7:23 a.m.
9:27 a.m.
On 08/05/2014 05:23 PM, Jianfeng Tang wrote:
However, if I moved my image file (not base image) to default location
/var/lib/libvirt/images. It works.
It seems something related to selinux. However, my box seems not have
selinux installed at all.
It's probably AppArmor, not SELinux; but the concepts are the same - if
you have a mandatory access control that libvirt can use, then you have
to make sure that non-default locations are permitted through your
control mechanism, in order for libvirt sVirt protections to work with
your layout.
Anyone knows how to fix this?
Sadly, I don't use AppArmor myself to offer actual advice on it.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
12:02 a.m.
Thank you Eric. Yes, it looks like AppArmor caused the problem. I will
google on how to disable it.
On 8/5/14 8:27 PM, "Eric Blake" <eblake(a)redhat.com> wrote:
On 08/05/2014 05:23 PM, Jianfeng Tang wrote:
>
> However, if I moved my image file (not base image) to default location
> /var/lib/libvirt/images. It works.
>
> It seems something related to selinux. However, my box seems not have
> selinux installed at all.
It's probably AppArmor, not SELinux; but the concepts are the same - if
you have a mandatory access control that libvirt can use, then you have
to make sure that non-default locations are permitted through your
control mechanism, in order for libvirt sVirt protections to work with
your layout.
>
> Anyone knows how to fix this?
Sadly, I don't use AppArmor myself to offer actual advice on it.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
12:18 a.m.
On 08/06/2014 10:02 AM, Jianfeng Tang wrote:
Thank you Eric. Yes, it looks like AppArmor caused the problem. I
will
google on how to disable it.
That feels wrong. "My security process is preventing me from doing
something wrong because I didn't configure it to match my usage
patterns, so I'm going to disable security". Rather, you should google
for how to add additional storage pools to what AppArmor will allow, so
that you can continue to have a secure setup. (I feel the same way
about people that complain that SELinux prevented them from doing
something, so they disable SELinux instead of fixing their process to
use SELinux correctly)
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
3:09 a.m.
Agree. I did a little research. For those who hit this issue, it works
after I modified /etc/apparmor.d/abstractions/libvirt-qemu to include the
backing store directory.
On 8/6/14 11:18 AM, "Eric Blake" <eblake(a)redhat.com> wrote:
On 08/06/2014 10:02 AM, Jianfeng Tang wrote:
> Thank you Eric. Yes, it looks like AppArmor caused the problem. I will
> google on how to disable it.
That feels wrong. "My security process is preventing me from doing
something wrong because I didn't configure it to match my usage
patterns, so I'm going to disable security". Rather, you should google
for how to add additional storage pools to what AppArmor will allow, so
that you can continue to have a secure setup. (I feel the same way
about people that complain that SELinux prevented them from doing
something, so they disable SELinux instead of fixing their process to
use SELinux correctly)
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
3685
days inactive
3686
days old
4 comments
2 participants
participants (2)
-
Eric Blake -
Jianfeng Tang