Bug 617096

Summary: fail to start the guest on pool without svirt configuration after conversion(rhel 6)
Product: Red Hat Enterprise Linux 6 Reporter: Mohua Li <moli>
Component: libvirt Assignee: Daniel Veillard <veillard>
Status: CLOSED NOTABUG QA Contact: Virtualization Bugs <virt-bugs>
Severity: high Docs Contact:
Priority: high    
Version: 6.0 CC: berrange, cshao, dwalsh, eblake, leiwang, llim, mbooth, moli, mshao, rwu, xen-maint
Target Milestone: rc Keywords: RHELNAK, TestBlocker
Target Release: --- Flags: moli: needinfo-
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-08-11 06:06:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Mohua Li 2010-07-22 07:33:46 UTC
Description of problem:
After conversion to the libvirt pool, we could find the domain with virsh list --all, but starting the guest fails with the error message below. On RHEL 5, with the same configuration, we don't hit this error.
After comparing with a guest running on RHEL 6, we found that the svirt configuration is missing, like below:

  <seclabel type='static' model='selinux'>
    <label>system_u:object_r:svirt_image_t:s0:c520,c575</label>
  </seclabel>
</domain>


below is the detail,



[root@dhcp-66-70-73 ~]# virsh list --all
 Id Name                 State
----------------------------------
  - ESX3.5-RHEL3.9-i386  shut off
  - ESX3.5-RHEL4.8-i386  shut off
  - ESX3.5-RHEL4.8-x86_64 shut off
  - ESX3.5-RHEL5.4-i386  shut off
  - ESX3.5-RHEL5.4-x86_64 shut off
  - ESX3.5-RHEL5.5-i386  shut off
  - ESX4.0-RHEL3.9-i386  shut off
  - ESX4.0-RHEL4.8-x86_64 shut off
  - ESX4.0-RHEL5.4-i386  shut off
  - ESX4.0-RHEL5.4-x86_64 shut off
  - ESX4.0-RHEL5.5-x86_64 shut off
  - rhel3u9-32b-hv-raw-intel shut off
  - rhel3u9-64b-hv-raw-intel shut off
  - rhel5u4-32b-hv-raw-intel shut off
  - rhel5u4-64b-hv-raw-intel shut off

Starting the guest fails with the error message below, but on RHEL 5, with the same configuration, we don't hit this error:

[root@dhcp-66-70-73 ~]# virsh start ESX3.5-RHEL5.4-x86_64
error: Failed to start domain ESX3.5-RHEL5.4-x86_64
error: internal error Process exited while reading console log output: char device redirected to /dev/pts/5
qemu: could not open disk image /root/esx3/ESX35-RHEL5U4-x86_64-noxen-smp_ESX35-RHEL5U4-x86_64-noxen-smp: Permission denied

/var/log/libvirt/qemu,

LC_ALL=C PATH=/sbin:/usr/sbin:/bin:/usr/bin QEMU_AUDIO_DRV=none /usr/libexec/qemu-kvm -S -M rhel6.0.0 -enable-kvm -m 384 -smp 1,sockets=1,cores=1,threads=1 -name ESX3.5-RHEL5.4-x86_64 -uuid 564ddc8a-93a0-b0b8-a93a-b787d9ec8994 -nodefconfig -nodefaults -chardev socket,id=monitor,path=/var/lib/libvirt/qemu/ESX3.5-RHEL5.4-x86_64.monitor,server,nowait -mon chardev=monitor,mode=control -rtc base=utc -boot c -drive file=/root/esx3/ESX35-RHEL5U4-x86_64-noxen-smp_ESX35-RHEL5U4-x86_64-noxen-smp,if=none,id=drive-virtio-disk0,boot=on,format=raw -device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0 -netdev tap,fd=26,id=hostnet0,vhost=on,vhostfd=27 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=00:0c:29:ec:89:94,bus=pci.0,addr=0x5 -chardev pty,id=serial0 -device isa-serial,chardev=serial0 -usb -device usb-tablet,id=input0 -vnc 127.0.0.1:0 -vga cirrus -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3

char device redirected to /dev/pts/5
qemu: could not open disk image /root/esx3/ESX35-RHEL5U4-x86_64-noxen-smp_ESX35-RHEL5U4-x86_64-noxen-smp: Permission denied

[root@dhcp-66-70-73 ~]# ll /root/esx3/ESX35-RHEL5U4-x86_64-noxen-smp_ESX35-RHEL5U4-x86_64-noxen-smp
-rw-------. 1 root root 10737418240 Jul 22 04:25 /root/esx3/ESX35-RHEL5U4-x86_64-noxen-smp_ESX35-RHEL5U4-x86_64-noxen-smp

Here is the description file of the guest; after comparing with the guest running on RHEL 6, we found that the svirt configuration is missing:

[root@dhcp-66-70-73 qemu]# virsh dumpxml ESX3.5-RHEL5.4-x86_64
<domain type='kvm'>
  <name>ESX3.5-RHEL5.4-x86_64</name>
  <uuid>564ddc8a-93a0-b0b8-a93a-b787d9ec8994</uuid>
  <memory>393216</memory>
  <currentMemory>393216</currentMemory>
  <vcpu>1</vcpu>
  <os>
    <type arch='x86_64' machine='rhel6.0.0'>hvm</type>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
  </features>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
    <emulator>/usr/libexec/qemu-kvm</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw'/>
      <source file='/root/esx3/ESX35-RHEL5U4-x86_64-noxen-smp_ESX35-RHEL5U4-x86_64-noxen-smp'/>
      <target dev='vda' bus='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
    </disk>
    <interface type='network'>
      <mac address='00:0c:29:ec:89:94'/>
      <source network='default'/>
      <target dev='vnet0'/>
      <model type='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
    </interface>
    <serial type='pty'>
      <target port='0'/>
    </serial>
    <console type='pty'>
      <target port='0'/>
    </console>
    <input type='tablet' bus='usb'/>
    <input type='mouse' bus='ps2'/>
    <graphics type='vnc' port='-1' autoport='yes' listen='127.0.0.1'/>
    <video>
      <model type='cirrus' vram='9216' heads='1'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
  </devices>
</domain>

After adding these lines to the XML file, we don't hit the error again:

  <seclabel type='static' model='selinux'>
    <label>system_u:object_r:svirt_image_t:s0:c520,c575</label>
  </seclabel>
</domain>

Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1.convert the guest to libvirt pool
2.try to start the guest with virsh command
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Mohua Li 2010-07-22 07:40:01 UTC
tested version as below,

[root@dhcp-66-70-73 qemu]# rpm -qa libguestfs
libguestfs-1.2.7-1.16.el6.x86_64
[root@dhcp-66-70-73 qemu]# rpm -qa libvirt
libvirt-0.8.1-15.el6.x86_64
[root@dhcp-66-70-73 qemu]# rpm -qa virt-v2v
virt-v2v-0.6.1-1.el6.x86_64

Comment 3 Mohua Li 2010-07-22 07:56:27 UTC
this bug will make all the guests fail to start on libvirt pool, so set the keywords TestBlocker.

Comment 4 RHEL Program Management 2010-07-22 07:57:54 UTC
This issue has been proposed when we are only considering blocker
issues in the current Red Hat Enterprise Linux release.

** If you would still like this issue considered for the current
release, ask your support representative to file as a blocker on
your behalf. Otherwise ask that it be considered for the next
Red Hat Enterprise Linux release. **

Comment 7 Matthew Booth 2010-08-05 13:48:38 UTC
I've been trying to work out why I couldn't replicate this. I've asked around, and the suggestion is that the issue is where the images have been placed: namely in a directory under /root. This directory will not have a correct SELinux label by default, and may not have appropriate DAC permissions either.

Can you please try again using a directory pool under /var/lib/libvirt/images as the target. Either way, could you please post any related AVC denials from the audit log to this bug?

Comment 8 Matthew Booth 2010-08-05 13:50:53 UTC
I'm moving this over to libvirt as it doesn't appear to relate to virt-v2v. I'm also not convinced it's a bug, but I'll let somebody more authoritative make that determination.

Comment 9 Mohua Li 2010-08-06 01:48:01 UTC
(In reply to comment #7)
> I've been trying to work out why I couldn't replicate this. I've asked around,
> and the suggestion is that the issue is where the images have been placed:
> namely in a directory under /root. This directory will not have a correct
> SELinux label by default, and may not have appropriate DAC permissions either.
> 
> Can you please try again using a directory pool under /var/lib/libvirt/images
> as the target. Either way, could you please post any related AVC denials from
> the audit log to this bug?    

Actually, I also tried some pools on /var/lib/libvirt/images and also had such issues. I will post the audit log for AVC denials later.

Comment 10 Mohua Li 2010-08-06 03:06:28 UTC
(In reply to comment #9)
> (In reply to comment #7)
> > I've been trying to work out why I couldn't replicate this. I've asked around,
> > and the suggestion is that the issue is where the images have been placed:
> > namely in a directory under /root. This directory will not have a correct
> > SELinux label by default, and may not have appropriate DAC permissions either.
> > 
> > Can you please try again using a directory pool under /var/lib/libvirt/images
> > as the target. Either way, could you please post any related AVC denials from
> > the audit log to this bug?    
> 
> actually, i also try some pools on /var/lib/libvirt/images, also have such
> issues, i will post the audit log for AVC denials later,    

audit.log, 

for virsh start domain output,

type=ANOM_PROMISCUOUS msg=audit(1281064234.033:77): dev=vnet0 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
type=SYSCALL msg=audit(1281064234.033:77): arch=c000003e syscall=16 success=yes exit=0 a0=13 a1=89a2 a2=7fef25632ae0 a3=7 items=0 ppid=1 pid=8404 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
type=ANOM_PROMISCUOUS msg=audit(1281064234.186:78): dev=vnet0 prom=0 old_prom=256 auid=4294967295 uid=107 gid=107 ses=4294967295
type=ANOM_PROMISCUOUS msg=audit(1281064240.574:79): dev=vnet0 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
type=SYSCALL msg=audit(1281064240.574:79): arch=c000003e syscall=16 success=yes exit=0 a0=13 a1=89a2 a2=7fef27e36ae0 a3=361dd7a14c items=0 ppid=1 pid=8400 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
type=ANOM_PROMISCUOUS msg=audit(1281064240.806:80): dev=vnet0 prom=0 old_prom=256 auid=4294967295 uid=107 gid=107 ses=4294967295

/var/log/messages,

for virsh start $domain output,

Aug  6 11:10:34 dhcp-66-70-73 libvirtd: 11:10:34.267: error : qemudReadLogOutput:2313 : internal error Process exited while reading console log output: char device redirected to /dev/pts/1#012qemu: could not open disk image /root/esx4/ESXi4_Linux_ESX4-RHEL3U9-i386_ESX4-RHEL3U9-i386: Permission denied#012
Aug  6 11:10:40 dhcp-66-70-73 kernel: device vnet0 entered promiscuous mode
Aug  6 11:10:40 dhcp-66-70-73 kernel: virbr0: topology change detected, propagating
Aug  6 11:10:40 dhcp-66-70-73 kernel: virbr0: port 1(vnet0) entering forwarding state
Aug  6 11:10:40 dhcp-66-70-73 NetworkManager[7911]: <warn> /sys/devices/virtual/net/vnet0: couldn't determine device driver; ignoring...
Aug  6 11:10:40 dhcp-66-70-73 kernel: virbr0: port 1(vnet0) entering disabled state
Aug  6 11:10:40 dhcp-66-70-73 kernel: device vnet0 left promiscuous mode
Aug  6 11:10:40 dhcp-66-70-73 kernel: virbr0: port 1(vnet0) entering disabled state
Aug  6 11:10:40 dhcp-66-70-73 libvirtd: 11:10:40.885: error : qemudReadLogOutput:2313 : internal error Process exited while reading console log output: char device redirected to /dev/pts/1#012qemu: could not open disk image /root/xen/rhel5u4-32b-hv-raw-intel.img: Permission denied#012

Comment 11 Daniel Berrangé 2010-08-06 10:12:56 UTC
None of those audit.log messages are AVC denials. The syslog messages show you are still using /root.

Please put the disk images in /var/lib/libvirt/images as previously requested

Comment 12 Mohua Li 2010-08-06 10:52:35 UTC
Actually, I also don't know why there is no AVC log output in audit.log; that's what I saw when I executed "virsh start rhel5u4-32b-hv-raw-intel". Any suggestions?

Test pool created on /var/lib/libvirt/images:

<pool type="netfs">
  <name>test</name>
  <source>
    <host name="10.66.65.43"/>
    <dir path="/virt-v2v/v2v-convert/0.6.1-1.el5/20100713/test"/>
  </source>
  <target>
    <path>/var/lib/libvirt/images/test</path>
  </target>
</pool>


[root@dhcp-66-70-73 ~]# virsh vol-list test
Name                 Path                                    
-----------------------------------------
ESXi35U4_Linux_ESX35-RHEL5U4-i386-noxen-smp_ESX35-RHEL5U4-i386-noxen-smp /var/lib/libvirt/images/test/ESXi35U4_Linux_ESX35-RHEL5U4-i386-noxen-smp_ESX35-RHEL5U4-i386-noxen-smp
rhel5u4-64b-pv-raw-intel.img /var/lib/libvirt/images/test/rhel5u4-64b-pv-raw-intel.img

[root@dhcp-66-70-73 ~]# virsh list --all
 Id Name                 State
----------------------------------
  - ESX4.0-RHEL3.9-i386  shut off
  - rhel5u4-32b-hv-raw-intel shut off

[root@dhcp-66-70-73 ~]# virsh start rhel5u4-32b-hv-raw-intel
error: Failed to start domain rhel5u4-32b-hv-raw-intel
error: internal error Process exited while reading console log output: char device redirected to /dev/pts/3
qemu: could not open disk image /root/xen/rhel5u4-32b-hv-raw-intel.img: Permission denied



audit.log,

type=ANOM_PROMISCUOUS msg=audit(1281091952.358:971): dev=vnet0 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
type=SYSCALL msg=audit(1281091952.358:971): arch=c000003e syscall=16 success=yes exit=0 a0=13 a1=89a2 a2=7fef27435ae0 a3=361dd7a14c items=0 ppid=1 pid=8401 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
type=ANOM_PROMISCUOUS msg=audit(1281091952.476:972): dev=vnet0 prom=0 old_prom=256 auid=4294967295 uid=107 gid=107 ses=4294967295
type=USER_ACCT msg=audit(1281092101.869:973): user pid=15385 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'

Comment 13 Daniel Berrangé 2010-08-06 11:20:06 UTC
Simply creating a new storage pool doesn't magically move all existing guests into that pool. Your guest is clearly still configured to use /root/ as shown by this error message:

[root@dhcp-66-70-73 ~]# virsh start rhel5u4-32b-hv-raw-intel
error: Failed to start domain rhel5u4-32b-hv-raw-intel
error: internal error Process exited while reading console log output: char
device redirected to /dev/pts/3
qemu: could not open disk image /root/xen/rhel5u4-32b-hv-raw-intel.img:
Permission denied

Please fix your guest to use the correct locations.

Comment 14 Mohua Li 2010-08-06 11:47:57 UTC
Sorry, that was a wrong paste; operating too quickly caused the mistake. Here the log clearly shows that the volumes "rhel5u5-32b-hv-raw-intel.img" and "rhel5u4-64b-hv-raw-intel.img" are located on pool "test", and starting them fails with an error, below:


[root@dhcp-66-70-73 libvirt]# virsh vol-list test
Name                 Path                                    
-----------------------------------------
ESXi35U4_Linux_ESX35-RHEL5U4-i386-noxen-smp_ESX35-RHEL5U4-i386-noxen-smp /var/lib/libvirt/images/test/ESXi35U4_Linux_ESX35-RHEL5U4-i386-noxen-smp_ESX35-RHEL5U4-i386-noxen-smp
rhel5u4-64b-hv-raw-intel.img /var/lib/libvirt/images/test/rhel5u4-64b-hv-raw-intel.img
rhel5u5-32b-hv-raw-intel.img /var/lib/libvirt/images/test/rhel5u5-32b-hv-raw-intel.img


[root@dhcp-66-70-73 libvirt]# ll  /var/lib/libvirt/images/test/
total 12031180
-rw-------. 1 root root 10737418240 Aug  7  2010 ESXi35U4_Linux_ESX35-RHEL5U4-i386-noxen-smp_ESX35-RHEL5U4-i386-noxen-smp
-rw-------. 1 root root  4294967297 Aug  7  2010 rhel5u4-64b-hv-raw-intel.img
-rw-------. 1 root root  6291456000 Aug  7  2010 rhel5u5-32b-hv-raw-intel.img


[root@dhcp-66-70-73 libvirt]# virsh start rhel5u4-64b-hv-raw-intel
error: Failed to start domain rhel5u4-64b-hv-raw-intel
error: internal error Process exited while reading console log output: char device redirected to /dev/pts/4
qemu: could not open disk image /var/lib/libvirt/images/test/rhel5u4-64b-hv-raw-intel.img: Permission denied


[root@dhcp-66-70-73 libvirt]# virsh start rhel5u5-32b-hv-raw-intel
error: Failed to start domain rhel5u5-32b-hv-raw-intel
error: internal error Process exited while reading console log output: char device redirected to /dev/pts/4
qemu: could not open disk image /var/lib/libvirt/images/test/rhel5u5-32b-hv-raw-intel.img: Permission denied



audit.log

type=ANOM_PROMISCUOUS msg=audit(1281095542.608:1104): dev=vnet0 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
type=SYSCALL msg=audit(1281095542.608:1104): arch=c000003e syscall=16 success=yes exit=0 a0=13 a1=89a2 a2=7fef26033ae0 a3=361dd7a14c items=0 ppid=1 pid=8403 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
type=ANOM_PROMISCUOUS msg=audit(1281095542.735:1105): dev=vnet0 prom=0 old_prom=256 auid=4294967295 uid=107 gid=107 ses=4294967295
type=ANOM_PROMISCUOUS msg=audit(1281095548.973:1106): dev=vnet0 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
type=SYSCALL msg=audit(1281095548.973:1106): arch=c000003e syscall=16 success=yes exit=0 a0=13 a1=89a2 a2=7fef26a34ae0 a3=361dd7a14c items=0 ppid=1 pid=8402 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
type=ANOM_PROMISCUOUS msg=audit(1281095549.108:1107): dev=vnet0 prom=0 old_prom=256 auid=4294967295 uid=107 gid=107 ses=4294967295

Comment 15 Daniel Berrangé 2010-08-06 11:52:59 UTC
What are the permissions on the directory /var/lib/libvirt/images/test itself ?

Comment 16 Mohua Li 2010-08-09 01:54:41 UTC
here is the permission setting for /var/lib/libvirt/images,

[root@dhcp-66-70-73 images]# ll
total 4
drwxr-xr-x. 2 root root 4096 Aug  7 03:32 test
[root@dhcp-66-70-73 images]# pwd
/var/lib/libvirt/images

Comment 17 Mohua Li 2010-08-09 08:03:03 UTC
The most obvious thing is that when I disable SELinux, I can start the guest successfully, without any error.

Comment 18 Daniel Veillard 2010-08-09 09:37:48 UTC
can you provide the output of

ls -laZ /var/lib/libvirt/images
ls -laZ /var/lib/libvirt/images/test

so we can see the SELinux labelling of that subtree 

Daniel

Comment 19 Mohua Li 2010-08-09 09:59:28 UTC
As I had previously run setenforce 0 to start the guest, I set it back; here is the output:


[root@dhcp-66-70-73 v2v]# getenforce
Permissive
[root@dhcp-66-70-73 v2v]# setenforce 1
[root@dhcp-66-70-73 v2v]# getenforce
Enforcing
[root@dhcp-66-70-73 v2v]# ls -laZ /var/lib/libvirt/images
drwx--x--x. root root system_u:object_r:virt_image_t:s0 .
drwxr-xr-x. root root system_u:object_r:virt_var_lib_t:s0 ..
-rw-r--r--. root root unconfined_u:object_r:virt_image_t:s0 rhel5u4-64b-hv-raw-intel.xml
drwxr-xr-x. root root unconfined_u:object_r:virt_image_t:s0 test
drwxr-xr-x. root root system_u:object_r:nfs_t:s0       v2v
[root@dhcp-66-70-73 v2v]# ls -laZ /var/lib/libvirt/images/test
drwxr-xr-x. root root unconfined_u:object_r:virt_image_t:s0 .
drwx--x--x. root root system_u:object_r:virt_image_t:s0 ..

Comment 20 Daniel Veillard 2010-08-10 09:53:24 UTC
The test subdir does not have the same SELinux attributes as
/var/lib/libvirt/images.
Move all the data from the test subdir to the main /var/lib/libvirt/images
directory, change the guest config to point to the new location for the files,
and try again.
This looks like a user problem of mislabelling the directory containing
the guest files. A priori not a bug, but I'm waiting for confirmation!

Daniel

Comment 21 Mohua Li 2010-08-10 10:32:56 UTC
DV,

I tried exactly what you said and still hit the error. I also changed the pool owner/group from -1 to qemu/qemu and hit the same error.



[root@dhcp-66-70-73 virt]# ls -laZ /var/lib/libvirt/images/
drwxr-xr-x. root root system_u:object_r:nfs_t:s0       .
drwxr-xr-x. root root system_u:object_r:virt_var_lib_t:s0 ..
-rw-------. root root system_u:object_r:nfs_t:s0       rhel5u4-32b-hv-raw-intel.img
-rw-------. root root system_u:object_r:nfs_t:s0       rhel5u4-64b-hv-raw-intel.img
[root@dhcp-66-70-73 virt]# virsh list --all
 Id Name                 State
----------------------------------
  - rhel5u4-32b-hv-raw-intel shut off
  - rhel5u4-64b-hv-raw-intel shut off

[root@dhcp-66-70-73 virt]# virsh start rhel5u4-32b-hv-raw-intel
error: Failed to start domain rhel5u4-32b-hv-raw-intel
error: internal error Process exited while reading console log output: char device redirected to /dev/pts/5
qemu: could not open disk image /var/lib/libvirt/images/rhel5u4-32b-hv-raw-intel.img: Permission denied


[root@dhcp-66-70-73 virt]# virsh pool-dumpxml v2v
<pool type='netfs'>
  <name>v2v</name>
  <uuid>8d25c92b-03b1-a4b0-6435-03c471e9a505</uuid>
  <capacity>1969006968832</capacity>
  <allocation>1054794809344</allocation>
  <available>914212159488</available>
  <source>
    <host name='10.66.65.43'/>
    <dir path='/virt-v2v/v2v-convert/v2v'/>
    <format type='auto'/>
  </source>
  <target>
    <path>/var/lib/libvirt/images</path>
    <permissions>
      <mode>0700</mode>
      <owner>107</owner>
      <group>107</group>
    </permissions>
  </target>
</pool>



[root@dhcp-66-70-73 v2v]# cat /etc/passwd | grep qemu
qemu:x:107:107:qemu user:/:/sbin/nologin

Comment 22 Mohua Li 2010-08-11 06:06:01 UTC
We need to use "setsebool virt_use_nfs=on" in order for it to work with SELinux. After setting this boolean, everything is OK, so this is not a bug.

[root@dhcp-66-70-73 ~]# getsebool -a | grep virt
virt_use_comm --> off
virt_use_fusefs --> off
virt_use_nfs --> on
virt_use_samba --> off
virt_use_sysfs --> off
virt_use_usb --> on
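
Added example, not part of the original bug thread or of libvirt: a shell check that reproduces the diagnosis the thread arrived at, by reading the disk image's SELinux type from `ls -Z` output and looking up the matching `virt_use_*` boolean in `getsebool -a` output. The function names and sample input are constructed for illustration; the `cifs_t` and `fusefs_t` mappings generalize beyond the NFS case discussed above.

```shell
#!/bin/sh
# Added example: explain a qemu "Permission denied" on a disk image from the
# image's SELinux file type and the virt_use_* booleans.

# Constructed sample input, modelled on the ls -laZ and getsebool -a output
# shown in the thread (boolean still off, as before the fix).
SAMPLE_LS_Z='-rw-------. root root system_u:object_r:nfs_t:s0       rhel5u4-32b-hv-raw-intel.img'
SAMPLE_BOOLS='virt_use_fusefs --> off
virt_use_nfs --> off
virt_use_samba --> off'

# Print the SELinux type (third field of user:role:type:level) found in one
# line of `ls -Z` output; works whether the context is the first or a later column.
selinux_type_of() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if (split($i, c, ":") >= 4) { print c[3]; exit }
    }'
}

# Filesystem-wide types that a confined guest may only use when the matching
# boolean is on. cifs_t and fusefs_t go beyond the NFS case in the thread.
boolean_for_type() {
    case "$1" in
        nfs_t)    echo virt_use_nfs ;;
        cifs_t)   echo virt_use_samba ;;
        fusefs_t) echo virt_use_fusefs ;;
    esac
}

# Print "on"/"off" for boolean $1 in `getsebool -a` style text $2.
boolean_state() {
    printf '%s\n' "$2" | awk -v b="$1" '$1 == b && $2 == "-->" { print $3; exit }'
}

# diagnose <ls -Z line> <getsebool -a text>
# Prints one of: no-context, no-boolean TYPE, boolean-on|off|unknown NAME.
diagnose() {
    ftype=$(selinux_type_of "$1")
    if [ -z "$ftype" ]; then echo "no-context"; return 0; fi
    bool=$(boolean_for_type "$ftype")
    if [ -z "$bool" ]; then echo "no-boolean $ftype"; return 0; fi
    case "$(boolean_state "$bool" "$2")" in
        on)  echo "boolean-on $bool" ;;
        off) echo "boolean-off $bool" ;;
        *)   echo "boolean-unknown $bool" ;;
    esac
}

# With a path argument, inspect the live system; otherwise use the sample.
if [ -n "${1:-}" ] && command -v getsebool >/dev/null 2>&1; then
    diagnose "$(ls -dZ -- "$1")" "$(getsebool -a)"
else
    diagnose "$SAMPLE_LS_Z" "$SAMPLE_BOOLS"
fi
```

A `boolean-off virt_use_nfs` result corresponds to the state before comment 22; `setsebool -P` makes the change persist across reboots. A `no-boolean` result means the denial is not explained by one of these booleans and the file or directory labelling should be examined instead.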