On 01/17/2017 04:28 PM, Marc Hartmayer wrote:
On Tue, Jan 17, 2017 at 03:28 PM +0100, Michal Privoznik <mprivozn@redhat.com> wrote:
[Dropping libvirt-announce]
On 01/17/2017 02:51 PM, Boris Fiuczynski wrote:
On 01/17/2017 02:21 PM, Michal Privoznik wrote:
<target bus="scsi" dev="sda" /> </disk> </xml_snippet>
With v2.5.0 everything has worked. I'll take a closer look to it today.
You can try and see if this is a namespace caused issue. Just disable the namespaces and retry. If it succeeds with namespaces disabled, the bug indeed is in my namespaces patches.
btw: to disable namespaces set: namespaces=[] in /etc/libvirt/qemu.conf
Michal
With disabled namespaces the problem does NOT occur.
Okay, can you share the debug logs then please? Both daemon and domain logs.
Michal
Yes - I'll send you also the important part of audit.log (with SELINUX permissive).
Evaluation with some combinations (0 = no, 1 = yes):
| namespace enabled | SELinux enabled | works | |-------------------|-----------------|-------| | 0 | 0 | 1 | | 0 | 1 | 1 | | 1 | 0 | 1 | | 1 | 1 | 0 |
Yeah, I've just managed to reproduce this issue in my environment. And something interesting is happening here: # grep avc /var/log/audit/audit.log type=AVC msg=audit(1484667144.960:323): avc: denied { open } for pid=32367 comm="qemu-kvm" path="/tmp/disk1.qcow2" dev="vda2" ino=17080167 scontext=system_u:system_r:svirt_tcg_t:s0:c551,c756 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file (I've simplified the disk path in my testing compared to your XML). Although, if I disable namespaces I'm still unable to attach the disk. I mean the SELinux is still denying the operation. Michal