[CentOS] Still a kvm problem after 5.6 upgrade
David McGuffey
davidmcguffey at verizon.net
Fri Apr 22 01:09:19 UTC 2011
On Thu, 2011-04-21 at 18:01 +0200, Kenni Lund wrote:
> 2011/4/21 Johnny Hughes <johnny at centos.org>:
> > On 04/21/2011 06:11 AM, David McGuffey wrote:
> >> redlibvirtError: internal error Process exited while reading console log
> >> output: qemu: could not open disk image /dev/hda
> >
> > You should not need to do anything in virsh to dump a file ... there
> > should be an xml file in /etc/libvirt/qemu/ for every VM already.
>
> The XML-files in /etc/libvirt/qemu represent libvirt defined VMs, you
> should never edit these files directly while the libvirtd service is
> running. You should either use 'virsh edit [vm_name]' or alternatively
> virsh dump followed by virsh define. If you edit the file directly
> while some manager is running (like virt-manager in CentOS), your
> changes will most likely conflict with, or get overwritten by,
> virt-manager. Nothing critical should happen, but I don't see any
> reason for encouraging doing it The Wrong Way(TM).
>
> Best regards
> Kenni
Problem may be an SELinux problem. Here is the alert. Notice the
reference to '/dev/hda' (which is the virtual machine boot disk), and
the SELinux context 'virt_content_t'.
I'm going to create /.autorelabel and reboot to ensure the upgrade
properly relabeled the filesystems.
Summary:
SELinux is preventing pam_console_app (pam_console_t) "getattr" to /dev/hda (virt_content_t).

Detailed Description:
SELinux denied access requested by pam_console_app. It is not expected that this access is required by pam_console_app and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /dev/hda,
restorecon -v '/dev/hda'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context        system_u:system_r:pam_console_t:SystemLow-SystemHigh
Target Context        system_u:object_r:virt_content_t
Target Objects        /dev/hda [ blk_file ]
Source                pam_console_app
Source Path           /sbin/pam_console_apply
Port                  <Unknown>
Host                  desk at mydomain.net
Source RPM Packages   pam-0.99.6.2-6.el5_5.2
Target RPM Packages
Policy RPM            selinux-policy-2.4.6-300.el5
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Enforcing
Plugin Name           catchall_file
Host Name             desk at mydomain.net
Platform              Linux desk at mydomain.net 2.6.18-238.9.1.el5 #1 SMP Tue Apr 12 18:10:13 EDT 2011 x86_64 x86_64
Alert Count           48
First Seen            Wed 13 Apr 2011 08:41:32 AM EDT
Last Seen             Thu 21 Apr 2011 07:05:23 AM EDT
Local ID              9ee6c9a9-3eda-4082-84d3-5741ea9ff688
Line Numbers
Raw Audit Messages
host= desk at mydomain.net type=AVC msg=audit(1303383923.130:356): avc: denied { getattr } for pid=15025 comm="pam_console_app" path="/dev/hda" dev=tmpfs ino=6206 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_content_t:s0 tclass=blk_file
host= desk at mydomain.net type=SYSCALL msg=audit(1303383923.130:356): arch=c000003e syscall=4 success=no exit=-13 a0=7fff2014b170 a1=7fff2014b1a0 a2=7fff2014b1a0 a3=18cba490 items=0 ppid=15014 pid=15025 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pam_console_app" exe="/sbin/pam_console_apply" subj=system_u:system_r:pam_console_t:s0-s0:c0.c1023 key=(null)
Dave M
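The raw audit records at the end of the post are the part worth reading when triaging a denial like this: the AVC record names the source domain, the target label and the permission, and the SYSCALL record with the same serial tells you which call failed and with what errno. The following is an added example, not code from the poster or from setroubleshoot, that parses both record types, pairs them by serial, and produces the one-line summary and the dry-run relabel check a defender would want. The sample lines are constructed copies of the two records quoted above, joined back onto one line each; the helper names are the example's own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the two audit records quoted in the post above, with the
# mail client's line wrapping undone and the "host=" prefix dropped.
SAMPLE_AUDIT_LINES: List[str] = [
    'type=AVC msg=audit(1303383923.130:356): avc: denied { getattr } for pid=15025 '
    'comm="pam_console_app" path="/dev/hda" dev=tmpfs ino=6206 '
    'scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:virt_content_t:s0 tclass=blk_file',
    'type=SYSCALL msg=audit(1303383923.130:356): arch=c000003e syscall=4 success=no '
    'exit=-13 a0=7fff2014b170 a1=7fff2014b1a0 a2=7fff2014b1a0 a3=18cba490 items=0 '
    'ppid=15014 pid=15025 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 '
    'sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pam_console_app" '
    'exe="/sbin/pam_console_apply" subj=system_u:system_r:pam_console_t:s0-s0:c0.c1023 key=(null)',
]

# key=value tokens: quoted strings, parenthesised values such as (null), or bare words
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
MSG_ID_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def parse_audit_record(line: str) -> Dict[str, str]:
    """Split one audit record into a dict of its key=value fields.

    For AVC records the verdict (denied/granted) is stored under 'verdict'
    and the permission set under 'perms'. Quotes are stripped from values.
    """
    rec: Dict[str, str] = {}
    t = re.match(r'type=(\w+)', line)
    if t:
        rec['type'] = t.group(1)
    m = MSG_ID_RE.search(line)
    if m:
        rec['timestamp'], rec['serial'] = m.group(1), m.group(2)
    body = line
    avc = AVC_RE.search(line)
    if avc:
        rec['verdict'], rec['perms'], body = avc.group(1), avc.group(2), avc.group(3)
    for key, val in KV_RE.findall(body):
        rec[key] = val.strip('"')
    return rec


def selinux_type(context: str) -> str:
    """Return the type component (third field) of an SELinux context string."""
    parts = context.split(':')
    return parts[2] if len(parts) > 2 else context


def correlate(lines: List[str]) -> Dict[str, Dict[str, Dict[str, str]]]:
    """Group records by audit serial so each AVC can be read next to its SYSCALL."""
    events: Dict[str, Dict[str, Dict[str, str]]] = {}
    for line in lines:
        rec = parse_audit_record(line)
        events.setdefault(rec.get('serial', '?'), {})[rec.get('type', '?')] = rec
    return events


def summarize_denial(avc: Dict[str, str]) -> str:
    """One-line triage summary: who was denied what, on which object and label."""
    target = avc.get('path', avc.get('name', '?'))
    return (f"{selinux_type(avc['scontext'])} ({avc.get('comm', '?')}) "
            f"{avc['verdict']} {avc['perms']} on {target} "
            f"[{avc['tclass']}, labelled {selinux_type(avc['tcontext'])}]")


def relabel_check(avc: Dict[str, str]) -> Optional[str]:
    """Dry-run restorecon command (-n: report, do not change) for the denied path,
    mirroring the alert's own first suggestion that the label may simply be wrong."""
    path = avc.get('path')
    if not path or not path.startswith('/'):
        return None
    return f"restorecon -nv '{path}'"


if __name__ == '__main__':
    for serial, recs in correlate(SAMPLE_AUDIT_LINES).items():
        avc = recs.get('AVC')
        if avc:
            print(serial, summarize_denial(avc))
            print('  exit status:', recs.get('SYSCALL', {}).get('exit', '?'))
            print('  check labels:', relabel_check(avc))
```

Running it on the sample pairs serial 356's AVC with its SYSCALL record (exit=-13 is EACCES on Linux, the permission error the denial produced) and prints the dry-run relabel command; comparing the label restorecon reports against the current one tells you whether this is a labeling problem, as the alert suggests, before anyone considers writing a local policy module.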