Hi,
My problem is as follows:
Trying to run virt-install against an image stored on a separately mounted disk
results in "could not open disk image /var/lib/libvirt/images/autowin32.qcow2:
Permission denied"
My mount point for /dev/sdb is /var/lib/libvirt/images. I mount with the
_exact_ same context that the directory has prior to mounting. (Also, don't
panic about the -t ocfs2; it's a local ocfs2, so there's no clustering or
network at play here. AFAIK it can be treated like ext4)
Pre-mount:
drwxr-xr-x. root root unconfined_u:object_r:virt_image_t:s0 images
Mount command:
mount /dev/sdb /var/lib/libvirt/images/ -t ocfs2 -o data=writeback,noatime,context="unconfined_u:object_r:virt_image_t:s0"
Post-mount:
drwxr-xr-x. root root unconfined_u:object_r:virt_image_t:s0 images
Image files pre and post mount as well:
Pre-mount (virt-install will work fine here):
qemu-img create -f qcow2 -o preallocation=metadata /var/lib/libvirt/images/autowin32.qcow2 10000m
-rw-r--r--. root root unconfined_u:object_r:virt_image_t:s0 autowin32.qcow2
Post-mount:
qemu-img create -f qcow2 -o preallocation=metadata /var/lib/libvirt/images/autowin32.qcow2 10000m
-rw-r--r--. root root unconfined_u:object_r:virt_image_t:s0 autowin32.qcow2
From the post-mount scenario, while trying to virt-install, I'll get:
qemu-kvm: -drive file=/var/lib/libvirt/images/autowin32.qcow2,if=none,id=drive-ide0-0-0,format=qcow2,cache=none: could not open disk image /var/lib/libvirt/images/autowin32.qcow2: Permission denied
Setting SELinux to permissive will allow this, but you'll still see various
avc-denies in the logs:
type=AVC msg=audit(1395279890.238:1020): avc: denied { read } for pid=4952 comm="qemu-kvm" name="autowin32.qcow2" dev=sdb ino=563715 scontext=system_u:system_r:svirt_t:s0:c195,c926 tcontext=system_u:object_r:virt_image_t:s0 tclass=file
type=AVC msg=audit(1395279890.238:1020): avc: denied { open } for pid=4952 comm="qemu-kvm" name="autowin32.qcow2" dev=sdb ino=563715 scontext=system_u:system_r:svirt_t:s0:c195,c926 tcontext=system_u:object_r:virt_image_t:s0 tclass=file
etc etc...
I've also tried manually adding labels with semanage and doing a restorecon on
the proper paths after mounting the 2nd drive, but those yielded the same error.
Does anyone have experience with a similar situation? Am I missing something
when setting the context of the second drive?
Relevant version:
libvirt-0.10.2-29.el6_5.5.x86_64
qemu-kvm-0.12.1.2-2.415.el6_5.6.x86_64
selinux-policy-3.7.19-231.el6.noarch
selinux-policy-targeted-3.7.19-231.el6.noarch
Thanks!
Wes
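
Added example, not part of the original message: a small Python parser run over the two AVC records quoted in the message (each on a single line), merging denials that belong to the same audit event and showing the source type, the target type, and whether the source's MCS categories cover the target's. The function names are hypothetical, and the context splitter assumes a single-level context such as s0:c195,c926.

```python
import re
from collections import defaultdict

# The two AVC records from the message, one record per line.
SAMPLE = """\
type=AVC msg=audit(1395279890.238:1020): avc: denied { read } for pid=4952 comm="qemu-kvm" name="autowin32.qcow2" dev=sdb ino=563715 scontext=system_u:system_r:svirt_t:s0:c195,c926 tcontext=system_u:object_r:virt_image_t:s0 tclass=file
type=AVC msg=audit(1395279890.238:1020): avc: denied { open } for pid=4952 comm="qemu-kvm" name="autowin32.qcow2" dev=sdb ino=563715 scontext=system_u:system_r:svirt_t:s0:c195,c926 tcontext=system_u:object_r:virt_image_t:s0 tclass=file
"""

AVC_RE = re.compile(r'msg=audit\((?P<event>[^)]+)\): avc:\s+denied\s+\{(?P<perms>[^}]*)\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_context(ctx):
    """Split user:role:type:level[:categories] into (type, level, category set).
    Assumes a single-level context, not a low-high range with categories on both sides."""
    parts = ctx.split(":", 4)
    cats = set()
    if len(parts) == 5:
        for item in parts[4].split(","):
            if "." in item:  # category range such as c0.c3
                lo, hi = (int(c[1:]) for c in item.split("."))
                cats.update(range(lo, hi + 1))
            else:
                cats.add(int(item[1:]))
    return parts[2], parts[3], cats

def summarize(log_text):
    """Merge AVC denials that share audit event, process, object, contexts and class."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(line[m.end():])}
        key = (m.group("event"), f["comm"], f["name"], f["scontext"], f["tcontext"], f["tclass"])
        merged[key].update(m.group("perms").split())
    out = []
    for (event, comm, name, sctx, tctx, tclass), perms in merged.items():
        stype, _, scats = split_context(sctx)
        ttype, _, tcats = split_context(tctx)
        out.append({"event": event, "comm": comm, "name": name, "tclass": tclass,
                    "perms": sorted(perms), "source_type": stype, "target_type": ttype,
                    # True when every category on the target is also held by the source
                    "source_covers_target_categories": tcats <= scats})
    return out

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

For the records above it reports one event with permissions open and read, source type svirt_t, target type virt_image_t, and a target context that carries no categories.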