[CentOS] Still a kvm problem after 5.6 upgrade

Fri Apr 22 01:09:19 UTC 2011
David McGuffey <davidmcguffey at verizon.net>

On Thu, 2011-04-21 at 18:01 +0200, Kenni Lund wrote:
> 2011/4/21 Johnny Hughes <johnny at centos.org>:
> > On 04/21/2011 06:11 AM, David McGuffey wrote:
> >> redlibvirtError: internal error Process exited while reading console log
> >> output: qemu: could not open disk image /dev/hda
> >
> > You should not need to do anything in virsh to dump a file ... there
> > should be an xml file in /etc/libvirt/qemu/ for every VM already.
> The XML-files in /etc/libvirt/qemu represent libvirt defined VMs, you
> should never edit these files directly while the libvirtd service is
> running. You should either use 'virsh edit [vm_name]' or alternatively
> virsh dump followed by virsh define. If you edit the file directly
> while some manager is running (like virt-manager in CentOS), your
> changes will most likely conflict with, or get overwritten by,
> virt-manager. Nothing critical should happen, but I don't see any
> reason for encouraging doing it The Wrong Way(TM).
> Best regards
> Kenni

Problem may be an SELinux problem. Here is the alert. Notice the
reference to '/dev/hda' (which is the virtual machine boot disk), and
the SELinux context 'virt_content_t'.

I'm going to create /.autorelabel and reboot to ensure the upgrade
properly relabeled the filesystems.


SELinux is preventing pam_console_app (pam_console_t) "getattr"
to /dev/hda

Detailed Description:

SELinux denied access requested by pam_console_app. It is not expected
that this access is required by pam_console_app and this access may
signal an attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional
access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to
the default system file context for /dev/hda,

restorecon -v '/dev/hda'

If this does not work, there is currently no automatic way to allow this
Instead, you can generate a local policy module to allow this access -
see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
SELinux protection altogether. Disabling SELinux protection is not
Please file a bug report
against this package.

Additional Information:

Source Context                system_u:system_r:pam_console_t:SystemLow-
Target Context                system_u:object_r:virt_content_t
Target Objects                /dev/hda [ blk_file ]
Source                        pam_console_app
Source Path                   /sbin/pam_console_apply
Port                          <Unknown>
Host                          desk at mydomain.net
Source RPM Packages           pam-
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-300.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                      desk at mydomain.net
Platform                      Linux  desk at mydomain.net
                              #1 SMP Tue Apr 12 18:10:13 EDT 2011 x86_64
Alert Count                   48
First Seen                    Wed 13 Apr 2011 08:41:32 AM EDT
Last Seen                     Thu 21 Apr 2011 07:05:23 AM EDT
Local ID                      9ee6c9a9-3eda-4082-84d3-5741ea9ff688
Line Numbers                  

Raw Audit Messages            

host= desk at mydomain.net type=AVC msg=audit(1303383923.130:356): avc:
denied  { getattr } for  pid=15025 comm="pam_console_app"
path="/dev/hda" dev=tmpfs ino=6206
tcontext=system_u:object_r:virt_content_t:s0 tclass=blk_file

host= desk at mydomain.net type=SYSCALL msg=audit(1303383923.130:356):
arch=c000003e syscall=4 success=no exit=-13 a0=7fff2014b170
a1=7fff2014b1a0 a2=7fff2014b1a0 a3=18cba490 items=0 ppid=15014 pid=15025
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm="pam_console_app"
subj=system_u:system_r:pam_console_t:s0-s0:c0.c1023 key=(null)

Dave M
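A small parser for raw AVC records like the two at the end of this message, added here as an illustration (it is not from the thread, from setroubleshoot, or from libvirt). The audit lines embedded below are constructed, modelled on the post's records with a scontext added; the "non-virt domain hitting a virt_content_t block device looks like a labeling problem" rule is my heuristic assumption, mirroring the alert's own restorecon suggestion:

```python
import re
from dataclasses import dataclass

# Constructed sample records (not verbatim from the post): a pam_console_t
# denial on /dev/hda like the one in the alert, and an svirt_t record that a
# virt-aware domain would produce against the same device.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1303383923.130:356): avc:  denied  { getattr } for  pid=15025 comm="pam_console_app" path="/dev/hda" dev=tmpfs ino=6206 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_content_t:s0 tclass=blk_file
type=AVC msg=audit(1303383924.001:357): avc:  denied  { read write } for  pid=15030 comm="qemu-kvm" path="/dev/hda" dev=tmpfs ino=6206 scontext=system_u:system_r:svirt_t:s0:c12,c34 tcontext=system_u:object_r:virt_content_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1303383923.130:356): arch=c000003e syscall=4 success=no exit=-13 pid=15025 comm="pam_console_app"
"""

# "avc:  denied  { perm perm } for  key=value ..." -- permissions are in braces,
# everything after "for" is a key=value list (values may be double-quoted).
AVC_RE = re.compile(r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    result: str      # "denied" or "granted"
    perms: list      # e.g. ["getattr"]
    fields: dict     # pid, comm, path, scontext, tcontext, tclass, ...


def parse_avc(line):
    """Parse one AVC line; returns None for SYSCALL and other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return AvcRecord(m.group('result'), m.group('perms').split(), fields)


def parse_audit(text):
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def context_type(ctx):
    """user:role:type[:mls] -> type, e.g. '...:object_r:virt_content_t:s0' -> virt_content_t."""
    return ctx.split(':')[2]


def diagnose(rec):
    """Flag denials where a non-virt domain hits a block device labelled as VM content (heuristic)."""
    if rec.result != 'denied' or rec.fields.get('tclass') != 'blk_file':
        return None
    s, t = context_type(rec.fields['scontext']), context_type(rec.fields['tcontext'])
    path = rec.fields.get('path', '?')
    if t == 'virt_content_t' and not s.startswith(('svirt_', 'virt')):
        return (f"{rec.fields['comm']} ({s}) denied {' '.join(rec.perms)} on {path}: "
                f"device labelled {t}; check the label with 'restorecon -nv {path}'")
    return None
```

`restorecon -nv` only reports what the default file context would be, so it is a safe first check before relabeling or rebooting with /.autorelabel.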