Bug 1045040 - /var/lib/libvirt/qemu permissions are wrong
/var/lib/libvirt/qemu permissions are wrong
Product: Virtualization Tools
Classification: Community
Component: libvirt (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Libvirt Maintainers
Depends On: 1045069
Blocks: 805141
  Show dependency treegraph
Reported: 2013-12-19 08:59 EST by Richard W.M. Jones
Modified: 2016-04-10 13:21 EDT (History)
10 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2016-04-10 13:21:40 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Richard W.M. Jones 2013-12-19 08:59:58 EST

drwxr-x---.  6 qemu qemu 4096 Dec 19 12:56 .

Dan thinks we should actually create subdirectories under
here for every guest, with the guest's uid:gid as the owner
of the subdirectory, allowing qemu to run as arbitrary
uid:gid and still access its monitor socket.

Version-Release number of selected component (if applicable):

libvirt 1.1.3 on Fedora 19

Also the same on Fedora 20.
Comment 1 Richard W.M. Jones 2014-01-09 11:57:32 EST
libvirt currently creates the monitor sockets directly in
/var/lib/libvirt/qemu/ eg:

$ sudo ls -l /var/lib/libvirt/qemu/
total 16
srwxr-xr-x. 1 qemu qemu    0 Jan  6 16:00 builder-rhel6.monitor
srwxr-xr-x. 1 qemu qemu    0 Dec 20 22:04 builder-rhel7.monitor

The problem is this doesn't work if we told libvirt to run qemu as
another UID, which is possible (albeit undocumented):

  <seclabel model='dac' type='static'> <label>user:group</label> </seclabel>

If you do that you'll find that qemu won't be able to access the
monitor socket in some situations.

To fix this, libvirt should create a subdirectory per guest.  The
permissions on /var/lib/libvirt/qemu/ should be relaxed, and the owner
or SELinux label of /var/lib/libvirt/qemu/<guestname> should be set so
qemu can access it.

(I suspect the monitor sockets should really go in /run, but the
same arguments apply)
Comment 2 Paul Wouters 2015-10-13 15:31:06 EDT
I agree. for libreswan we run a test suite with libvirt where our own user 'build' creates the vms and every libvirt update my tests start failing and I have to run:

chmod g+w /var/lib/libvirt/qemu/

So at least group qemu write permissions would be nice.
Comment 3 Cole Robinson 2016-04-10 13:21:40 EDT
Upstream libvirt does this nowadays:

$ sudo ls /var/lib/libvirt/qemu/
channel  domain-9-f23  dump  nvram  save  snapshot

Where domain-9-f23 is used for the monitor socket for running vm name=f23 id=9

Note You need to log in before you can comment on or make changes to this bug.