[CentOS] Still a kvm problem after 5.6 upgrade

Fri Apr 22 10:18:00 UTC 2011
Daniel J Walsh <dwalsh at redhat.com>

Hash: SHA1

On 04/21/2011 09:47 PM, David McGuffey wrote:
> On Thu, 2011-04-21 at 21:09 -0400, David McGuffey wrote:
>> On Thu, 2011-04-21 at 18:01 +0200, Kenni Lund wrote:
>>> 2011/4/21 Johnny Hughes <johnny at centos.org>:
>>>> On 04/21/2011 06:11 AM, David McGuffey wrote:
>>>>> redlibvirtError: internal error Process exited while reading console log
>>>>> output: qemu: could not open disk image /dev/hda
>>>> You should not need to do anything in virsh to dump a file ... there
>>>> should be an xml file in /etc/libvirt/qemu/ for every VM already.
>>> The XML-files in /etc/libvirt/qemu represent libvirt defined VMs, you
>>> should never edit these files directly while the libvirtd service is
>>> running. You should either use 'virsh edit [vm_name]' or alternatively
>>> virsh dump followed by virsh define. If you edit the file directly
>>> while some manager is running (like virt-manager in CentOS), your
>>> changes will most likely conflict with, or get overwritten by,
>>> virt-manager. Nothing critical should happen, but I don't see any
>>> reason for encouraging doing it The Wrong Way(TM).
>>> Best regards
>>> Kenni
>> Problem may be an SELinux problem.  Here is the alert. Notice the
>> reference to '/dev/hda' (which is the virtual machine boot disk), and
>> the SELinux context 'virt_content_t'
>> I'm going to create /.autorelable and reboot to ensure the upgrade
>> properly relabled the filesystems.
>> Summary:
>> SELinux is preventing pam_console_app (pam_console_t) "getattr"
>> to /dev/hda
>> (virt_content_t).
>> Detailed Description:
>> SELinux denied access requested by pam_console_app. It is not expected
>> that this
>> access is required by pam_console_app and this access may signal an
>> intrusion
>> attempt. It is also possible that the specific version or configuration
>> of the
>> application is causing it to require additional access.
>> Allowing Access:
>> Sometimes labeling problems can cause SELinux denials. You could try to
>> restore
>> the default system file context for /dev/hda,
>> restorecon -v '/dev/hda'
> Yep...each time I try to start the VM, sealert increments this error by
> one.
> I created /.autorelable and rebooted.  SELinux relabeled everything, but
> the sealert still fires when I try to start the VM.
> I did a qemu-img <path_to_vm>/vm.img and the format is declared 'raw'
> Therefore I should not be editing the vm.xml file and changing 'raw' to
> 'qcow2'
> Problem is definately with the SELlnux labels in the 5.6 upgrade.
> Dave M
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
This is an SELinux issue.  It really has no effect on the virtual
machine.  The problem is the label is not something pam_console policy
expected to have on a blk device.
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/