[CentOS] Still a kvm problem after 5.6 upgrade

Fri Apr 22 01:47:47 UTC 2011
David McGuffey <davidmcguffey at verizon.net>

On Thu, 2011-04-21 at 21:09 -0400, David McGuffey wrote:
> On Thu, 2011-04-21 at 18:01 +0200, Kenni Lund wrote:
> > 2011/4/21 Johnny Hughes <johnny at centos.org>:
> > > On 04/21/2011 06:11 AM, David McGuffey wrote:
> > >> redlibvirtError: internal error Process exited while reading console log
> > >> output: qemu: could not open disk image /dev/hda
> > >
> > > You should not need to do anything in virsh to dump a file ... there
> > > should be an xml file in /etc/libvirt/qemu/ for every VM already.
> > 
> > The XML-files in /etc/libvirt/qemu represent libvirt defined VMs, you
> > should never edit these files directly while the libvirtd service is
> > running. You should either use 'virsh edit [vm_name]' or alternatively
> > virsh dump followed by virsh define. If you edit the file directly
> > while some manager is running (like virt-manager in CentOS), your
> > changes will most likely conflict with, or get overwritten by,
> > virt-manager. Nothing critical should happen, but I don't see any
> > reason for encouraging doing it The Wrong Way(TM).
> > 
> > Best regards
> > Kenni
> 
> Problem may be an SELinux problem.  Here is the alert. Notice the
> reference to '/dev/hda' (which is the virtual machine boot disk), and
> the SELinux context 'virt_content_t'
> 
> I'm going to create /.autorelabel and reboot to ensure the upgrade
> properly relabeled the filesystems.
> 
> 
> Summary:
> 
> SELinux is preventing pam_console_app (pam_console_t) "getattr" to /dev/hda (virt_content_t).
> 
> Detailed Description:
> 
> SELinux denied access requested by pam_console_app. It is not expected that this
> access is required by pam_console_app and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
> 
> Allowing Access:
> 
> Sometimes labeling problems can cause SELinux denials. You could try to restore
> the default system file context for /dev/hda,
> 
> restorecon -v '/dev/hda'
> 

Yep...each time I try to start the VM, sealert increments this error by
one.

I created /.autorelabel and rebooted.  SELinux relabeled everything, but
the sealert still fires when I try to start the VM.

I did a qemu-img <path_to_vm>/vm.img and the format is declared 'raw'.
Therefore I should not be editing the vm.xml file and changing 'raw' to
'qcow2'.

Problem is definitely with the SELinux labels in the 5.6 upgrade.

Dave M