Bug 589922

Summary: permission denied error for NFS image, should libvirt error message mention virt_use_nfs?
Product: Red Hat Enterprise Linux 6 Reporter: Stefan Assmann <sassmann>
Component: libvirt Assignee: Michal Privoznik <mprivozn>
Status: CLOSED ERRATA QA Contact: Virtualization Bugs <virt-bugs>
Severity: medium Docs Contact:
Priority: low    
Version: 6.0 CC: ajia, dallan, dyuan, eblake, gren, gsun, jialiu, mzhan, rwu, veillard, wattersm, whuang, xen-maint
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libvirt-0.9.4-13.el6 Doc Type: Bug Fix
Doc Text:
Cause: SELinux policies can deny qemu opening a disk image, especially when the virt_use_nfs SELinux boolean is not set.
Consequence: Qemu can't open the disk image and thus refuses to start.
Fix: The error message was enhanced to give the user a hint to set virt_use_nfs if it is not set.
Result: If a user finds himself in this situation, he will observe a meaningful error message giving him a hint on how to solve it.
Last Closed: 2011-12-06 10:43:29 UTC Type: ---
Bug Blocks: 743047    

Description Stefan Assmann 2010-05-07 10:07:50 UTC
Description of problem:
After a test installation of RHEL6 in a VM I deleted the VM but kept the image file on disk to reuse it for another installation.

In Step 4 of "Create a new virtual machine" I re-selected the already existing image. When I try to finish the creation of the VM the following error appears:

Unable to complete install '<class 'libvirt.libvirtError'> internal error Process exited while reading console log output: char device redirected to /dev/pts/4
qemu: could not open disk image /extern/images/RHEL6.img: Permission denied

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/create.py", line 1553, in do_install
    dom = guest.start_install(False, meter = meter)
  File "/usr/lib/python2.6/site-packages/virtinst/Guest.py", line 972, in start_install
    return self._do_install(consolecb, meter, removeOld, wait)
  File "/usr/lib/python2.6/site-packages/virtinst/Guest.py", line 1037, in _do_install
    "install")
  File "/usr/lib/python2.6/site-packages/virtinst/Guest.py", line 1008, in _create_guest
    dom = self.conn.createLinux(start_xml, 0)
  File "/usr/lib64/python2.6/site-packages/libvirt.py", line 1202, in createLinux
    if ret is None:raise libvirtError('virDomainCreateLinux() failed', conn=self)
libvirtError: internal error Process exited while reading console log output: char device redirected to /dev/pts/4
qemu: could not open disk image /extern/images/RHEL6.img: Permission denied

Version-Release number of selected component (if applicable):
virt-manager-0.8.4-1.el6.noarch

How reproducible:
happened once so far

Actual results:
virt-manager couldn't reuse the existing image

Expected results:
virt-manager can reuse an existing image

Comment 2 RHEL Program Management 2010-05-07 11:31:30 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.

Comment 3 Cole Robinson 2010-05-11 19:03:20 UTC
Is extern an NFS share or something similar?

Comment 4 Stefan Assmann 2010-05-12 06:36:17 UTC
yes it is.

Comment 5 RHEL Program Management 2010-07-15 14:07:21 UTC
This issue has been proposed when we are only considering blocker
issues in the current Red Hat Enterprise Linux release. It has
been denied for the current Red Hat Enterprise Linux release.

** If you would still like this issue considered for the current
release, ask your support representative to file as a blocker on
your behalf. Otherwise ask that it be considered for the next
Red Hat Enterprise Linux release. **

Comment 7 Cole Robinson 2010-12-01 16:26:02 UTC
You need to enable the virt_use_nfs selinux boolean. To do so permanently:

setsebool -P virt_use_nfs=on

But I think libvirt should check for this and throw an error if the boolean isn't set. If we can't reliably detect that it is required, we can at least try and tack on a 'enable virt_use_nfs' to a QEMU error if we know the image was NFS and security is dynamic selinux.

Comment 10 Dave Allan 2011-06-21 03:31:57 UTC
(In reply to comment #7)
> You need to enable the virt_use_nfs selinux boolean. To do so permanently:
> 
> setsebool -P virt_use_nfs=on
> 
> But I think libvirt should check for this and throw an error if the boolean
> isn't set. If we can't reliably detect that it is required, we can at least try
> and tack on a 'enable virt_use_nfs' to a QEMU error if we know the image was
> NFS and security is dynamic selinux.

Adding some text along the lines of "Perhaps you need to enable virt_use_nfs" to the error is a reasonable usability enhancement.

Comment 15 Wayne Sun 2011-09-21 11:16:11 UTC
pkgs:
# rpm -q libvirt qemu-kvm kernel
libvirt-0.9.4-12.el6.x86_64
qemu-kvm-0.12.1.2-2.192.el6.x86_64
kernel-2.6.32-197.el6.x86_64

Steps:
1. prepare a domain with img file on nfs and can be started when selinux boolean virt_use_nfs was set as on
2. # setsebool virt_use_nfs off
3. start the domain
  # virsh start dom_test

Actual result:
error: Failed to start domain dom_test
error: internal error Process exited while reading console log output: char device redirected to /dev/pts/4
qemu-kvm: -drive file=/var/lib/libvirt/images/dom_test,if=none,id=drive-ide0-0-0,format=qcow2,cache=none: could not open disk image /var/lib/libvirt/images/dom_test: Permission denied

Only the qemu error is thrown; can't find an error about 'enable virt_use_nfs'.

When checking the audit log after disabling dontaudit rules:
# /usr/sbin/semodule -DB
# ausearch -m avc
...
type=SYSCALL msg=audit(1316602915.796:144096): arch=c000003e syscall=2 success=no exit=-13 a0=2ba0f20 a1=84002 a2=0 a3=48 items=0 ppid=1 pid=16539 auid=500 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=1 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c230,c691 key=(null)
type=AVC msg=audit(1316602915.796:144096): avc:  denied  { read write } for  pid=16539 comm="qemu-kvm" name="dom_test" dev=0:15 ino=19346460 scontext=system_u:system_r:svirt_t:s0:c230,c691 tcontext=system_u:object_r:nfs_t:s0 tclass=file
...

So, this is not fixed.
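
Added example (not part of the bug report or of libvirt): a small Python parser that turns the kind of AVC record quoted in the comment above into the virt_use_nfs hint the error message lacked. The function names and the type-to-boolean table are assumptions of this example; the first sample record is the one quoted above, the other two are constructed.

```python
import re

# SELinux file type -> boolean that lets an svirt_t guest use files of that type.
# Only the nfs_t / virt_use_nfs pairing is taken from this bug report.
BOOLEAN_FOR_TYPE = {"nfs_t": "virt_use_nfs"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_LOG = [
    # Record quoted in comment 15.
    'type=AVC msg=audit(1316602915.796:144096): avc:  denied  { read write } for  pid=16539 comm="qemu-kvm" name="dom_test" dev=0:15 ino=19346460 scontext=system_u:system_r:svirt_t:s0:c230,c691 tcontext=system_u:object_r:nfs_t:s0 tclass=file',
    # Constructed: a denial on a file type with no known boolean.
    'type=AVC msg=audit(1316602999.100:144200): avc:  denied  { read } for  pid=16600 comm="qemu-kvm" name="other.img" dev=dm-0 ino=42 scontext=system_u:system_r:svirt_t:s0:c1,c2 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    # Constructed: a non-AVC record, which must be ignored.
    'type=SYSCALL msg=audit(1316602915.796:144096): arch=c000003e syscall=2 success=no exit=-13 comm="qemu-kvm"',
]

def parse_avc(line):
    """Return the fields of an AVC denial as a dict, or None for other records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    return rec

def context_type(ctx):
    """Extract the type field from a user:role:type:level security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ""

def hint_for(line):
    """Return a hint dict when an svirt_t guest was denied a file with a known boolean."""
    rec = parse_avc(line)
    if rec is None or rec.get("tclass") != "file":
        return None
    if context_type(rec.get("scontext", "")) != "svirt_t":
        return None
    boolean = BOOLEAN_FOR_TYPE.get(context_type(rec.get("tcontext", "")))
    if boolean is None:
        return None
    return {"boolean": boolean, "comm": rec.get("comm"),
            "name": rec.get("name"), "perms": rec["perms"]}

def scan(lines):
    """Collect hints for every matching denial in an audit log excerpt."""
    return [h for h in map(hint_for, lines) if h is not None]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print("%(comm)s denied %(perms)s on %(name)s: check 'getsebool %(boolean)s'" % h)
```

On a live host the input would be the output of the ausearch -m avc command shown above, run after semodule -DB so that dontaudit rules do not hide the denial.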

Comment 17 Wayne Sun 2011-09-27 08:01:05 UTC
pkgs:
# rpm -q libvirt qemu-kvm kernel
libvirt-0.9.4-13.el6.x86_64
qemu-kvm-0.12.1.2-2.192.el6.x86_64
kernel-2.6.32-201.el6.x86_64

set log_outputs="1:file:/tmp/libvirtd.log" in /etc/libvirt/libvirtd.conf and restart libvirt

Follow steps in #c15

Actual result:

15:50:51.660: 26844: info : libvirt version: 0.9.4, package: 13.el6 (Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>, 2011-09-25-23:54:54, hs20-bc2-4.build.redhat.com)
15:50:51.660: 26844: warning : SELinuxSetFilecon:436 : Setting security context 'system_u:object_r:svirt_image_t:s0:c370,c1013' on '/var/lib/libvirt/images/rhel6' not supported. Consider setting virt_use_nfs
15:50:51.760: 26844: error : qemuProcessReadLogOutput:966 : internal error Process exited while reading console log output: char device redirected to /dev/pts/11
qemu-kvm: -drive file=/var/lib/libvirt/images/rhel6,if=none,id=drive-ide0-0-0,format=raw,cache=none: could not open disk image /var/lib/libvirt/images/rhel6: Permission denied

15:50:51.844: 26844: warning : SELinuxSetFilecon:436 : Setting security context 'system_u:object_r:virt_image_t:s0' on '/var/lib/libvirt/images/rhel6' not supported. Consider setting virt_use_nfs



Warning msg was logged, so this is fixed.

Comment 18 Michal Privoznik 2011-11-11 08:36:35 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: SELinux policies can deny qemu opening a disk image, especially when the virt_use_nfs SELinux boolean is not set.

Consequence: Qemu can't open the disk image and thus refuses to start.

Fix: The error message was enhanced to give the user a hint to set virt_use_nfs if it is not set.

Result: If a user finds himself in this situation, he will observe a meaningful error message giving him a hint on how to solve it.

Comment 19 errata-xmlrpc 2011-12-06 10:43:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1513.html

Comment 20 Michael Watters 2017-03-21 13:50:00 UTC
Six years later and this is still a problem.  virt_use_nfs should be on by default or virt-manager needs to show more useful error messages.  I just fixed this on a system running Fedora 25 and the error messages shown said nothing about SELinux.  audit2why and audit2allow also did not show anything regarding SELinux booleans.