If you create a qcow2 image with a backing file:

  $> qemu-img create -b f11-beta.qcow2 -f qcow2 f11-beta.snap1.qcow2

and configure a domain to use it:

  <disk type='file' device='disk'>
    <driver name='qemu' type='qcow2'/>
    <source file='/var/lib/libvirt/images/f11-beta.snap2.qcow2'/>
    <target dev='hda' bus='ide'/>
  </disk>

and start it:

  $> virsh start f11-beta
  error: Failed to start domain f11-beta
  error: internal error unable to start guest: qemu: could not open disk image /var/lib/libvirt/images/f11-beta.snap2.qcow2

  type=AVC msg=audit(1240410685.659:86): avc: denied { read } for pid=9537 comm="qemu-kvm" name="f11-beta.qcow2" dev=dm-0 ino=3466427 scontext=system_u:system_r:svirt_t:s0:c280,c287 tcontext=system_u:object_r:virt_image_t:s0 tclass=file

The problem is obvious - we're re-labelling the qcow2 image, but not its backing file.

Note, the backing file should be read-only for all guests which use a qcow2 image backed by it.
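To see which files have to carry a label the confined qemu process can read, the backing chain can be read straight from the qcow2 headers. The following is an added example, not part of the original report and not libvirt's code; the function names are hypothetical and the sample images are constructed header-only stubs.

```python
import os
import struct
import tempfile

QCOW_MAGIC = b"QFI\xfb"

def read_backing_file(path):
    """Return the backing file name stored in a qcow2 header, or None."""
    with open(path, "rb") as f:
        header = f.read(20)
        if len(header) < 20 or header[:4] != QCOW_MAGIC:
            return None  # not qcow2 (e.g. a raw base image): chain ends here
        # Big-endian: version(4) backing_file_offset(8) backing_file_size(4)
        _version, offset, size = struct.unpack(">IQI", header[4:20])
        if offset == 0 or size == 0:
            return None
        f.seek(offset)
        return f.read(size).decode("utf-8", "surrogateescape")

def backing_chain(path, max_depth=32):
    """List every file QEMU opens for `path`: top image first, then backing files."""
    chain, current = [], os.path.abspath(path)
    while current is not None:
        if current in chain or len(chain) >= max_depth:
            raise ValueError("backing chain loops or is too deep at " + current)
        chain.append(current)
        backing = read_backing_file(current)
        # A relative name is resolved against the directory of the referring image.
        current = None if backing is None else os.path.normpath(
            os.path.join(os.path.dirname(current), backing))
    return chain

def make_sample_image(path, backing=None):
    """Write a constructed, header-only qcow2 stub (no guest data) for the demo."""
    name = backing.encode() if backing else b""
    header = QCOW_MAGIC + struct.pack(">IQI", 2, 72 if name else 0, len(name))
    with open(path, "wb") as f:
        f.write(header.ljust(72, b"\0") + name)

def demo():
    with tempfile.TemporaryDirectory() as d:
        make_sample_image(os.path.join(d, "base.qcow2"))
        make_sample_image(os.path.join(d, "snap1.qcow2"), "base.qcow2")
        chain = backing_chain(os.path.join(d, "snap1.qcow2"))
        return [os.path.basename(p) for p in chain]

if __name__ == "__main__":
    print(demo())
```

Every path after the first in the returned list is a backing file; comparing `ls -Z` output for each against the guest's `svirt_t` context shows which one produces the AVC denial.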
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle. Changing version to '11'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
*** Bug 525362 has been marked as a duplicate of this bug. ***
Patches posted upstream for this: http://www.redhat.com/archives/libvir-list/2009-September/msg00740.html It's fairly invasive so, while I'll backport it to F12, I won't be backporting it to F11.
Okay, I've backported this to F-12 and will build it later today

* Thu Oct 1 2009 Mark McLoughlin <markmc> - 0.7.1-8
- Re-label qcow2 backing files (#497131)

Patch is http://gitorious.org/~markmc/libvirt/fedora/commit/5bb2da190b
This is in rawhide now