Re: Why is SELinux blocking virt-manager from reading my qcow2 file ?
On 5/8/20 12:45 AM, Samuel Sieb wrote:
> Ok, you didn't mention where you moved it to. That is the correct location and the correct label, does it still cause errors?

No it works fine. Thanks, I did not know about the restorecon command.

--
Regards,
Sreyan
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Re: Why is SELinux blocking virt-manager from reading my qcow2 file ?
On 5/7/20 12:06 PM, Sreyan Chakravarty wrote:
> On 5/7/20 11:52 PM, Samuel Sieb wrote:
>> It doesn't have the correct label, so run:
>> restorecon -v /var/lib/libvirt/images/Windows.10-disk001.qcow2
>
> This is the security context now:
>
> unconfined_u:object_r:svirt_home_t:s0 'Windows 10-disk001.qcow2'
>
> I am running the image from:
>
> /home/sreyan/.local/share/libvirt/images

Ok, you didn't mention where you moved it to. That is the correct location and the correct label, does it still cause errors?
Re: Why is SELinux blocking virt-manager from reading my qcow2 file ?
On 5/7/20 11:52 PM, Samuel Sieb wrote:
> It doesn't have the correct label, so run:
> restorecon -v /var/lib/libvirt/images/Windows.10-disk001.qcow2

This is the security context now:

unconfined_u:object_r:svirt_home_t:s0 'Windows 10-disk001.qcow2'

I am running the image from:

/home/sreyan/.local/share/libvirt/images

--
Regards,
Sreyan
Re: Why is SELinux blocking virt-manager from reading my qcow2 file ?
On 5/7/20 5:21 AM, Sreyan Chakravarty wrote:
> Okay, it seems weird just keeps getting weirder.
>
> Double-clicking on the VM and then running the VM works fine.
>
> But hitting the power-on button from the main virt-manager screen results in a SELinux violation.
>
> I will never understand the idiosyncrasies of SELinux.

It doesn't have the correct label, so run:
restorecon -v /var/lib/libvirt/images/Windows.10-disk001.qcow2
Re: [SOLVED] Why is SELinux blocking virt-manager from reading my qcow2 file ?
On 5/7/20 6:16 PM, Ed Greshko wrote:
> OK, the file probably had the correct context when it was imported.

I have virt_content:

system_u:object_r:virt_content_t:s0 'Windows 10-disk001.qcow2'

Don't know the difference.

--
Regards,
Sreyan
Re: [SOLVED] Why is SELinux blocking virt-manager from reading my qcow2 file ?
On 2020-05-07 20:35, Sreyan Chakravarty wrote:
>
> On 5/7/20 6:01 PM, Ed Greshko wrote:
>> I would copy that file to the standard location. If you mv it you'll need
>> an additional step to change the context.
>
> I did use mv and it works fine. Don't know if that is a problem. Once again,
> thanks for taking the time to set me straight.
>

OK, the file probably had the correct context when it was imported.

[root@meimei images]# ls -Z F31G.qcow2
system_u:object_r:virt_image_t:s0 F31G.qcow2

is an example of what it should be.

--
The key to getting good answers is to ask good questions.
[SOLVED] Why is SELinux blocking virt-manager from reading my qcow2 file ?
On 5/7/20 6:01 PM, Ed Greshko wrote:
> I would copy that file to the standard location. If you mv it you'll need an additional step to change the context.

I did use mv and it works fine. Don't know if that is a problem. Once again, thanks for taking the time to set me straight.

--
Regards,
Sreyan
Re: Why is SELinux blocking virt-manager from reading my qcow2 file ?
On 2020-05-07 20:22, Sreyan Chakravarty wrote:
> Do I have to redefine the VM again ? If not I can move the image there.
>
> On 5/7/20 5:50 PM, Ed Greshko wrote:
>> Any reason for not placing it in the standard area? /var/lib/libvirt/images
>

I would copy that file to the standard location. If you mv it you'll need an additional step to change the context.

Then, use sudo virsh edit (name of VM) and change the location of the file defined in the devices section.

--
The key to getting good answers is to ask good questions.
Re: Why is SELinux blocking virt-manager from reading my qcow2 file ?
Do I have to redefine the VM again ? If not I can move the image there.

On 5/7/20 5:50 PM, Ed Greshko wrote:
> Any reason for not placing it in the standard area? /var/lib/libvirt/images

--
Regards,
Sreyan
Re: Why is SELinux blocking virt-manager from reading my qcow2 file ?
Okay, it seems weird just keeps getting weirder.

Double-clicking on the VM and then running the VM works fine.

But hitting the power-on button from the main virt-manager screen results in a SELinux violation.

I will never understand the idiosyncrasies of SELinux.

On 5/7/20 5:41 PM, Sreyan Chakravarty wrote:
> I have a file for a Windows 10 VM in my home folder under a folder called virt-manager:
>
> /home/sreyan/virt-manager/Windows 10-disk001.qcow2
>
> When I try to switch on the VM from virt-manager it fails with:
>
> SELinux is preventing worker from read access on the file /home/sreyan/virt-manager/Windows 10-disk001.qcow2.
>
> * Plugin qemu_file_image (91.4 confidence) suggests ***
>
> If Windows 10-disk001.qcow2 is a virtualization target
> Then you need to change the label on Windows 10-disk001.qcow2'
> Do
> # semanage fcontext -a -t virt_image_t '/home/sreyan/virt-manager/Windows.10-disk001.qcow2'
> # restorecon -v '/home/sreyan/virt-manager/Windows.10-disk001.qcow2'
>
> * Plugin catchall (9.59 confidence) suggests **
>
> If you believe that worker should be allowed read access on the Windows 10-disk001.qcow2 file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # ausearch -c 'worker' --raw | audit2allow -M my-worker
> # semodule -X 300 -i my-worker.pp
>
> Additional Information:
> Source Context        unconfined_u:unconfined_r:svirt_t:s0:c239,c999
> Target Context        system_u:object_r:svirt_image_t:s0:c276,c718
> Target Objects        /home/sreyan/virt-manager/Windows 10-disk001.qcow2 [ file ]
> Source                worker
> Source Path           worker
> Port
> Host                  localhost.HPNotebook
> Source RPM Packages
> Target RPM Packages
> SELinux Policy RPM    selinux-policy-3.14.4-50.fc31.noarch
> Local Policy RPM      selinux-policy-targeted-3.14.4-50.fc31.noarch
> Selinux Enabled       True
> Policy Type           targeted
> Enforcing Mode        Enforcing
> Host Name             localhost.HPNotebook
> Platform              Linux localhost.HPNotebook 5.5.15-200.fc31.x86_64 #1 SMP Thu Apr 2 19:16:17 UTC 2020 x86_64 x86_64
> Alert Count           3
> First Seen            2020-05-07 17:34:50 IST
> Last Seen             2020-05-07 17:34:50 IST
> Local ID              74764396-5a32-4477-9eea-5e643d89c270
>
> Raw Audit Messages
> type=AVC msg=audit(1588853090.475:1605): avc: denied { read } for pid=29914 comm="worker" path=2F686F6D652F73726579616E2F766972742D6D616E616765722F57696E646F77732031302D6469736B3030312E71636F7732 dev="dm-2" ino=6684679 scontext=unconfined_u:unconfined_r:svirt_t:s0:c239,c999 tcontext=system_u:object_r:svirt_image_t:s0:c276,c718 tclass=file permissive=0
>
> Hash: worker,svirt_t,svirt_image_t,file,read
>
> Should I just BLINDLY run the commands specified ? I don't want to be making exceptions that I don't understand fully.
>
> Now what is strange is that it was working fine 2 days back. During that time I have not done any changes. No updates or whatever.
>
> So why is this happening all of the sudden?
>
> And why the hell is SELinux blocking a file in my /home ? It should be totally safe, why would anyone think this is suspicious ?

--
Regards,
Sreyan
Re: Why is SELinux blocking virt-manager from reading my qcow2 file ?
On 2020-05-07 20:11, Sreyan Chakravarty wrote:
> I have a file for a Windows 10 VM in my home folder under a folder called
> virt-manager:
>
> /home/sreyan/virt-manager/Windows 10-disk001.qcow2
>
> When I try to switch on the VM from virt-manager it fails with:
>
>
> SELinux is preventing worker from read access on the file
> /home/sreyan/virt-manager/Windows 10-disk001.qcow2.

Because you are placing the file in a "non-standard" area which doesn't conform to the selinux policy for that application. If you want to use that directory you need to create a local policy as described.

Any reason for not placing it in the standard area? /var/lib/libvirt/images

--
The key to getting good answers is to ask good questions.
Why is SELinux blocking virt-manager from reading my qcow2 file ?
I have a file for a Windows 10 VM in my home folder under a folder called virt-manager:

/home/sreyan/virt-manager/Windows 10-disk001.qcow2

When I try to switch on the VM from virt-manager it fails with:

SELinux is preventing worker from read access on the file /home/sreyan/virt-manager/Windows 10-disk001.qcow2.

* Plugin qemu_file_image (91.4 confidence) suggests ***

If Windows 10-disk001.qcow2 is a virtualization target
Then you need to change the label on Windows 10-disk001.qcow2'
Do
# semanage fcontext -a -t virt_image_t '/home/sreyan/virt-manager/Windows.10-disk001.qcow2'
# restorecon -v '/home/sreyan/virt-manager/Windows.10-disk001.qcow2'

* Plugin catchall (9.59 confidence) suggests **

If you believe that worker should be allowed read access on the Windows 10-disk001.qcow2 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'worker' --raw | audit2allow -M my-worker
# semodule -X 300 -i my-worker.pp

Additional Information:
Source Context        unconfined_u:unconfined_r:svirt_t:s0:c239,c999
Target Context        system_u:object_r:svirt_image_t:s0:c276,c718
Target Objects        /home/sreyan/virt-manager/Windows 10-disk001.qcow2 [ file ]
Source                worker
Source Path           worker
Port
Host                  localhost.HPNotebook
Source RPM Packages
Target RPM Packages
SELinux Policy RPM    selinux-policy-3.14.4-50.fc31.noarch
Local Policy RPM      selinux-policy-targeted-3.14.4-50.fc31.noarch
Selinux Enabled       True
Policy Type           targeted
Enforcing Mode        Enforcing
Host Name             localhost.HPNotebook
Platform              Linux localhost.HPNotebook 5.5.15-200.fc31.x86_64 #1 SMP Thu Apr 2 19:16:17 UTC 2020 x86_64 x86_64
Alert Count           3
First Seen            2020-05-07 17:34:50 IST
Last Seen             2020-05-07 17:34:50 IST
Local ID              74764396-5a32-4477-9eea-5e643d89c270

Raw Audit Messages
type=AVC msg=audit(1588853090.475:1605): avc: denied { read } for pid=29914 comm="worker" path=2F686F6D652F73726579616E2F766972742D6D616E616765722F57696E646F77732031302D6469736B3030312E71636F7732 dev="dm-2" ino=6684679 scontext=unconfined_u:unconfined_r:svirt_t:s0:c239,c999 tcontext=system_u:object_r:svirt_image_t:s0:c276,c718 tclass=file permissive=0

Hash: worker,svirt_t,svirt_image_t,file,read

Should I just BLINDLY run the commands specified ? I don't want to be making exceptions that I don't understand fully.

Now what is strange is that it was working fine 2 days back. During that time I have not done any changes. No updates or whatever.

So why is this happening all of the sudden?

And why the hell is SELinux blocking a file in my /home ? It should be totally safe, why would anyone think this is suspicious ?

--
Regards,
Sreyan
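An added example, not part of any post in this thread: a Python sketch that parses the raw AVC record quoted in the message above, decodes its hex-encoded `path=` field (audit hex-encodes strings that contain spaces), and compares the source and target contexts. The function names are hypothetical, and the category comparison is a simplified subset test that assumes single-level contexts rather than level ranges.

```python
import re

# AVC record copied from the original post (wrapped here for readability).
AVC = (
    'type=AVC msg=audit(1588853090.475:1605): avc: denied { read } for pid=29914 '
    'comm="worker" path=2F686F6D652F73726579616E2F766972742D6D616E616765722F'
    '57696E646F77732031302D6469736B3030312E71636F7732 dev="dm-2" ino=6684679 '
    'scontext=unconfined_u:unconfined_r:svirt_t:s0:c239,c999 '
    'tcontext=system_u:object_r:svirt_image_t:s0:c276,c718 tclass=file permissive=0'
)
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX_FIELDS = {'path', 'name', 'comm', 'exe'}  # strings the kernel may hex-encode

def parse_avc(line):
    """Split an AVC record into a dict; unquoted all-hex strings are decoded."""
    rec = {'perms': re.search(r'\{([^}]*)\}', line).group(1).split()}
    for key, quoted, bare in FIELD.findall(line):
        value = quoted or bare
        if bare and key in HEX_FIELDS and re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', bare):
            value = bytes.fromhex(bare).decode('utf-8', 'replace')
        rec[key] = value
    return rec

def parse_context(ctx):
    """user:role:type:sensitivity[:categories]; assumes a single level, not a range."""
    user, role, type_, level = ctx.split(':', 3)
    sens, _, cats = level.partition(':')
    expanded = set()
    for part in filter(None, cats.split(',')):
        lo, _, hi = part.partition('.')          # "c0.c3" is the range c0..c3
        expanded.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return {'user': user, 'role': role, 'type': type_, 'sens': sens, 'cats': expanded}

def diagnose(line):
    """Summarise who was denied what, and whether the MCS categories line up."""
    rec = parse_avc(line)
    src, tgt = parse_context(rec['scontext']), parse_context(rec['tcontext'])
    return {
        'path': rec.get('path'),
        'perms': rec['perms'],
        'source_type': src['type'],
        'target_type': tgt['type'],
        # Simplified MCS test: the process must hold every category on the file.
        'categories_match': tgt['cats'] <= src['cats'],
        'missing_categories': sorted(tgt['cats'] - src['cats']),
    }

if __name__ == '__main__':
    print(diagnose(AVC))
```

For this record the summary shows `svirt_t` denied `read` on an `svirt_image_t` file whose categories c276 and c718 are not among the process's c239 and c999.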