Hide Forgot
Description of problem: Permission denied when start a guest with file type serial port Version-Release number of selected component (if applicable): libvirt-2.0.0-6.el7.x86_64 qemu-kvm-rhev-2.6.0-22.el7.x86_64 How reproducible: 100% Steps to Reproduce: [on guest] 1. Add console=ttyS0,115200 to guest kernel line. [on host] 1.# mkdir /test 2.Add the following XML to a domain, and delete other serial nodes. <serial type="file"> <source path="/test/vm-serial.log"/> <target port="1"/> </serial> 3. Start the domain. # virsh start vm-jishao error: Failed to start domain vm-jishao error: Unable to open file: /test/vm-serial.log: Permission denied Actual results: can not start the guest with file type serial port Expected results: It should start successfully Additional info: Testing with libvirt-1.2.17-13.el7.x86_64 and qemu-kvm-1.5.3-105.el7.x86_64 the guest can start successfully
With RHEL7.2 release os + qemu-kvm + libvirt,I can not reproduce the issue,the result is as below kernel-3.10.0-327.el7.x86_64, qemu-kvm-1.5.3-105.el7.x86_64, libvirt-1.2.17-13.el7.x86_64 [on guest] 1. Add console=ttyS0,115200 to guest kernel line. [on host] 1.# mkdir /test 2.Add the following XML to a domain, and delete other serial nodes. <serial type="file"> <source path="/test/vm-serial.log"/> <target port="1"/> </serial> 3. Start the domain. # virsh start vm-jishao Domain vm-jishao started 4.# virsh dumpxml vm-jishao | grep serial -A8 <serial type='file'> <source path='/test/vm-serial.log'/> <target port='1'/> <alias name='serial0'/> </serial> <console type='file'> <source path='/test/vm-serial.log'/> <target type='serial' port='1'/> <alias name='serial0'/> </console>
I try the start the guest when set selinux Permissive, the guest can be started successfully but the file can not print any log of guest libvirt-2.0.0-6.el7.x86_64 1.# mkdir /test 2.Add the following XML to a domain, and delete other serial nodes. <serial type="file"> <source path="/test/vm-serial.log"/> <target port="1"/> </serial> 3.# setenforce 0 # getenforce Permissive 4. Start the domain. # virsh start r7.2 Domain r7.2 started 5.# cat vm-serial.log # # #
I am getting an AVC denial: selinux-policy-3.13.1-97.el7.noarch type=AVC msg=audit(1473346336.479:57889): avc: denied { append } for pid=12539 comm="virtlogd" name="vm-serial.log" dev="sda7" ino=262152 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=file type=SYSCALL msg=audit(1473346336.479:57889): arch=c000003e syscall=2 success=no exit=-13 a0=7fe898000b10 a1=80441 a2=180 a3=7fe898000b30 items=0 ppid=1 pid=12539 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="virtlogd" exe="/usr/sbin/virtlogd" subj=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 key=(null) Per bug 1311606 virtlogd is contained and should not be able to access everything. And the domain starts for me if I use /var/log/libvirt as the path to the log file, or manually adjust the context of the /test directory to virt_log_t. (Disabling virtlogd in qemu.conf: stdio_handler = "file" also allows me to start the domain) I don't think libvirt should be changing the context of random directories in the filesystem, we don't do that for disks either.
Hello, i have set "stdio_handler = "file" in qemu.conf and now i am able to start the domain. but it will lead to security issue right, so what is the correct fix for this issue. Workaround used: # The backend to use for handling stdout/stderr output from # QEMU processes. # # 'file': QEMU writes directly to a plain file. This is the # historical default, but allows QEMU to inflict a # denial of service attack on the host by exhausting # filesystem space # # 'logd': QEMU writes to a pipe provided by virtlogd daemon. # This is the current default, providing protection # against denial of service by performing log file # rollover when a size limit is hit. # stdio_handler = "file" Actual issue: 2016-11-07 18:06:34.810 19880 ERROR nova.compute.manager [instance: 9730e067-3c4f-4241-9bae-693d95f53e00] if ret == -1: raise libvirtError ('virDomainCreateWithFlags() failed', dom=self) 2016-11-07 18:06:34.810 19880 ERROR nova.compute.manager [instance: 9730e067-3c4f-4241-9bae-693d95f53e00] libvirtError: Unable to open file: /var/lib/nova/instances/9730e067-3c4f-4241-9bae-693d95f53e00/console.log: Permission denied 2016-11-07 18:06:34.810 19880 ERROR nova.compute.manager [instance: 9730e067-3c4f-4241-9bae-693d95f53e00] 2016-11-07 18:06:34.811 19880 INFO nova.compute.manager [req-17b73d5b-a406-439e-8e4d-9a40c04a1f9a 2ec0f13b4e494d49b2901281fc640d71 c900d0d4a8d24a8ab29fdb06b5f81d99 - - -] [instance: 9730e067-3c4f-4241-9bae-693d95f53e00] Terminating instance Looking for the right fix.
*** Bug 1396518 has been marked as a duplicate of this bug. ***
*** Bug 1483466 has been marked as a duplicate of this bug. ***
*** Bug 1502879 has been marked as a duplicate of this bug. ***
*** Bug 1499800 has been marked as a duplicate of this bug. ***