Bug 589922
Summary: | permission denied error for NFS image, should libvirt error message mention virt_use_nfs? | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Stefan Assmann <sassmann> |
Component: | libvirt | Assignee: | Michal Privoznik <mprivozn> |
Status: | CLOSED ERRATA | QA Contact: | Virtualization Bugs <virt-bugs> |
Severity: | medium | Docs Contact: | |
Priority: | low | | |
Version: | 6.0 | CC: | ajia, dallan, dyuan, eblake, gren, gsun, jialiu, mzhan, rwu, veillard, wattersm, whuang, xen-maint |
Target Milestone: | rc | | |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | libvirt-0.9.4-13.el6 | Doc Type: | Bug Fix |
Doc Text: |
Cause: SELinux policies can deny qemu opening a disk image, especially when the virt_use_nfs SELinux boolean is not set.
Consequence: Qemu can't open the disk image and thus refuses to start.
Fix: The error message was enhanced to give the user a hint to set virt_use_nfs if it is not set.
Result: If a user finds himself in this situation, he will observe a meaningful error message giving him a hint on how to solve it.
|
Last Closed: | 2011-12-06 10:43:29 UTC | Type: | --- |
Bug Blocks: | 743047 |
Description
Stefan Assmann
2010-05-07 10:07:50 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux major release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Major release. This request is not yet committed for inclusion.

Is extern an NFS share or something similar?

yes it is.

This issue has been proposed when we are only considering blocker issues in the current Red Hat Enterprise Linux release. It has been denied for the current Red Hat Enterprise Linux release.

** If you would still like this issue considered for the current release, ask your support representative to file as a blocker on your behalf. Otherwise ask that it be considered for the next Red Hat Enterprise Linux release. **

You need to enable the virt_use_nfs selinux boolean. To do so permanently:

    setsebool -P virt_use_nfs=on

But I think libvirt should check for this and throw an error if the boolean isn't set. If we can't reliably detect that it is required, we can at least try and tack on a 'enable virt_use_nfs' to a QEMU error if we know the image was NFS and security is dynamic selinux.

(In reply to comment #7)
> You need to enable the virt_use_nfs selinux boolean. To do so permanently:
>
> setsebool -P virt_use_nfs=on
>
> But I think libvirt should check for this and throw an error if the boolean
> isn't set. If we can't reliably detect that it is required, we can at least try
> and tack on a 'enable virt_use_nfs' to a QEMU error if we know the image was
> NFS and security is dynamic selinux.

Adding some text along the lines of "Perhaps you need to enable virt_use_nfs" to the error is a reasonable usability enhancement.

Moving to POST:

http://post-office.corp.redhat.com/archives/rhvirt-patches/2011-September/msg00314.html

pkgs:

    # rpm -q libvirt qemu-kvm kernel
    libvirt-0.9.4-12.el6.x86_64
    qemu-kvm-0.12.1.2-2.192.el6.x86_64
    kernel-2.6.32-197.el6.x86_64

Steps:

1. Prepare a domain with its img file on NFS that can be started when the selinux boolean virt_use_nfs is set to on
2. # setsebool virt_use_nfs off
3. Start the domain
   # virsh start dom_test

Actual result:

    error: Failed to start domain dom_test
    error: internal error Process exited while reading console log output: char device redirected to /dev/pts/4
    qemu-kvm: -drive file=/var/lib/libvirt/images/dom_test,if=none,id=drive-ide0-0-0,format=qcow2,cache=none: could not open disk image /var/lib/libvirt/images/dom_test: Permission denied

Only the qemu error is thrown out; can't find an error about 'enable virt_use_nfs'.

When checking the audit log after disabling dontaudit rules:

    # /usr/sbin/semodule -DB
    # ausearch -m avc
    ...
    type=SYSCALL msg=audit(1316602915.796:144096): arch=c000003e syscall=2 success=no exit=-13 a0=2ba0f20 a1=84002 a2=0 a3=48 items=0 ppid=1 pid=16539 auid=500 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=1 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c230,c691 key=(null)
    type=AVC msg=audit(1316602915.796:144096): avc: denied { read write } for pid=16539 comm="qemu-kvm" name="dom_test" dev=0:15 ino=19346460 scontext=system_u:system_r:svirt_t:s0:c230,c691 tcontext=system_u:object_r:nfs_t:s0 tclass=file
    ...

So, this is not fixed.

Moving to POST:

http://post-office.corp.redhat.com/archives/rhvirt-patches/2011-September/msg00785.html

pkgs:

    # rpm -q libvirt qemu-kvm kernel
    libvirt-0.9.4-13.el6.x86_64
    qemu-kvm-0.12.1.2-2.192.el6.x86_64
    kernel-2.6.32-201.el6.x86_64

Set log_outputs="1:file:/tmp/libvirtd.log" in /etc/libvirt/libvirtd.conf and restart libvirt.

Follow steps in #c15

Actual result:

    15:50:51.660: 26844: info : libvirt version: 0.9.4, package: 13.el6 (Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>, 2011-09-25-23:54:54, hs20-bc2-4.build.redhat.com)
    15:50:51.660: 26844: warning : SELinuxSetFilecon:436 : Setting security context 'system_u:object_r:svirt_image_t:s0:c370,c1013' on '/var/lib/libvirt/images/rhel6' not supported. Consider setting virt_use_nfs
    15:50:51.760: 26844: error : qemuProcessReadLogOutput:966 : internal error Process exited while reading console log output: char device redirected to /dev/pts/11
    qemu-kvm: -drive file=/var/lib/libvirt/images/rhel6,if=none,id=drive-ide0-0-0,format=raw,cache=none: could not open disk image /var/lib/libvirt/images/rhel6: Permission denied
    15:50:51.844: 26844: warning : SELinuxSetFilecon:436 : Setting security context 'system_u:object_r:virt_image_t:s0' on '/var/lib/libvirt/images/rhel6' not supported. Consider setting virt_use_nfs

Warning msg was logged, so this is fixed.

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: SELinux policies can deny qemu opening a disk image, especially when the virt_use_nfs SELinux boolean is not set.
Consequence: Qemu can't open the disk image and thus refuses to start.
Fix: The error message was enhanced to give the user a hint to set virt_use_nfs if it is not set.
Result: If a user finds himself in this situation, he will observe a meaningful error message giving him a hint on how to solve it.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1513.html

Six years later and this is still a problem. virt_use_nfs should be on by default or virt-manager needs to show more useful error messages. I just fixed this on a system running Fedora 25 and the error messages shown said nothing about SELinux. audit2why and audit2allow also did not show anything regarding SELinux booleans.
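
The denial quoted in this bug has a recognizable shape: source type svirt_t, target type nfs_t, class file. The following is an added example, not libvirt code or anything posted in this bug, that scans audit records for that shape and names the boolean to set. The function names are hypothetical, and the cifs_t to virt_use_samba mapping generalizes beyond the NFS case discussed here.

```python
import re

# Target file type -> SELinux boolean that lets confined guests use it.
# nfs_t/virt_use_nfs is the case in this bug; cifs_t/virt_use_samba is the
# analogous boolean for CIFS, included here as a generalization.
BOOLEAN_FOR_TYPE = {"nfs_t": "virt_use_nfs", "cifs_t": "virt_use_samba"}

DENIED_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""

def virt_storage_hints(audit_text):
    """Find sVirt denials on network-filesystem files and name the boolean."""
    hints = []
    for line in audit_text.splitlines():
        denied = DENIED_RE.search(line)
        if "type=AVC" not in line or not denied:
            continue  # SYSCALL and other record types carry no AVC decision
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        source = selinux_type(fields.get("scontext", ""))
        target = selinux_type(fields.get("tcontext", ""))
        boolean = BOOLEAN_FOR_TYPE.get(target)
        if source == "svirt_t" and fields.get("tclass") == "file" and boolean:
            hints.append({
                "file": fields.get("name", "?"),
                "perms": denied.group(1).split(),
                "target_type": target,
                "fix": f"setsebool -P {boolean}=on",
            })
    return hints

# First record is the AVC denial quoted in this bug; the second is a
# constructed, unrelated denial that must not produce a hint.
SAMPLE = """\
type=AVC msg=audit(1316602915.796:144096): avc: denied { read write } for pid=16539 comm="qemu-kvm" name="dom_test" dev=0:15 ino=19346460 scontext=system_u:system_r:svirt_t:s0:c230,c691 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=AVC msg=audit(1316602999.100:144200): avc: denied { read } for pid=2001 comm="httpd" name="index.html" dev=dm-0 ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

if __name__ == "__main__":
    for h in virt_storage_hints(SAMPLE):
        print(f"{h['file']}: denied {h['perms']} on {h['target_type']}; try: {h['fix']}")
```

The function takes the text that `ausearch -m avc` prints, as in the verification steps above, and skips every record that is not an AVC denial.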