[libvirt-users] libvirt, selinux, moving images to ~/images does not work

Hi!

I am trying libvirt on POWERPC64 with the default settings such as selinux enabled. It is all good till I move images out of /var/lib/libvirt/images/.

http://libvirt.org/drvqemu.html#securityselinux is saying that "If attempting to use disk images in another location, the user/administrator must ensure the directory has been given this requisite label. Likewise physical block devices must be labelled system_u:object_r:virt_image_t.".

So did I:

[root@vpl2 ~]# ls -dlZ /home/aik/virtimg /var/lib/libvirt/images
drwxr-xr-x. root root system_u:object_r:virt_image_t:s0 /home/aik/virtimg
drwxr-xr-x. root root system_u:object_r:virt_image_t:s0 /var/lib/libvirt/images

[root@vpl2 ~]# ls -lZ /home/aik/virtimg /var/lib/libvirt/images
/home/aik/virtimg:
-rwxrwxrwx. root root system_u:object_r:virt_content_t:s0 Fedora-18-ppc64-DVD.iso

/var/lib/libvirt/images:
-rwxrwxrwx. root root system_u:object_r:virt_image_t:s0 fc18guest

However "virsh -c qemu:///system create libvirtguest-aik.xml" fails with "avc: denied { dac_override }" and "avc: denied { dac_read_search }". Also, there is "user system_u is not defined" in /var/log/messages, which is confusing as "semanage user -l" says it is there.

If I simply move Fedora-18-ppc64-DVD.iso to /var/lib/libvirt/images, the problem goes away and everything works fine.

I am running a custom-built 3.8 kernel and libvirt from git ("eebbb23 qemu: support URI syntax for NBD").

More detailed output is below; this is all from the host system.

What do I miss? Thank you.

[root@vpl2 ~]# tail /var/log/messages
Apr 8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.sepol_context_to_sid: could not convert system_u:system_r:svirt_t:s0:c263,c837 to sid
Apr 8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.context_from_record: user system_u is not defined
Apr 8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.context_from_record: could not create context structure
Apr 8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.context_from_string: could not create context structure
Apr 8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.sepol_context_to_sid: could not convert system_u:system_r:svirt_t:s0:c263,c837 to sid
Apr 8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.context_from_record: user system_u is not defined
Apr 8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.context_from_record: could not create context structure
Apr 8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.context_from_string: could not create context structure
Apr 8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.sepol_context_to_sid: could not convert system_u:system_r:svirt_t:s0:c263,c837 to sid
Apr 8 16:47:48 vpl2 libvirtd[5041]: failed to connect to monitor socket: No such process

[root@vpl2 ~]# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

git_shell_u     user       s0         s0                             git_shell_r
guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
xguest_u        user       s0         s0                             xguest_r

[root@vpl2 ~]# tail /var/log/audit/audit.log
type=NETFILTER_CFG msg=audit(1365403596.177:4507): table=nat family=2 entries=60
type=NETFILTER_CFG msg=audit(1365403596.177:4508): table=nat family=2 entries=61
type=AVC msg=audit(1365403606.017:4509): avc: denied { dac_override } for pid=8944 comm="qemu-system-ppc" capability=1 scontext=system_u:system_r:svirt_t:s0:c574,c809 tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability
type=AVC msg=audit(1365403606.017:4510): avc: denied { dac_read_search } for pid=8944 comm="qemu-system-ppc" capability=2 scontext=system_u:system_r:svirt_t:s0:c574,c809 tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability
type=AVC msg=audit(1365403606.017:4511): avc: denied { dac_override } for pid=8944 comm="qemu-system-ppc" capability=1 scontext=system_u:system_r:svirt_t:s0:c574,c809 tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability
type=AVC msg=audit(1365403606.017:4512): avc: denied { dac_read_search } for pid=8944 comm="qemu-system-ppc" capability=2 scontext=system_u:system_r:svirt_t:s0:c574,c809 tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability
type=AVC msg=audit(1365403606.017:4513): avc: denied { dac_override } for pid=8944 comm="qemu-system-ppc" capability=1 scontext=system_u:system_r:svirt_t:s0:c574,c809 tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability
type=AVC msg=audit(1365403606.017:4514): avc: denied { dac_read_search } for pid=8944 comm="qemu-system-ppc" capability=2 scontext=system_u:system_r:svirt_t:s0:c574,c809 tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability
type=AVC msg=audit(1365403606.017:4515): avc: denied { dac_override } for pid=8944 comm="qemu-system-ppc" capability=1 scontext=system_u:system_r:svirt_t:s0:c574,c809 tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability
type=AVC msg=audit(1365403606.017:4516): avc: denied { dac_read_search } for pid=8944 comm="qemu-system-ppc" capability=2 scontext=system_u:system_r:svirt_t:s0:c574,c809 tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability

[root@vpl2 ~]# libvirtd --version
libvirtd (libvirt) 1.0.3

[root@vpl2 ~]# yum info policycoreutils
[...]
Arch        : ppc64
Version     : 2.1.13
Release     : 59.fc18
Size        : 3.8 M

[root@vpl2 ~]# cat /etc/fedora-release
Fedora release 18 (Spherical Cow)

[root@vpl2 ~]# uname -a
Linux vpl2.ozlabs.ibm.com 3.8.0-kvm-64k-aik+ #376 SMP Mon Apr 8 14:40:40 EST 2013 ppc64 ppc64 ppc64 GNU/Linux

[aik@vpl2 ~]$ cat libvirtguest-aik.xml
<domain type='kvm'>
  <name>AikLibvirtTest</name>
  <memory>2097152</memory>
  <vcpu>2</vcpu>
  <os>
    <type arch='ppc64' machine='pseries'>hvm</type>
    <boot dev='cdrom'/>
    <boot dev='hd'/>
  </os>
  <clock offset='utc'/>
  <devices>
    <emulator>/usr/local/bin/qemu-system-ppc64</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw'/>
      <source file='/var/lib/libvirt/images/fc18guest'/>
      <target dev='sda' bus='scsi'/>
    </disk>
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <source file='/home/aik/virtimg/Fedora-18-ppc64-DVD.iso'/>
      <target dev='sdc' bus='scsi'/>
      <readonly/>
    </disk>
    <serial type='pty'>
      <target port='0'/>
    </serial>
    <console type='pty'>
      <target type='serial' port='0'/>
    </console>
    <memballoon model='virtio'/>
  </devices>
</domain>

-- 
Alexey
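The audit records above are the key to this thread, so here is an added Python example (not code from the post, from libvirt or from the SELinux tools) that parses AVC records and tells the two failure modes apart. A denial on tclass=capability for dac_override or dac_read_search means the Unix mode bits have already refused the confined process and it asked the kernel to override them, which svirt_t is not allowed to do; the fix is ownership, mode or an ACL on the path, not a relabel. A denial on a file or directory class, by contrast, points at the label of the target. The two AVC lines are the ones from the post; the tclass=file record is constructed to show the other branch.

```python
import re
from collections import Counter

# AVC records from the post's audit.log tail (one NETFILTER_CFG line kept to
# show that non-AVC records are skipped).
SAMPLE_AUDIT_LOG = """\
type=NETFILTER_CFG msg=audit(1365403596.177:4507): table=nat family=2 entries=60
type=AVC msg=audit(1365403606.017:4509): avc: denied { dac_override } for pid=8944 comm="qemu-system-ppc" capability=1 scontext=system_u:system_r:svirt_t:s0:c574,c809 tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability
type=AVC msg=audit(1365403606.017:4510): avc: denied { dac_read_search } for pid=8944 comm="qemu-system-ppc" capability=2 scontext=system_u:system_r:svirt_t:s0:c574,c809 tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability
"""

# Constructed record (NOT from the post): what a real labelling problem looks
# like, i.e. the target is a file whose type svirt_t may not read.
CONSTRUCTED_LABEL_DENIAL = (
    'type=AVC msg=audit(1365403606.017:4520): avc: denied { read } for pid=8944 '
    'comm="qemu-system-ppc" name="disk.img" dev="dm-0" ino=12345 '
    'scontext=system_u:system_r:svirt_t:s0:c574,c809 '
    'tcontext=system_u:object_r:user_home_t:s0 tclass=file'
)

# Real audit logs use double spaces around "denied" and the braces; " +" copes
# with both that and the collapsed spacing seen on the web archive.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc: +(?P<verdict>denied|granted) +\{ (?P<perms>[^}]+)\} +for +(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
DAC_CAPS = {"dac_override", "dac_read_search"}


def ctx_type(context):
    """user:role:type:level -> type (third field), or None if malformed."""
    parts = (context or "").split(":")
    return parts[2] if len(parts) > 2 else None


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    rec = {"serial": int(m.group("serial")), "verdict": m.group("verdict"),
           "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    rec["stype"] = ctx_type(rec.get("scontext"))
    rec["ttype"] = ctx_type(rec.get("tcontext"))
    return rec


def classify(rec):
    """Sort a denial by what will fix it: 'dac', 'label' or 'other'."""
    if rec["verdict"] != "denied":
        return "granted"
    if rec.get("tclass") == "capability" and DAC_CAPS & set(rec["perms"]):
        return "dac"      # mode bits said no; the override is refused to the domain
    if rec.get("tclass") in {"file", "dir", "lnk_file", "blk_file", "chr_file"}:
        return "label"    # the target's SELinux type is what the domain may not touch
    return "other"


ADVICE = {
    "dac": "Unix permissions stop {comm} ({stype}) somewhere on the path: "
           "fix owner/mode/ACL; relabelling will not help",
    "label": "{stype} may not {perms} a {tclass} labelled {ttype}: "
             "fix the SELinux label (virt_image_t / virt_content_t)",
    "other": "{stype} denied {perms} on {tclass}",
    "granted": "no denial",
}


def explain(rec):
    fields = {"comm": "?", "tclass": "?"}
    fields.update(rec)
    fields["perms"] = " ".join(rec["perms"])
    return ADVICE[classify(rec)].format(**fields)


def summarize(log_text):
    """Count denials per category and list the processes hitting DAC trouble."""
    counts, dac_procs = Counter(), set()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        cat = classify(rec)
        counts[cat] += 1
        if cat == "dac":
            dac_procs.add((rec.get("comm"), rec["stype"], rec.get("pid")))
    return {"counts": dict(counts), "dac_processes": sorted(dac_procs)}


if __name__ == "__main__":
    for line in SAMPLE_AUDIT_LOG.splitlines() + [CONSTRUCTED_LABEL_DENIAL]:
        rec = parse_avc(line)
        if rec:
            print(rec["serial"], classify(rec), "-", explain(rec))
    print(summarize(SAMPLE_AUDIT_LOG))
```

Run it against `tail /var/log/audit/audit.log` output and the post's records come back as "dac" for the qemu-system-ppc process in svirt_t, which is the same conclusion yue reaches below; only the constructed tclass=file record is reported as a labelling problem.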

Hi, in my case it works. MAC is after DAC, so you should confirm libvirtd has permission to your home dir.
thanks

At 2013-04-08 14:53:36, "Alexey Kardashevskiy" <aik@ozlabs.ru> wrote:

Hi!

Setting security_driver to "none" (instead of "selinux") fixed the problem so I presumed that selinux is the problem here. But you're right after all, this helped:

[root@vpl2 ~]# chmod 777 /home/aik/
[root@vpl2 ~]# chmod 777 /home/aik/virtimg/

Thanks!

On 04/08/2013 05:06 PM, yue wrote:
Hi, in my case it works. MAC is after DAC, so you should confirm libvirtd has permission to your home dir.
thanks
At 2013-04-08 14:53:36,"Alexey Kardashevskiy" <aik@ozlabs.ru> wrote:

On 04/08/2013 01:14 AM, Alexey Kardashevskiy wrote:
Hi!
Setting security_driver to "none" (instead of "selinux") fixed the problem so I presumed that selinux is the problem here. But you're right after all, this helped:
[root@vpl2 ~]# chmod 777 /home/aik/
[root@vpl2 ~]# chmod 777 /home/aik/virtimg/
It may have helped, but it also opened you up to a security hole. You generally don't want permissions to be this wide open on your home directory. Rather, the use of ACLs or group (but not world) permissions should be considered, so that access is granted to the qemu group but not to the world.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
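Yue's point that DAC is evaluated before MAC, and Eric's point that the remedy should be a narrow ACL rather than chmod 777, as one added Python example (not code from the thread or from libvirt). It emulates the kernel's mode-bit check for a principal that is not the owner along every directory on the way to an image, names the component that blocks, and prints the smallest setfacl entries that would let that principal through. The directory layout under a temporary directory and the uid are constructed for the demo; the setfacl commands are only printed, and the demo stands in for them with chmod 711 on the directory so that it runs where ACLs are unavailable.

```python
import os
import tempfile

R, W, X = 4, 2, 1  # permission bits of one rwx triplet


def mode_grants(st, uid, gids, want):
    """Emulate the kernel's DAC mode-bit check for a principal (uid, set of gids).

    No special case for uid 0 on purpose: a confined root process that needs
    CAP_DAC_OVERRIDE / CAP_DAC_READ_SEARCH to get past the mode bits is exactly
    what the dac_override / dac_read_search AVCs in the thread show, and SELinux
    refuses that override to svirt_t."""
    if st.st_uid == uid:
        bits = (st.st_mode >> 6) & 7
    elif st.st_gid in gids:
        bits = (st.st_mode >> 3) & 7
    else:
        bits = st.st_mode & 7
    return bits & want == want


def ancestors(path):
    """Every directory that must be searchable to reach path, root first."""
    dirs = []
    d = os.path.dirname(path)
    while True:
        dirs.append(d)
        parent = os.path.dirname(d)
        if parent == d:
            break
        d = parent
    return list(reversed(dirs))


def dac_blockers(path, uid, gids, file_want=R):
    """[(component, missing_bits)] for each path element that stops the principal:
    search (x) on every ancestor directory, file_want on the file itself.
    An empty list means DAC alone would let the principal through."""
    path = os.path.abspath(path)
    found = []
    for d in ancestors(path):
        if not mode_grants(os.stat(d), uid, gids, X):
            found.append((d, X))
    if not mode_grants(os.stat(path), uid, gids, file_want):
        found.append((path, file_want))
    return found


def suggest_acl(blockers, user="qemu"):
    """Narrowest fix, per Eric's advice: an ACL entry for the qemu user carrying
    only the missing bits, instead of chmod 777 on the home directory."""
    def perm(bits):
        return "".join(c for b, c in ((R, "r"), (W, "w"), (X, "x")) if bits & b)
    return ["setfacl -m u:%s:%s %s" % (user, perm(bits), comp) for comp, bits in blockers]


def build_demo():
    """Constructed layout mimicking the thread: <tmp>/home/aik (0700, the usual
    home-directory mode) holding virtimg/Fedora.iso (0644). Checks are run for a
    principal that is not the owner, which is the qemu process's position."""
    top = os.path.abspath(tempfile.mkdtemp())
    os.chmod(top, 0o755)
    home = os.path.join(top, "home", "aik")
    img_dir = os.path.join(home, "virtimg")
    os.makedirs(img_dir)
    iso = os.path.join(img_dir, "Fedora.iso")
    with open(iso, "w") as f:
        f.write("constructed stand-in for an ISO image\n")
    os.chmod(os.path.join(top, "home"), 0o755)
    os.chmod(home, 0o700)
    os.chmod(img_dir, 0o755)
    os.chmod(iso, 0o644)

    other_uid, no_groups = os.getuid() + 1, set()   # constructed non-owner principal
    # only look at components under the demo tree; whatever is above it is not ours
    before = [b for b in dac_blockers(iso, other_uid, no_groups) if b[0].startswith(top)]
    fix = suggest_acl(before)
    # stand-in for the ACL so the demo runs without setfacl: search-only for
    # others on the home directory (an ACL would grant x to qemu alone)
    os.chmod(home, 0o711)
    after = [b for b in dac_blockers(iso, other_uid, no_groups) if b[0].startswith(top)]
    return {"home": home, "before": before, "fix": fix, "after": after}


if __name__ == "__main__":
    r = build_demo()
    print("blocked by :", r["before"])
    print("suggested  :", *r["fix"], sep="\n  ")
    print("after fix  :", r["after"])
```

On a real host the uid and gids to pass are those of the `user` and `group` settings in /etc/libvirt/qemu.conf (the account qemu actually runs as), and the directory entries it prints are the only ones needed: search on the home directory, read on the image. Nothing else on the home directory is opened up, which is the difference from chmod 777.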

On 04/09/2013 06:09 AM, Eric Blake wrote:
On 04/08/2013 01:14 AM, Alexey Kardashevskiy wrote:
Hi!
Setting security_driver to "none" (instead of "selinux") fixed the problem so I presumed that selinux is the problem here. But you're right after all, this helped:
[root@vpl2 ~]# chmod 777 /home/aik/
[root@vpl2 ~]# chmod 777 /home/aik/virtimg/
It may have helped, but it also opened you up to a security hole. You generally don't want permissions to be this wide open on your home directory. Rather, the use of ACLs or group (but not world) permissions should be considered, so that access is granted to the qemu group but not to the world.
Yes, right, my point was that it is not always first DAC and only then MAC. Here it is domain type check, then DAC user access check and only then MAC user access check, correct?

-- 
Alexey