Bug 491052 - selinux: virt-manager downloaded kernel/initrd cannot be accessed by KVM guest
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: python-virtinst
Version: rawhide
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Daniel Berrange
QA Contact: Fedora Extras Quality Assurance
Duplicates: 491709
Blocks: F11VirtBlocker
Reported: 2009-03-19 04:40 EDT by Michal Nowak
Modified: 2013-03-07 21:05 EST
Doc Type: Bug Fix
Last Closed: 2009-04-20 12:13:54 EDT

Attachments
Log from installation (12.42 KB, text/plain), 2009-03-19 04:40 EDT, Michal Nowak
First log (1.25 KB, text/plain), 2009-03-19 09:49 EDT, Michal Nowak
Second log (570 bytes, text/plain), 2009-03-19 09:49 EDT, Michal Nowak
Third log (4.83 KB, text/plain), 2009-03-19 09:50 EDT, Michal Nowak
fourth log (2.13 KB, text/plain), 2009-03-19 09:51 EDT, Michal Nowak
This patch will allow virt-manager.py to set the context on a file when it does an install (1.55 KB, text/plain), 2009-03-25 09:13 EDT, Daniel Walsh
Fix context for kernel/initrd images (1.50 KB, patch), 2009-04-03 13:23 EDT, Daniel Berrange

Description Michal Nowak 2009-03-19 04:40:05 EDT
Created attachment 335814
Log from installation

Description of problem:

Creation of virtual machine is not possible. Ends with:

[Thu, 19 Mar 2009 09:25:51 virt-manager 8433] ERROR (create:1503) Unable to complete install '<class 'libvirt.libvirtError'> internal error unable to start guest: char device redirected to /dev/pts/4
char device redirected to /dev/pts/5

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/create.py", line 1485, in do_install
    dom = guest.start_install(False, meter = meter)
  File "/usr/lib/python2.6/site-packages/virtinst/Guest.py", line 541, in start_install
    return self._do_install(consolecb, meter, removeOld, wait)
  File "/usr/lib/python2.6/site-packages/virtinst/Guest.py", line 633, in _do_install
    self.domain = self.conn.createLinux(install_xml, 0)
  File "/usr/lib64/python2.6/site-packages/libvirt.py", line 973, in createLinux
    if ret is None:raise libvirtError('virDomainCreateLinux() failed', conn=self)
libvirtError: internal error unable to start guest: char device redirected to /dev/pts/4
char device redirected to /dev/pts/5

'
[Thu, 19 Mar 2009 09:25:51 virt-manager 8433] DEBUG (error:76) Uncaught Error: Unable to complete install: 'internal error unable to start guest: char device redirected to /dev/pts/4
char device redirected to /dev/pts/5
' : Unable to complete install '<class 'libvirt.libvirtError'> internal error unable to start guest: char device redirected to /dev/pts/4
char device redirected to /dev/pts/5

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/create.py", line 1485, in do_install
    dom = guest.start_install(False, meter = meter)
  File "/usr/lib/python2.6/site-packages/virtinst/Guest.py", line 541, in start_install
    return self._do_install(consolecb, meter, removeOld, wait)
  File "/usr/lib/python2.6/site-packages/virtinst/Guest.py", line 633, in _do_install
    self.domain = self.conn.createLinux(install_xml, 0)
  File "/usr/lib64/python2.6/site-packages/libvirt.py", line 973, in createLinux
    if ret is None:raise libvirtError('virDomainCreateLinux() failed', conn=self)
libvirtError: internal error unable to start guest: char device redirected to /dev/pts/4
char device redirected to /dev/pts/5

'

Version-Release number of selected component (if applicable):

qemu-common-0.10-0.9.kvm20090310git.fc11.x86_64
qemu-img-0.10-0.9.kvm20090310git.fc11.x86_64
qemu-system-x86-0.10-0.9.kvm20090310git.fc11.x86_64
virt-manager-0.7.0-1.fc11.x86_64

Linux dhcp-lab-124.englab.brq.redhat.com 2.6.29-0.237.rc7.git4.fc11.x86_64 #1 SMP Wed Mar 11 18:55:04 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux

How reproducible:

always

Steps to Reproduce: (should be in the log)
1. Insert name "XFce", Network install, url=http://download.englab.brq.redhat.com/pub/fedora/linux/releases/10/Fedora/i386/os/
2. ram=512, cpu=1, image=8GB (sparse)
3. virtual network, KVM, x86-64, fixed MAC address
  
Actual results:

BT, no machine created

Expected results:

virt machine running

Additional info:

tested: Brno PXE, trees, ISOs

notes:

* tested also with x86-64 tree -- same result: http://download.englab.brq.redhat.com/pub/fedora/linux/releases/10/Fedora/x86_64/os/

* ISO fails with

Unable to complete install '<class 'libvirt.libvirtError'> internal error unable to start guest: char device redirected to /dev/pts/4
char device redirected to /dev/pts/5
Failed to stat runtime directory /root/.pulse/20fb31ff14a38c84bec651a5499d649b:runtime: Permission denied

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/create.py", line 1485, in do_install
    dom = guest.start_install(False, meter = meter)
  File "/usr/lib/python2.6/site-packages/virtinst/Guest.py", line 541, in start_install
    return self._do_install(consolecb, meter, removeOld, wait)
  File "/usr/lib/python2.6/site-packages/virtinst/Guest.py", line 633, in _do_install
    self.domain = self.conn.createLinux(install_xml, 0)
  File "/usr/lib64/python2.6/site-packages/libvirt.py", line 973, in createLinux
    if ret is None:raise libvirtError('virDomainCreateLinux() failed', conn=self)
libvirtError: internal error unable to start guest: char device redirected to /dev/pts/4
char device redirected to /dev/pts/5
Failed to stat runtime directory /root/.pulse/20fb31ff14a38c84bec651a5499d649b:runtime: Permission denied

'
Comment 1 Cole Robinson 2009-03-19 09:31:39 EDT
Can you attach /var/log/libvirt/qemu/{VMNAME}.log? Thanks.
Comment 2 Michal Nowak 2009-03-19 09:49:07 EDT
Created attachment 335848
First log

Not sure, which log is the right one. Sending all (4) from today's probes.
Comment 3 Michal Nowak 2009-03-19 09:49:43 EDT
Created attachment 335849
Second log
Comment 4 Michal Nowak 2009-03-19 09:50:38 EDT
Created attachment 335851
Third log
Comment 5 Michal Nowak 2009-03-19 09:51:07 EDT
Created attachment 335852
fourth log
Comment 6 Daniel Berrange 2009-03-19 10:01:19 EDT
What libvirt version have you got?
Comment 7 Michal Nowak 2009-03-19 10:15:04 EDT
libvirt-0.6.1-5.fc11.x86_64
Comment 8 Stefano Cavallari 2009-03-23 07:43:39 EDT
I had the same problem (same message).
setenforce 0 seems to solve it.
I've not time to understand exactly what is going on, but I was using an image not in /var/lib/libvirt/
Michal, try to build a virtual machine with NEW storage in the default path, and don't use ISOs but use a CD (for testing). You shouldn't get the error anymore.
If so, it's not a bug (but there should be a warning *inside* virt-manager about selinux and paths).
Comment 9 Michal Nowak 2009-03-23 08:37:53 EDT
As Stefano said, `setenforce 0' does the job for the moment; now I am able to get a VM connected to PXE, for example.

Start the wizard with `setenforce 1' -> hit "Finish", get the error from comment #0. Run `setenforce 0' -> hit "Finish", and you get this:

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/engine.py", line 272, in show_details
    details = vmmDetails(self.get_config(), con.get_vm(uuid), self)
  File "/usr/share/virt-manager/virtManager/details.py", line 337, in __init__
    self.update_widget_states(self.vm, self.vm.status())
  File "/usr/share/virt-manager/virtManager/details.py", line 783, in update_widget_states
    self.set_migrate_menu()
  File "/usr/share/virt-manager/virtManager/details.py", line 730, in set_migrate_menu
    self.engine.populate_migrate_menu(menu, self.control_vm_migrate)
  File "/usr/share/virt-manager/virtManager/engine.py", line 578, in populate_migrate_menu
    conns = self.get_available_migrate_hostnames()
  File "/usr/share/virt-manager/virtManager/engine.py", line 601, in get_available_migrate_hostnames
    driver = self.windowManager.current_connection().get_driver()
AttributeError: 'NoneType' object has no attribute 'get_driver'

But the VM is running quite fine in background.
Comment 10 Justin M. Forbes 2009-03-23 15:59:54 EDT
I am also reproducing this 100% of the time trying to install an F10 ISO guest into a current rawhide host. Will look into it more this evening.
Comment 11 Cole Robinson 2009-03-23 16:30:31 EDT
The traceback in comment #9 is a virt-manager bug, which I'll be fixing shortly.

The first two log files posted (Comment #2 and Comment #3) were hitting issues with qemu, pulseaudio, selinux, and libvirt. This is worked around in libvirt 0.6.1-5, unfortunately at the expense of having sound for your selinux protected VMs.

The log files in Comment #3 and Comment #4 are hitting selinux issues wrt booting off URLs. If running as a regular user, we currently don't have a selinux approved place to put fetched kernels. This wasn't a problem for most people in the past since we used ConsoleHelper to auth the whole app as root, allowing the user to put kernels into /var/lib/libvirt/boot. This won't fly anymore since we are solely using PolicyKit. We _need_ to get this working in some capacity before devel freeze though.

Comment #10 / jforbes, that is a similar (and long time known) selinux issue. My guess is the ISO is in your home directory or some other not deliberately allowed place. As a temporary workaround, you can move the iso to /var/lib/libvirt/images, then run

restorecon /var/lib/libvirt/images/your-iso.iso
Comment 12 Cole Robinson 2009-03-23 17:56:57 EDT
*** Bug 491709 has been marked as a duplicate of this bug. ***
Comment 13 Cole Robinson 2009-03-23 18:18:56 EDT
The NoneType traceback should be fixed in virt-manager-0.7.0-2.
Comment 14 Mark McLoughlin 2009-03-24 14:08:47 EDT
Okay, so to summarise:

  - virt-manager no longer runs as root

  - kernel/initrd images are downloaded to ~/.virtinst/boot

  - they are labelled as user_home_t rather than virt_image_t

  - qemu cannot access them

dwalsh: any ideas?
Comment 15 Mark McLoughlin 2009-03-24 14:09:39 EDT
Adding to F11VirtBlocker
Comment 16 Daniel Walsh 2009-03-24 15:44:05 EDT
Best option I think is to add a dbus service to virt-manager to allow it to do some things with privs.  So it could download these images and place them in /var/lib/libvirt/images.

We could set the label on ~/.virtinst to svirt_image_t and allow svirt to search the users homedir.

Currently homedir labeling for virt is set up as follows:

HOME_DIR/VirtualMachines(/.*)? 	gen_context(system_u:object_r:virt_image_t,s0)
HOME_DIR/VirtualMachines/isos(/.*)? 	gen_context(system_u:object_r:virt_content_t,s0)
HOME_DIR/.virtinst(/.*)? 	gen_context(system_u:object_r:virt_content_t,s0)

virt-manager should probably run restorecon when it creates these directories to make sure they get labeled correctly.

Labeling and svirt perms are in 

selinux-policy-3.6.10-2.fc11
Comment 17 Justin M. Forbes 2009-03-24 16:43:08 EDT
We might want to include instructions for setting labelling for virt somewhere on the virt wiki page as I am sure there are users who will want to place their virt images somewhere else.
Comment 18 Daniel Walsh 2009-03-25 09:13:07 EDT
Created attachment 336636
This patch will allow virt-manager.py to set the context on a file when it does an install

This patch does two things. It sets the context on the ISO image to something that svirt processes can read even if they are in the user's home directory or in /tmp.

It also fixes the context on the ~/.virtinst directory. The correct patch might have been to only run the restorecon on creation of the .virtinst dir, but if we want to clean up, this patch will always fix the context.
Comment 19 Daniel Berrange 2009-03-25 14:53:06 EDT
This looks like a reasonable patch to me. The only change I'd make is to wrap the first selinux call in a try / except block, so virt-manager doesn't have a hard dep on selinux modules.
Comment 20 Daniel Berrange 2009-04-03 13:18:13 EDT
After playing with this some more, I've decided this is better done in virtinst, so changing the patches a little.
Comment 21 Daniel Berrange 2009-04-03 13:23:19 EDT
Created attachment 338088
Fix context for kernel/initrd images

This patch ensures that $HOME/.virtinst/boot is set up with the correct SELinux context before downloading any initrd/kernel images.

This fix is being built into

 python-virtinst-0.400.3-3.fc11


Since this bug is just reporting problems with kernel/initrd installs, I will deal with CDROM / ISO patches in the separate bug 473154
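
The approach discussed in comments 16, 19 and 21, sketched as an added example (this is not the attached patch and not virtinst's own code): create the boot directory, compare its on-disk SELinux type with the one the loaded policy expects, and relabel before anything is downloaded. The names prepare_boot_dir and context_type and the status strings are hypothetical; the selinux module is imported optionally so there is no hard dependency on it.

```python
import os

try:
    import selinux  # libselinux bindings; optional (no hard dependency)
except ImportError:
    selinux = None


def context_type(context):
    """Return the type field of a 'user:role:type:level' context."""
    return context.split(":")[2]


def prepare_boot_dir(path, se=selinux):
    """Create the kernel/initrd download directory and fix its label.

    Returns (status, type_before, type_after). Hypothetical helper;
    `se` is injectable so the logic can be tested without SELinux.
    """
    os.makedirs(path, mode=0o750, exist_ok=True)
    if se is None or se.is_selinux_enabled() <= 0:
        return ("selinux-unavailable", None, None)
    try:
        # Type the loaded policy expects vs. the type on disk. Only the
        # type is compared: restorecon leaves the user field alone by default.
        wanted = context_type(se.matchpathcon(path, 0)[1])
        before = context_type(se.getfilecon(path)[1])
    except OSError:
        return ("no-label", None, None)
    if before == wanted:
        return ("ok", before, before)
    # Relabel before downloading: files created inside the directory
    # then inherit its type instead of keeping user_home_t.
    se.restorecon(path, recursive=True)
    after = context_type(se.getfilecon(path)[1])
    return ("relabeled" if after == wanted else "mismatch", before, after)


if __name__ == "__main__":
    # Path taken from the bug report.
    print(prepare_boot_dir(os.path.expanduser("~/.virtinst/boot")))
```

The result depends on the loaded policy: with a policy that has no rule for ~/.virtinst, matchpathcon returns the generic home-directory type and the function reports "ok" even though qemu still cannot read the files.
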
Comment 22 Mark McLoughlin 2009-04-20 12:13:54 EDT
Assuming this was actually fixed by the patch and closing

Please re-open if issues remain
