Bug 491245

Summary: SELinux prevented qemu-kvm from reading an LVM logical volume
Product: [Fedora] Fedora
Reporter: Robert Story <rs>
Component: virt-manager
Assignee: Daniel Berrangé <berrange>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 10
CC: berrange, crobinso, dwalsh, hbrock, jkubin, markmc, pcfe, quintela, virt-maint
Hardware: All
OS: Linux
Doc Type: Bug Fix
Clone Of: 453938
Last Closed: 2009-03-25 18:11:20 UTC

Description Robert Story 2009-03-20 01:34:32 UTC
+++ This bug was initially created as a clone of Bug #453938 +++

This bit me today on f10... virt-manager does not try to fix the lvm context, and it appears that this AVC is "don't audit"-ed, because I did not get any avcs. I just happened to search for closed bugs. At the very least, when creating a new vm via virt-manager, it should check the context and warn the user if the type isn't right. Right now, all it does is spew a python error and fail very ungracefully.

Description of problem:
> SELinux is preventing qemu-kvm (qemu_t) "getattr" to /dev/mapper/Volumes-OldWindowsBackup (fixed_disk_device_t).

Version-Release number:
virt-manager                 i386     0.6.0-5.fc10

Steps to Reproduce:
1. create a fresh LVM volume and initialize it with some file system
2. add its device file (in /dev/mapper/...) to a QEMU virtual machine as a
storage device (type 'Normal Disk Partition')
3. try to start that virtual machine
  
Actual results:
SELinux denies access as mentioned above. Virtual machine cannot start.

--- Additional comment from dwalsh on 2008-07-03 11:26:39 EDT ---

In order to get SELinux to work with qemu, you need to make sure this disk is
labeled correctly.

# semanage fcontext -a -t virt_image_t /dev/mapper/Volumes-OldWindowsBackup
# restorecon /dev/mapper/Volumes-OldWindowsBackup

Should allow you to run in enforcing mode.

Hopefully virt-manager will start doing this automatically.
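
The pre-flight check the reporter asks for (inspect the disk's label and warn before the VM is started) could look like the sketch below. This is an added example, not code from virt-manager or libvirt; the function names, the `EXPECTED_TYPES` set and the second sample device name are assumptions made for illustration, and the suggested fix is the pair of commands quoted above.

```python
import os
import shlex

# Type the thread says qemu needs on the disk; pass a different set for other policies.
EXPECTED_TYPES = frozenset({"virt_image_t"})


def parse_context(raw):
    """Split a raw security.selinux xattr value into (user, role, type, level)."""
    text = raw.decode("ascii").rstrip("\x00").strip()
    # The MLS level may itself contain ':' (e.g. s0:c1,c2), so split at most 3 times.
    parts = text.split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"not an SELinux context: {text!r}")
    user, role, setype = parts[:3]
    level = parts[3] if len(parts) == 4 else ""
    return user, role, setype, level


def read_context(path):
    """Return the raw label of path, or None if no label can be read."""
    try:
        return os.getxattr(path, "security.selinux")
    except OSError:
        return None


def check_disk_label(path, raw, expected=EXPECTED_TYPES):
    """Return (ok, message) for a disk path and its raw label."""
    if raw is None:
        return False, f"{path}: no SELinux label readable"
    setype = parse_context(raw)[2]
    if setype in expected:
        return True, f"{path}: type {setype} is acceptable"
    quoted = shlex.quote(path)
    fix = (f"semanage fcontext -a -t virt_image_t {quoted}\n"
           f"restorecon {quoted}")
    return False, f"{path}: type {setype} is not expected; as root run:\n{fix}"


if __name__ == "__main__":
    # Constructed sample labels, not output captured from a real system.
    samples = {
        "/dev/mapper/Volumes-OldWindowsBackup": b"system_u:object_r:fixed_disk_device_t:s0\x00",
        "/dev/mapper/Volumes-Guest1": b"system_u:object_r:virt_image_t:s0:c1,c2\x00",
    }
    for dev, label in samples.items():
        print(check_disk_label(dev, label)[1])
```

On a live host the label would come from `read_context(path)`; the check is kept separate from the read so the caller can warn the user instead of failing when the label is wrong or missing.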

Comment 1 Mark McLoughlin 2009-03-25 16:43:50 UTC
dwalsh: would something like your patch in #491052 be appropriate here?

Comment 2 Daniel Walsh 2009-03-25 17:21:16 UTC
No, this is a case where libvirt has to take over. A non priv user would not be allowed to set the context on the volume. You would need to be root.

libvirt in rawhide would label the device correctly and this would just work.

Comment 3 Mark McLoughlin 2009-03-25 18:11:20 UTC
Okay, sounds like this is fixed in rawhide - closing as such

Comment 4 Mark McLoughlin 2009-03-25 18:11:22 UTC
*** Bug 474182 has been marked as a duplicate of this bug. ***