on a separately mounted disk results in "could not open disk image /var/lib/libvirt/images/autowin32.qcow2: Permission denied"

My mount point for /dev/sdb is /var/lib/libvirt/images.  I mount with the _exact_ same context that the directory has prior to mounting.  (Also, don't panic about the -t ocfs2; it's a local ocfs2, so there's no clustering or network at play here. AFAIK it can be treated like ext4)

Pre-mount:

  drwxr-xr-x. root root unconfined_u:object_r:virt_image_t:s0 images

Mount command:

  mount /dev/sdb /var/lib/libvirt/images/ -t ocfs2 -o data="">

Post-mount:

  drwxr-xr-x. root root unconfined_u:object_r:virt_image_t:s0 images

Image files pre and post mount as well:

  Pre-mount (virt-install will work fine here):

    qemu-img create -f qcow2 -o preallocation=metadata /var/lib/libvirt/images/autowin32.qcow2 10000m
    -rw-r--r--. root root unconfined_u:object_r:virt_image_t:s0 autowin32.qcow2

  Post-mount:

    qemu-img create -f qcow2 -o preallocation=metadata /var/lib/libvirt/images/autowin32.qcow2 10000m
    -rw-r--r--. root root unconfined_u:object_r:virt_image_t:s0 autowin32.qcow2

From the post-mount scenario, while trying to virt-install, I'll get:

  qemu-kvm: -drive file=/var/lib/libvirt/images/autowin32.qcow2,if=none,id=drive-ide0-0-0,format=qcow2,cache=none: could not open disk image /var/lib/libvirt/images/autowin32.qcow2: Permission denied

Setting SELinux to permissive will allow this, but you'll still see various avc-denies in the logs:

  type=AVC msg=audit(1395279890.238:1020): avc:  denied  { read } for  pid=4952 comm="qemu-kvm" name="autowin32.qcow2" dev=sdb ino=563715 scontext=system_u:system_r:svirt_t:s0:c195,c926 tcontext=system_u:object_r:virt_image_t:s0 tclass=file
  type=AVC msg=audit(1395279890.238:1020): avc:  denied  { open } for  pid=4952 comm="qemu-kvm" name="autowin32.qcow2" dev=sdb ino=563715 scontext=system_u:system_r:svirt_t:s0:c195,c926 tcontext=system_u:object_r:virt_image_t:s0 tclass=file

etc etc...

I've also tried manually adding labels with semanage and doing a restorecon on the proper paths after mounting the 2nd drive, but those yielded the same error.

Does anyone have experience with a similar situation?  Am I missing something when setting the context of the second drive?

Relevant versions:

libvirt-0.10.2-29.el6_5.5.x86_64
qemu-kvm-0.12.1.2-2.415.el6_5.6.x86_64
selinux-policy-3.7.19-231.el6.noarch
selinux-policy-targeted-3.7.19-231.el6.noarch

Thanks!
Wes
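
Added example, not part of the original message: a Python script that parses the two AVC records quoted above, merges them per process and file, and compares the target file's label with the guest process's label. It assumes libvirt's dynamic sVirt labelling, where a running guest's image carries the type svirt_image_t and the guest's category pair; the function names are hypothetical.

```python
import re
from collections import defaultdict

# The two AVC records quoted in the message above (they differ only in the permission).
_REC = ('type=AVC msg=audit(1395279890.238:1020): avc:  denied  { %s } for  '
        'pid=4952 comm="qemu-kvm" name="autowin32.qcow2" dev=sdb ino=563715 '
        'scontext=system_u:system_r:svirt_t:s0:c195,c926 '
        'tcontext=system_u:object_r:virt_image_t:s0 tclass=file')
AVC_LINES = [_REC % "read", _REC % "open"]

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_context(ctx):
    """Split user:role:type:level; category ranges (c0.c1023) are not expanded."""
    user, role, setype, level = ctx.split(":", 3)
    sens, _, cats = level.partition(":")
    return {"type": setype, "sens": sens,
            "cats": frozenset(cats.split(",")) if cats else frozenset()}

def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    return rec

def summarize(lines):
    """Merge denials per (pid, file, contexts) and compare source and target labels."""
    merged = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        key = (rec["pid"], rec.get("name") or rec.get("path"), rec["scontext"], rec["tcontext"])
        merged[key].update(rec["perms"])
    rows = []
    for (pid, name, sctx, tctx), perms in merged.items():
        s, t = split_context(sctx), split_context(tctx)
        rows.append({
            "pid": int(pid), "name": name, "perms": sorted(perms),
            "source_type": s["type"], "target_type": t["type"],
            "guest_cats": sorted(s["cats"]), "target_cats": sorted(t["cats"]),
            # Assumption: a running guest's image is svirt_image_t with the guest's categories.
            "target_has_guest_label": t["type"] == "svirt_image_t" and t["cats"] == s["cats"],
        })
    return rows

if __name__ == "__main__":
    for row in summarize(AVC_LINES):
        print(row)
```

On the records from the post this yields one group for pid 4952 with permissions open and read, source type svirt_t with categories c195,c926, and target type virt_image_t with no categories.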


