[CentOS] Still a kvm problem after 5.6 upgrade

Fri Apr 22 01:09:19 UTC 2011
David McGuffey <davidmcguffey at verizon.net>

On Thu, 2011-04-21 at 18:01 +0200, Kenni Lund wrote:
> 2011/4/21 Johnny Hughes <johnny at centos.org>:
> > On 04/21/2011 06:11 AM, David McGuffey wrote:
> >> redlibvirtError: internal error Process exited while reading console log
> >> output: qemu: could not open disk image /dev/hda
> >
> > You should not need to do anything in virsh to dump a file ... there
> > should be an xml file in /etc/libvirt/qemu/ for every VM already.
> 
> The XML-files in /etc/libvirt/qemu represent libvirt defined VMs, you
> should never edit these files directly while the libvirtd service is
> running. You should either use 'virsh edit [vm_name]' or alternatively
> virsh dump followed by virsh define. If you edit the file directly
> while some manager is running (like virt-manager in CentOS), your
> changes will most likely conflict with, or get overwritten by,
> virt-manager. Nothing critical should happen, but I don't see any
> reason for encouraging doing it The Wrong Way(TM).
> 
> Best regards
> Kenni

Problem may be an SELinux problem.  Here is the alert. Notice the
reference to '/dev/hda' (which is the virtual machine boot disk), and
the SELinux context 'virt_content_t'.

I'm going to create /.autorelabel and reboot to ensure the upgrade
properly relabeled the filesystems.


Summary:

SELinux is preventing pam_console_app (pam_console_t) "getattr" to /dev/hda (virt_content_t).

Detailed Description:

SELinux denied access requested by pam_console_app. It is not expected that this access is required by pam_console_app and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /dev/hda,

restorecon -v '/dev/hda'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:pam_console_t:SystemLow-SystemHigh
Target Context                system_u:object_r:virt_content_t
Target Objects                /dev/hda [ blk_file ]
Source                        pam_console_app
Source Path                   /sbin/pam_console_apply
Port                          <Unknown>
Host                          desk at mydomain.net
Source RPM Packages           pam-0.99.6.2-6.el5_5.2
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-300.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     desk at mydomain.net
Platform                      Linux desk at mydomain.net 2.6.18-238.9.1.el5 #1 SMP Tue Apr 12 18:10:13 EDT 2011 x86_64 x86_64
Alert Count                   48
First Seen                    Wed 13 Apr 2011 08:41:32 AM EDT
Last Seen                     Thu 21 Apr 2011 07:05:23 AM EDT
Local ID                      9ee6c9a9-3eda-4082-84d3-5741ea9ff688
Line Numbers                  

Raw Audit Messages            

host= desk at mydomain.net type=AVC msg=audit(1303383923.130:356): avc: denied  { getattr } for  pid=15025 comm="pam_console_app" path="/dev/hda" dev=tmpfs ino=6206 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_content_t:s0 tclass=blk_file

host= desk at mydomain.net type=SYSCALL msg=audit(1303383923.130:356): arch=c000003e syscall=4 success=no exit=-13 a0=7fff2014b170 a1=7fff2014b1a0 a2=7fff2014b1a0 a3=18cba490 items=0 ppid=15014 pid=15025 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pam_console_app" exe="/sbin/pam_console_apply" subj=system_u:system_r:pam_console_t:s0-s0:c0.c1023 key=(null)

Dave M
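The raw AVC and SYSCALL records in the alert above carry everything needed to decide between "labelling problem, run restorecon" and "real policy gap, investigate further". The script below is an added example, not code from this thread or from setroubleshoot: it parses the two records (embedded as a constructed sample, re-joined onto one line each with the host= prefix dropped), correlates them by audit serial, and applies one triage rule that is my own assumption, namely that a block or character device node on the /dev tmpfs should carry a device type (ending in _device_t) and anything else there, such as virt_content_t, indicates mislabelling rather than a missing rule.

```python
import re

# Constructed sample: the two raw audit records from the alert, one per line.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1303383923.130:356): avc:  denied  { getattr } for  pid=15025 comm="pam_console_app" path="/dev/hda" dev=tmpfs ino=6206 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_content_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1303383923.130:356): arch=c000003e syscall=4 success=no exit=-13 a0=7fff2014b170 a1=7fff2014b1a0 a2=7fff2014b1a0 a3=18cba490 items=0 ppid=15014 pid=15025 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pam_console_app" exe="/sbin/pam_console_apply" subj=system_u:system_r:pam_console_t:s0-s0:c0.c1023 key=(null)
"""

# Common audit record header: type=<TYPE> msg=audit(<epoch>:<serial>): <body>
HEAD_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# AVC-specific prefix: avc:  denied  { perm perm } for  <key=value ...>
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values may be quoted strings or bare tokens such as (none)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

ERRNO = {-13: "EACCES"}  # exit=-13 is the kernel's -EACCES


def parse_record(line):
    """Parse one audit line into a dict, or return None if it is not an audit record."""
    m = HEAD_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "serial": int(m.group("serial")),
           "timestamp": float(m.group("ts"))}
    body = m.group("body")
    if rec["type"] == "AVC":
        a = AVC_RE.match(body)
        if not a:
            return None
        rec["decision"] = a.group("decision")
        rec["perms"] = a.group("perms").split()
        body = a.group("rest")
    rec.update((k, v.strip('"')) for k, v in KV_RE.findall(body))
    return rec


def group_events(text):
    """Group AVC and SYSCALL records that share an audit serial (same event)."""
    events = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events.setdefault(rec["serial"], {})[rec["type"]] = rec
    return events


def context_type(ctx):
    """An SELinux context is user:role:type[:range]; return the type field."""
    return ctx.split(":")[2]


def triage(event):
    """Summarise one denial and decide whether it looks like a labelling problem."""
    avc = event["AVC"]
    sc = event.get("SYSCALL", {})
    stype = context_type(avc["scontext"])
    ttype = context_type(avc["tcontext"])
    # Assumption (heuristic, not policy-derived): device nodes on the /dev tmpfs are
    # labelled by udev with a *_device_t type. A blk_file/chr_file there carrying a
    # content type such as virt_content_t is a labelling problem, so restorecon is
    # the right first step rather than writing a local allow module.
    mislabelled = (
        avc.get("dev") == "tmpfs"
        and avc["tclass"] in ("blk_file", "chr_file")
        and not ttype.endswith("_device_t")
    )
    if mislabelled:
        action = f"restorecon -v '{avc['path']}'"
    else:
        action = "inspect with audit2why before considering a local policy module"
    return {
        "summary": f'{avc["decision"]}: {avc.get("comm")} ({stype}) '
                   f'{",".join(avc["perms"])} on {avc.get("path")} ({ttype}, {avc["tclass"]})',
        "source_type": stype,
        "target_type": ttype,
        "exe": sc.get("exe"),
        "syscall_failed": sc.get("success") == "no",
        "errno": ERRNO.get(int(sc["exit"]), sc["exit"]) if "exit" in sc else None,
        "labelling_issue": mislabelled,
        "suggested_action": action,
    }


if __name__ == "__main__":
    for serial, event in sorted(group_events(SAMPLE_AUDIT).items()):
        result = triage(event)
        print(serial, result["summary"])
        print("   ", result["exe"], result["errno"], "->", result["suggested_action"])
```

Feed it the output of `ausearch -m AVC,SYSCALL -ts recent` instead of the sample to triage a live box; if the suggested restorecon changes the label, the subsequent denials for that path should stop, which is the same check the alert's own advice amounts to.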