Bug 506250

Summary: svirt prevents symlinks to be used in disk image paths
Product: [Fedora] Fedora
Reporter: Stefan Assmann <sassmann>
Component: libvirt
Assignee: Daniel Veillard <veillard>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 11
CC: berrange, clalance, crobinso, dwalsh, gczarcinski, hbrock, itamar, markmc, veillard, virt-maint
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-08-04 11:44:31 EDT
Bug Blocks: 480594

Description Stefan Assmann 2009-06-16 07:49:04 EDT
Description of problem:
When trying to install a new VM with Local install media selected, if the ISO image to install from is a symbolic link itself or a symbolic link is used somewhere in the path, the creation will terminate with the following errors:
Unable to complete install '<class 'libvirt.libvirtError'> internal error unable to start guest: qemu: could not open disk image /home/sassmann/extern/ISOs/Fedora-10-x86_64-DVD.iso

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/create.py", line 1501, in do_install
    dom = guest.start_install(False, meter = meter)
  File "/usr/lib/python2.6/site-packages/virtinst/Guest.py", line 541, in start_install
    return self._do_install(consolecb, meter, removeOld, wait)
  File "/usr/lib/python2.6/site-packages/virtinst/Guest.py", line 633, in _do_install
    self.domain = self.conn.createLinux(install_xml, 0)
  File "/usr/lib64/python2.6/site-packages/libvirt.py", line 974, in createLinux
    if ret is None:raise libvirtError('virDomainCreateLinux() failed', conn=self)
libvirtError: internal error unable to start guest: qemu: could not open disk image /home/sassmann/extern/ISOs/Fedora-10-x86_64-DVD.iso

In this example /home/sassmann/extern is a symbolic link.

Version-Release number of selected component (if applicable):
virt-manager-0.7.0-5.fc11.x86_64

How reproducible:
always

Steps to Reproduce:
1. create new VM
2. select to install from ISO stored on the system that is referenced by symbolic link

  
Actual results:
creation of VM fails

Expected results:
creation of VM succeeds

Additional info:

Comment 1 Mark McLoughlin 2009-06-22 12:08:11 EDT
Any selinux messages? 'ausearch -ts recent -m AVC'

Looks like svirt, I just did:

  $> mv /var/lib/libvirt/images /var/lib/libvirt/images2
  $> ln -s /var/lib/libvirt/images2 /var/lib/libvirt/images
  $> restorecon /var/lib/libvirt/images

and I see:

type=AVC msg=audit(1245686812.900:209): avc:  denied  { read } for  pid=23109 comm="setroubleshootd" name="images" dev=dm-1 ino=48592 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_image_t:s0 tclass=lnk_file

Comment 2 Daniel Walsh 2009-06-22 18:08:28 EDT
You can add these rules now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.6.12-57.fc11
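
An added example, not part of the original thread: a small Python parser that pulls the lnk_file denials out of audit records and groups them by source and target type, so the symlink-related denials can be reviewed before running audit2allow over the whole log as in comment 2. The first sample line is the record from comment 1; the other two lines and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Line 1 is the AVC record quoted in comment 1; lines 2 and 3 are constructed samples.
SAMPLE_LOG = [
    'type=AVC msg=audit(1245686812.900:209): avc:  denied  { read } for  pid=23109 '
    'comm="setroubleshootd" name="images" dev=dm-1 ino=48592 '
    'scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:virt_image_t:s0 tclass=lnk_file',
    'type=AVC msg=audit(1245686900.100:210): avc:  denied  { read getattr } for  pid=23200 '
    'comm="qemu-kvm" name="extern" dev=dm-1 ino=50001 scontext=system_u:system_r:svirt_t:s0:c10,c20 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file',
    'type=AVC msg=audit(1245686950.000:211): avc:  denied  { getattr } for  pid=23300 '
    'comm="httpd" path="/srv/www/index.html" dev=dm-1 ino=60001 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {key: value.strip('"') for key, value in KV_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    return rec

def selinux_type(context):
    return context.split(':')[2]  # context is user:role:type[:level]

def symlink_denials(lines):
    """Group lnk_file denials by (source type, target type)."""
    groups = defaultdict(lambda: {'perms': set(), 'links': set(), 'comms': set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec.get('tclass') != 'lnk_file':
            continue  # not a denial, or not about a symlink
        group = groups[(selinux_type(rec['scontext']), selinux_type(rec['tcontext']))]
        group['perms'].update(rec['perms'])
        group['links'].add(rec.get('name', '?'))
        group['comms'].add(rec.get('comm', '?'))
    return dict(groups)

if __name__ == '__main__':
    for (src, tgt), g in sorted(symlink_denials(SAMPLE_LOG).items()):
        print(src, '->', tgt, sorted(g['perms']), sorted(g['links']), sorted(g['comms']))
```

Grouping by source type separates denials raised by helper daemons such as setroubleshootd from those raised by the guest's own domain.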

Comment 3 Daniel Berrange 2009-08-04 11:44:31 EDT
Marking closed as per comment #2