All of a sudden, Virtual Machine Manager (VMM) on a CentOS 5.7 load will no longer run any VMs.
The VM worked A-OK on the morning of 23 Feb, when I brought it up, applied the Microsoft updates, rebooted it, installed an application, rebooted again and ran several tests. Later that day, it wouldn't run. I didn't have time to diagnose, so I did some investigation a few minutes ago.
Working my way through some checks, it appears to be an SELinux problem (new).
[root@desk log]# uname -r
2.6.18-274.18.1.el5
From /var/log/yum.log:
Feb 21 19:07:01 Updated: 2:libpng-1.2.10-15.el5_7.x86_64
Feb 21 19:07:01 Updated: 2:libpng-devel-1.2.10-15.el5_7.x86_64
Feb 21 19:07:01 Updated: 2:libpng-1.2.10-15.el5_7.i386
Previous yum update ran on 19 Feb. However, the virtual machine ran very well on the morning of 23 Feb, when I brought it up, so it can't be any updates from yum on the host.
Here is the VMM Error Message:
Error starting domain: internal error Process exited while reading console log output: qemu: could not open disk image /dev/hda
And the VMM Details:
Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/engine.py", line 501, in run_domain
    vm.startup()
  File "/usr/share/virt-manager/virtManager/domain.py", line 576, in startup
    self.vm.create()
  File "/usr/lib64/python2.4/site-packages/libvirt.py", line 333, in create
    if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self)
libvirtError: internal error Process exited while reading console log output: qemu: could not open disk image /dev/hda
Excerpt from /var/log/messages:
Feb 24 17:25:28 desk libvirtd: 17:25:28.531: error : virDomainDiskDefForeachPath:7637 : unable to open disk path /dev/hda: No medium found
Feb 24 17:25:28 desk kernel: tun: Universal TUN/TAP device driver, 1.6
Feb 24 17:25:28 desk kernel: tun: (C) 1999-2004 Max Krasnyansky maxk@qualcomm.com
Feb 24 17:25:28 desk kernel: device vnet0 entered promiscuous mode
Feb 24 17:25:28 desk kernel: New device vnet0 does not support netpoll
Feb 24 17:25:28 desk kernel: Disabling netpoll for virbr0
Feb 24 17:25:28 desk kernel: virbr0: topology change detected, propagating
Feb 24 17:25:28 desk kernel: virbr0: port 1(vnet0) entering forwarding state
Feb 24 17:25:28 desk kernel: virbr0: port 1(vnet0) entering disabled state
Feb 24 17:25:28 desk kernel: virbr0: port 1(vnet0) entering disabled state
Feb 24 17:25:28 desk kernel: device vnet0 left promiscuous mode
Feb 24 17:25:28 desk kernel: virbr0: port 1(vnet0) entering disabled state
Feb 24 17:25:28 desk setroubleshoot: SELinux is preventing pam_console_app (pam_console_t) "getattr" to /dev/hda (virt_content_t). For complete SELinux messages. run sealert -l 9ee6c9a9-3eda-4082-84d3-5741ea9ff688
SELinux alert summary
SELinux is preventing pam_console_app (pam_console_t) "getattr" to /dev/hda (virt_content_t).
Detailed Description:
SELinux denied access requested by pam_console_app. It is not expected that this access is required by pam_console_app and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /dev/hda,
restorecon -v '/dev/hda'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context                system_u:system_r:pam_console_t:SystemLow-SystemHigh
Target Context                system_u:object_r:virt_content_t
Target Objects                /dev/hda [ blk_file ]
Source                        pam_console_app
Source Path                   /sbin/pam_console_apply
Port                          <Unknown>
Host                          desk.mcguffeyfamily.net
Source RPM Packages           internallab pam-0.99.6.2-6.el5_5.2
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-316.el5_7.1
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     desk.mcguffeyfamily.net
Platform                      Linux desk.mcguffeyfamily.net 2.6.18-274.18.1.el5 #1 SMP Thu Feb 9 12:45:44 EST 2012 x86_64 x86_64
Alert Count                   163
First Seen                    Wed 13 Apr 2011 08:41:32 AM EDT
Last Seen                     Fri 24 Feb 2012 05:25:28 PM EST
Local ID                      9ee6c9a9-3eda-4082-84d3-5741ea9ff688
Line Numbers
Raw Audit Messages
host=desk.internallab.net type=AVC msg=audit(1330122328.766:39): avc: denied { getattr } for pid=3427 comm="pam_console_app" path="/dev/hda" dev=tmpfs ino=6316 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_content_t:s0 tclass=blk_file
host=desk.internallab.net type=SYSCALL msg=audit(1330122328.766:39): arch=c000003e syscall=4 success=no exit=-13 a0=7fff56fe6140 a1=7fff56fe6170 a2=7fff56fe6170 a3=c5df105 items=0 ppid=3417 pid=3427 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pam_console_app" exe="/sbin/pam_console_apply" subj=system_u:system_r:pam_console_t:s0-s0:c0.c1023 key=(null)
I did a touch /.autorelabel; sync; reboot and received the same error message.
I then followed the guidance in the sealert:
[root@desk log]# restorecon -v /dev/hda
restorecon reset /dev/hda context system_u:object_r:virt_content_t:s0->system_u:object_r:fixed_disk_device_t:s0
And tried to start the VM with no success:
[root@desk images]# virsh start Win7-base
error: Failed to start domain Win7-base
error: internal error Process exited while reading console log output: qemu: could not open disk image /dev/hda
Any thoughts?
Dave
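
Added example, not part of the original post: a small Python parser for the raw AVC record quoted above. It groups the denials on a given path by the denied process and its SELinux domain, so each denial can be compared against the process that actually failed. The first sample line is the AVC record from the post; the other two sample lines and the function names are constructed for illustration.

```python
import re

# First line: the AVC record from the post. The other two lines are constructed.
SAMPLE = [
    'host=desk.internallab.net type=AVC msg=audit(1330122328.766:39): avc: '
    'denied { getattr } for pid=3427 comm="pam_console_app" path="/dev/hda" '
    'dev=tmpfs ino=6316 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:virt_content_t:s0 tclass=blk_file',
    'type=AVC msg=audit(1330122400.100:51): avc: denied { read write } for '
    'pid=4001 comm="example_daemon" path="/srv/example.img" dev=dm-0 ino=99 '
    'scontext=system_u:system_r:example_t:s0 '
    'tcontext=system_u:object_r:default_t:s0 tclass=file',
    'type=USER_AUTH msg=audit(1330122401.000:52): constructed non-AVC record',
]

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC record, or None for any other record type."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['result'] = m.group('result')
    rec['perms'] = m.group('perms').split()
    rec['serial'] = int(m.group('serial'))
    # A context is user:role:type[:level]; the level itself may contain ':'.
    for key, out in (('scontext', 'stype'), ('tcontext', 'ttype')):
        parts = rec.get(key, '').split(':', 3)
        rec[out] = parts[2] if len(parts) >= 3 else None
    return rec

def denials_for_path(lines, path):
    """Map (comm, source type, target type, class) -> denied permissions."""
    summary = {}
    for line in lines:
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied' and rec.get('path') == path:
            key = (rec.get('comm'), rec['stype'], rec['ttype'], rec.get('tclass'))
            summary.setdefault(key, set()).update(rec['perms'])
    return summary

if __name__ == '__main__':
    for key, perms in denials_for_path(SAMPLE, '/dev/hda').items():
        print(key, sorted(perms))
```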