Re: [libvirt] /var/lib/libvirt/qemu permissions are wrong

On Thu, Jan 09, 2014 at 02:12:20PM -0200, Marcelo Cerri wrote: [This is a copy of the comment I added to that bug] libvirt currently creates the monitor sockets directly in /var/lib/libvirt/qemu/ eg: $ sudo ls -l /var/lib/libvirt/qemu/ total 16 srwxr-xr-x. 1 qemu qemu 0 Jan 6 16:00 builder-rhel6.monitor srwxr-xr-x. 1 qemu qemu 0 Dec 20 22:04 builder-rhel7.monitor [etc] The problem is this doesn't work if we told libvirt to run qemu as another UID, which is possible (albeit undocumented): <seclabel model='dac' type='static'> <label>user:group</label> </seclabel> If you do that you'll find that qemu won't be able to access the monitor socket in some situations. To fix this, libvirt should create a subdirectory per guest. The permissions on /var/lib/libvirt/qemu/ should be relaxed, and the owner or SELinux label of /var/lib/libvirt/qemu/<guestname> should be set so qemu can access it. (I suspect the monitor sockets should really go in /run, but the same arguments apply) Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones virt-p2v converts physical machines to virtual machines. Boot with a live CD or over the network (PXE) and turn machines into KVM guests. http://libguestfs.org/virt-v2v