Re: Why is SELinux blocking virt-manager from reading my qcow2 file ?

2020-05-07 Thread Sreyan Chakravarty


On 5/8/20 12:45 AM, Samuel Sieb wrote:
> Ok, you didn't mention where you moved it to.  That is the correct
> location and the correct label, does it still cause errors?

No it works fine. Thanks, I did not know about the restorecon command.

--
Regards,
Sreyan
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org


Re: Why is SELinux blocking virt-manager from reading my qcow2 file ?

2020-05-07 Thread Samuel Sieb

On 5/7/20 12:06 PM, Sreyan Chakravarty wrote:
> On 5/7/20 11:52 PM, Samuel Sieb wrote:
>> It doesn't have the correct label, so run:
>> restorecon -v /var/lib/libvirt/images/Windows.10-disk001.qcow2
>
> This is the security context now:
>
> unconfined_u:object_r:svirt_home_t:s0 'Windows 10-disk001.qcow2'
>
> I am running the image from:
>
> /home/sreyan/.local/share/libvirt/images

Ok, you didn't mention where you moved it to.  That is the correct
location and the correct label, does it still cause errors?



Re: Why is SELinux blocking virt-manager from reading my qcow2 file ?

2020-05-07 Thread Sreyan Chakravarty


On 5/7/20 11:52 PM, Samuel Sieb wrote:
> It doesn't have the correct label, so run:
> restorecon -v /var/lib/libvirt/images/Windows.10-disk001.qcow2

This is the security context now:

unconfined_u:object_r:svirt_home_t:s0 'Windows 10-disk001.qcow2'

I am running the image from:

/home/sreyan/.local/share/libvirt/images

--
Regards,
Sreyan


Re: Why is SELinux blocking virt-manager from reading my qcow2 file ?

2020-05-07 Thread Samuel Sieb

On 5/7/20 5:21 AM, Sreyan Chakravarty wrote:
> Okay, it seems weird just keeps getting weirder.
>
> Double-clicking on the VM and then running the VM works fine. But
> hitting the power-on button from the main virt-manager screen results in
> a SELinux violation.
>
> I will never understand the idiosyncrasies of SELinux.

It doesn't have the correct label, so run:
restorecon -v /var/lib/libvirt/images/Windows.10-disk001.qcow2


Re: [SOLVED] Why is SELinux blocking virt-manager from reading my qcow2 file ?

2020-05-07 Thread Sreyan Chakravarty


On 5/7/20 6:16 PM, Ed Greshko wrote:
> OK, the file probably had the correct context when it was imported.

I have virt_content:

system_u:object_r:virt_content_t:s0 'Windows 10-disk001.qcow2'

Don't know the difference.

--
Regards,
Sreyan


Re: [SOLVED] Why is SELinux blocking virt-manager from reading my qcow2 file ?

2020-05-07 Thread Ed Greshko
On 2020-05-07 20:35, Sreyan Chakravarty wrote:
>
> On 5/7/20 6:01 PM, Ed Greshko wrote:
>> I would copy that file to the standard location.  If you mv it you'll need
>> an additional step to change the context.
>
> I did use mv and it works fine. Don't know if that is a problem. Once again, 
> thanks for taking the time to set me straight.
>

OK, the file probably had the correct context when it was imported.

[root@meimei images]# ls -Z F31G.qcow2
system_u:object_r:virt_image_t:s0 F31G.qcow2

is an example of what it should be.

-- 
The key to getting good answers is to ask good questions.


[SOLVED] Why is SELinux blocking virt-manager from reading my qcow2 file ?

2020-05-07 Thread Sreyan Chakravarty


On 5/7/20 6:01 PM, Ed Greshko wrote:
> I would copy that file to the standard location.  If you mv it you'll need
> an additional step to change the context.

I did use mv and it works fine. Don't know if that is a problem. Once
again, thanks for taking the time to set me straight.


--
Regards,
Sreyan


Re: Why is SELinux blocking virt-manager from reading my qcow2 file ?

2020-05-07 Thread Ed Greshko
On 2020-05-07 20:22, Sreyan Chakravarty wrote:
> Do I have to redefine the VM again ? If not I can move the image there.
>
> On 5/7/20 5:50 PM, Ed Greshko wrote:
>> Any reason for not placing it in the standard area?  /var/lib/libvirt/images
>

I would copy that file to the standard location.  If you mv it you'll need
an additional step to change the context.

Then, use

sudo virsh edit (name of VM)

and change the location of the file defined in the devices section.



-- 
The key to getting good answers is to ask good questions.


Re: Why is SELinux blocking virt-manager from reading my qcow2 file ?

2020-05-07 Thread Sreyan Chakravarty

Do I have to redefine the VM again ? If not I can move the image there.

On 5/7/20 5:50 PM, Ed Greshko wrote:
> Any reason for not placing it in the standard area?  /var/lib/libvirt/images


--
Regards,
Sreyan


Re: Why is SELinux blocking virt-manager from reading my qcow2 file ?

2020-05-07 Thread Sreyan Chakravarty

Okay, it seems weird just keeps getting weirder.

Double-clicking on the VM and then running the VM works fine. But 
hitting the power-on button from the main virt-manager screen results in 
a SELinux violation.


I will never understand the idiosyncrasies of SELinux.

--
Regards,
Sreyan


Re: Why is SELinux blocking virt-manager from reading my qcow2 file ?

2020-05-07 Thread Ed Greshko
On 2020-05-07 20:11, Sreyan Chakravarty wrote:
> I have a file for a Windows 10 VM in my home folder under a folder called 
> virt-manager:
>
> /home/sreyan/virt-manager/Windows 10-disk001.qcow2
>
> When I try to switch on the VM from virt-manager it fails with:
>
>
> SELinux is preventing worker from read access on the file 
> /home/sreyan/virt-manager/Windows 10-disk001.qcow2.

Because you are placing the file in a "non-standard" area which doesn't conform
to the selinux policy for that application.

If you want to use that directory you need to create a local policy as
described.

Any reason for not placing it in the standard area?  /var/lib/libvirt/images

-- 
The key to getting good answers is to ask good questions.


Why is SELinux blocking virt-manager from reading my qcow2 file ?

2020-05-07 Thread Sreyan Chakravarty
I have a file for a Windows 10 VM in my home folder under a folder 
called virt-manager:


/home/sreyan/virt-manager/Windows 10-disk001.qcow2

When I try to switch on the VM from virt-manager it fails with:


SELinux is preventing worker from read access on the file /home/sreyan/virt-manager/Windows 10-disk001.qcow2.

*  Plugin qemu_file_image (91.4 confidence) suggests ***

If Windows 10-disk001.qcow2 is a virtualization target
Then you need to change the label on Windows 10-disk001.qcow2'
Do
# semanage fcontext -a -t virt_image_t '/home/sreyan/virt-manager/Windows.10-disk001.qcow2'
# restorecon -v '/home/sreyan/virt-manager/Windows.10-disk001.qcow2'

*  Plugin catchall (9.59 confidence) suggests **

If you believe that worker should be allowed read access on the Windows 10-disk001.qcow2 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'worker' --raw | audit2allow -M my-worker
# semodule -X 300 -i my-worker.pp

Additional Information:
Source Context        unconfined_u:unconfined_r:svirt_t:s0:c239,c999
Target Context        system_u:object_r:svirt_image_t:s0:c276,c718
Target Objects        /home/sreyan/virt-manager/Windows 10-disk001.qcow2 [ file ]
Source                worker
Source Path           worker
Port
Host                  localhost.HPNotebook
Source RPM Packages
Target RPM Packages
SELinux Policy RPM    selinux-policy-3.14.4-50.fc31.noarch
Local Policy RPM      selinux-policy-targeted-3.14.4-50.fc31.noarch
Selinux Enabled       True
Policy Type           targeted
Enforcing Mode        Enforcing
Host Name             localhost.HPNotebook
Platform              Linux localhost.HPNotebook 5.5.15-200.fc31.x86_64 #1 SMP Thu Apr 2 19:16:17 UTC 2020 x86_64 x86_64
Alert Count           3
First Seen            2020-05-07 17:34:50 IST
Last Seen             2020-05-07 17:34:50 IST
Local ID              74764396-5a32-4477-9eea-5e643d89c270

Raw Audit Messages
type=AVC msg=audit(1588853090.475:1605): avc:  denied  { read } for  pid=29914 comm="worker" path=2F686F6D652F73726579616E2F766972742D6D616E616765722F57696E646F77732031302D6469736B3030312E71636F7732 dev="dm-2" ino=6684679 scontext=unconfined_u:unconfined_r:svirt_t:s0:c239,c999 tcontext=system_u:object_r:svirt_image_t:s0:c276,c718 tclass=file permissive=0

Hash: worker,svirt_t,svirt_image_t,file,read


Should I just BLINDLY run the commands specified ? I don't want to be 
making exceptions that I don't understand fully.



Now what is strange is that it was working fine 2 days back. During that 
time I have not done any changes. No updates or whatever.


So why is this happening all of a sudden?

And why the hell is SELinux blocking a file in my /home ? It should be 
totally safe, why would anyone think this is suspicious ?


--
Regards,
Sreyan
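
An added example, not part of the thread or any poster's code: it parses the raw AVC record quoted in the message above, decodes the hex-encoded path (audit hex-encodes the value because the file name contains a space), and compares the MCS categories of the source and target contexts. The function names are illustrative, and the category check assumes single-level contexts like the ones in the record.

```python
import re

# Raw AVC record from the original post, with the e-mail line wraps joined.
AVC = (
    'type=AVC msg=audit(1588853090.475:1605): avc:  denied  { read } for  '
    'pid=29914 comm="worker" '
    'path=2F686F6D652F73726579616E2F766972742D6D616E616765722F57696E646F77732031302D6469736B3030312E71636F7732 '
    'dev="dm-2" ino=6684679 '
    'scontext=unconfined_u:unconfined_r:svirt_t:s0:c239,c999 '
    'tcontext=system_u:object_r:svirt_image_t:s0:c276,c718 tclass=file '
    'permissive=0'
)

def decode_path(raw):
    """Quoted audit strings are literal; unquoted ones are hex-encoded."""
    if raw.startswith('"'):
        return raw.strip('"')
    if re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', raw):
        return bytes.fromhex(raw).decode('utf-8', 'replace')
    return raw

def parse_context(ctx):
    """Return (type, category set) from user:role:type:sensitivity[:cats]."""
    _user, _role, setype, level = ctx.split(':', 3)
    _sens, _, cats = level.partition(':')
    categories = set()
    for part in filter(None, cats.split(',')):
        lo, _, hi = part.partition('.')        # "c0.c3" denotes a range
        first = int(lo[1:])
        last = int(hi[1:]) if hi else first
        categories.update(range(first, last + 1))
    return setype, categories

def explain(record):
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', record))
    perms = re.search(r'\{ ([^}]+) \}', record).group(1).split()
    src_type, src_cats = parse_context(fields['scontext'])
    tgt_type, tgt_cats = parse_context(fields['tcontext'])
    return {
        'path': decode_path(fields['path']),
        'perms': perms,
        'source_type': src_type,
        'target_type': tgt_type,
        # MCS: the source's category set must contain all of the target's.
        'mcs_dominates': src_cats >= tgt_cats,
    }

if __name__ == '__main__':
    for key, value in explain(AVC).items():
        print(f'{key}: {value}')
```

In this record the process runs with categories c239,c999 while the file carries c276,c718, so the source does not dominate the target; a label with no categories, such as the `svirt_home_t:s0` one shown later in the thread, yields an empty set.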