View Issue Details

ID: 0017338
Project: CentOS-7
Category: virt-manager
View Status: public
Last Update: 2020-05-08 18:50
Reporter: ndroftheline
Priority: low
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Platform: x86_64
OS: Centos
OS Version: 7
Product Version: 7.8-2003
Target Version:
Fixed in Version:
Summary: 0017338: Unable to use ISO located on Samba share to install VM
Description: In the ISO selection screen when creating a new VM using Virtual Machine Manager, I click Browse > Browse Local > Other Locations > under "Networks" I select my already-mounted samba share and navigate to the correct subfolder, pick my torrent-downloaded and verified Centos 7 DVD iso, click Open button. It drops me back to the "New VM" dialogue, where it apparently is unable to detect the OS type; manually specify Linux/Centos 7, click forward, and get this error: "Validating install media '/run/usr/1000/gvfs/smb-share:server=192.168.11.60,share=media/Installers/OSes/Centos-7-x86_64-DVD-2003/CentOS-7-x86_64-DVD-2003.iso' failed: Could not start storage pool: cannot open directory 'run/user/1000/gvfs/smb-share:server=192.168.11.60,share=media/Installers/OSes/Centos-7-x86_64-DVD-2003': Permission denied". However, manually mounting the same Samba share in my home folder, and in Browse > Browse Local, selecting my home directory, the mount point, the subfolder, and the same ISO works perfectly.
Steps To Reproduce: 1. Attempt to use a gvfs-mounted Samba share to pick an install ISO using VMM
Tags: No tags attached.
abrt_hash:
URL:

Activities

ndroftheline

2020-05-06 20:11

reporter   ~0036881

well. i'm afraid i was being optimistic when i said "works perfectly". i tried to create the VM and hit more permissions errors relating to the cifs mounted ISO share:

Unable to complete install: 'internal error: qemu unexpectedly closed the monitor: 2020-05-06T20:04:16.754306Z qemu-kvm: -drive file=/mp0/template/iso/CentOS-7-x86_64-DVD-2003/CentOS-7-x86_64-DVD-2003.iso,format=raw,if=none,id=drive-ide0-0-0,readonly=on: could not open disk image /mp0/template/iso/CentOS-7-x86_64-DVD-2003/CentOS-7-x86_64-DVD-2003.iso: Could not open '/mp0/template/iso/CentOS-7-x86_64-DVD-2003/CentOS-7-x86_64-DVD-2003.iso': Permission denied'

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 89, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/create.py", line 2552, in _do_async_install
    guest.start_install(meter=meter)
  File "/usr/share/virt-manager/virtinst/guest.py", line 495, in start_install
    doboot, transient)
  File "/usr/share/virt-manager/virtinst/guest.py", line 431, in _create_guest
    domain = self.conn.createXML(install_xml or final_xml, 0)
  File "/usr/lib64/python2.7/site-packages/libvirt.py", line 3725, in createXML
    if ret is None:raise libvirtError('virDomainCreateXML() failed', conn=self)
libvirtError: internal error: qemu unexpectedly closed the monitor: 2020-05-06T20:04:16.754306Z qemu-kvm: -drive file=/mp0/template/iso/CentOS-7-x86_64-DVD-2003/CentOS-7-x86_64-DVD-2003.iso,format=raw,if=none,id=drive-ide0-0-0,readonly=on: could not open disk image /mp0/template/iso/CentOS-7-x86_64-DVD-2003/CentOS-7-x86_64-DVD-2003.iso: Could not open '/mp0/template/iso/CentOS-7-x86_64-DVD-2003/CentOS-7-x86_64-DVD-2003.iso': Permission denied

so it's obviously getting a permission denied error, but i can browse to that ISO, even rename it and create new files in its directory, using the Files file manager.

i have also investigated the entire path and i'm seeing 755 permissions for every folder all the way down to the ISO, including the ISO itself:

[ndr-local@pck232 ndr-local]$ ll -d /mp0
drwxr-xr-x. 2 root root 0 Jan 22 11:46 /mp0
[ndr-local@pck232 ndr-local]$ ll -d /mp0
drwxr-xr-x. 2 root root 0 Jan 22 11:46 /mp0
[ndr-local@pck232 ndr-local]$ ll -d /mp0/template
drwxr-xr-x. 2 root root 0 Feb 22 15:29 /mp0/template
[ndr-local@pck232 ndr-local]$ ll -d /mp0/template/iso
drwxr-xr-x. 2 root root 0 May 6 07:10 /mp0/template/iso
[ndr-local@pck232 ndr-local]$ ll -d /mp0/template/iso/CentOS-7-x86_64-DVD-2003
drwxr-xr-x. 2 root root 0 May 6 07:16 /mp0/template/iso/CentOS-7-x86_64-DVD-2003
[ndr-local@pck232 ndr-local]$ ll /mp0/template/iso/CentOS-7-x86_64-DVD-2003/CentOS-7-x86_64-DVD-2003.iso
-rwxr-xr-x. 1 root root 4781506560 May 6 07:19 /mp0/template/iso/CentOS-7-x86_64-DVD-2003/CentOS-7-x86_64-DVD-2003.iso

this of course may be a separate problem from my original query, but i'm not sure.

thanks!
ManuelWolfshant

2020-05-06 23:03

manager   ~0036882

Last edited: 2020-05-06 23:05

What do the commands ' aureport -a ' and ' getsebool -a|grep "cif\|qem" ' come back with ?

ndroftheline

2020-05-07 17:36

reporter   ~0036892

Hi Manuel, thanks kindly for your response, here it is:

[code]
$ sudo aureport -a
[sudo] password for ndr-local:

AVC Report
===============================================================
# date time comm subj syscall class permission obj result event
===============================================================
1. 07/05/20 07:21:03 smartd system_u:system_r:fsdaemon_t:s0 2 chr_file read system_u:object_r:nvme_device_t:s0 denied 33
2. 07/05/20 07:36:13 smartd system_u:system_r:fsdaemon_t:s0 2 chr_file read system_u:object_r:nvme_device_t:s0 denied 33
3. 06/05/20 06:52:47 smartd system_u:system_r:fsdaemon_t:s0 2 chr_file read system_u:object_r:nvme_device_t:s0 denied 34
4. 06/05/20 07:01:22 smartd system_u:system_r:fsdaemon_t:s0 2 chr_file read system_u:object_r:nvme_device_t:s0 denied 35
5. 06/05/20 07:07:59 smartd system_u:system_r:fsdaemon_t:s0 2 chr_file read system_u:object_r:nvme_device_t:s0 denied 35
6. 06/05/20 07:51:36 smartd system_u:system_r:fsdaemon_t:s0 2 chr_file read system_u:object_r:nvme_device_t:s0 denied 36
7. 06/05/20 09:20:50 smartd system_u:system_r:fsdaemon_t:s0 2 chr_file read system_u:object_r:nvme_device_t:s0 denied 29
8. 06/05/20 09:21:09 geoclue system_u:system_r:geoclue_t:s0 2 dir search system_u:system_r:unconfined_service_t:s0 denied 169
9. 06/05/20 09:21:10 ? system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 0 dbus send_msg system_u:system_r:boltd_t:s0 denied 170
10. 06/05/20 09:21:10 geoclue system_u:system_r:geoclue_t:s0 2 dir search system_u:system_r:unconfined_service_t:s0 denied 171
11. 07/05/20 07:50:05 qemu-kvm system_u:system_r:svirt_t:s0:c229,c415 2 file open system_u:object_r:cifs_t:s0 denied 10452
12. 07/05/20 07:50:05 qemu-kvm system_u:system_r:svirt_t:s0:c229,c415 2 file open system_u:object_r:cifs_t:s0 denied 10453
13. 07/05/20 07:50:05 qemu-kvm system_u:system_r:svirt_t:s0:c229,c415 2 file open system_u:object_r:cifs_t:s0 denied 10454
14. 07/05/20 07:52:43 qemu-kvm system_u:system_r:svirt_t:s0:c651,c684 2 file open system_u:object_r:cifs_t:s0 denied 10521
15. 07/05/20 07:52:43 qemu-kvm system_u:system_r:svirt_t:s0:c651,c684 2 file open system_u:object_r:cifs_t:s0 denied 10522
16. 07/05/20 07:52:43 qemu-kvm system_u:system_r:svirt_t:s0:c651,c684 2 file open system_u:object_r:cifs_t:s0 denied 10523
17. 07/05/20 07:56:59 qemu-kvm system_u:system_r:svirt_t:s0:c66,c947 2 file open system_u:object_r:cifs_t:s0 denied 10581
18. 07/05/20 07:56:59 qemu-kvm system_u:system_r:svirt_t:s0:c66,c947 2 file open system_u:object_r:cifs_t:s0 denied 10582
19. 07/05/20 07:56:59 qemu-kvm system_u:system_r:svirt_t:s0:c66,c947 2 file open system_u:object_r:cifs_t:s0 denied 10583
20. 07/05/20 08:04:16 qemu-kvm system_u:system_r:svirt_t:s0:c85,c829 2 file open system_u:object_r:cifs_t:s0 denied 10710
21. 07/05/20 08:04:16 qemu-kvm system_u:system_r:svirt_t:s0:c85,c829 2 file open system_u:object_r:cifs_t:s0 denied 10711
22. 07/05/20 08:04:16 qemu-kvm system_u:system_r:svirt_t:s0:c85,c829 2 file open system_u:object_r:cifs_t:s0 denied 10712
[/code]

[code]
$ sudo getsebool -a|grep "cif\|qem"
cobbler_use_cifs --> off
ftpd_use_cifs --> off
git_cgi_use_cifs --> off
git_system_use_cifs --> off
httpd_use_cifs --> off
ksmtuned_use_cifs --> off
mpd_use_cifs --> off
polipo_use_cifs --> off
tmpreaper_use_cifs --> off
virt_read_qemu_ga_data --> off
virt_rw_qemu_ga_data --> off
xend_run_qemu --> on
[/code]

Please excuse my rustiness with CentOS. I had a look through the SELinux Alert Browser and discovered this alert which might be just about on the money:

[code]
SELinux is preventing /usr/libexec/qemu-kvm from open access on the file /home/micah-local/mp0/template/iso/CentOS-7-x86_64-DVD-2003/CentOS-7-x86_64-DVD-2003.iso.

***** Plugin qemu_file_image (53.1 confidence) suggests *******************

If CentOS-7-x86_64-DVD-2003.iso is a virtualization target
Then you need to change the label on CentOS-7-x86_64-DVD-2003.iso'
Do
# semanage fcontext -a -t virt_image_t '/home/micah-local/mp0/template/iso/CentOS-7-x86_64-DVD-2003/CentOS-7-x86_64-DVD-2003.iso'
# restorecon -v '/home/micah-local/mp0/template/iso/CentOS-7-x86_64-DVD-2003/CentOS-7-x86_64-DVD-2003.iso'

***** Plugin catchall_boolean (42.6 confidence) suggests ******************

If you want to allow virt to use samba
Then you must tell SELinux about this by enabling the 'virt_use_samba' boolean.

Do
setsebool -P virt_use_samba 1

***** Plugin catchall (5.76 confidence) suggests **************************

If you believe that qemu-kvm should be allowed open access on the CentOS-7-x86_64-DVD-2003.iso file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'qemu-kvm' --raw | audit2allow -M my-qemukvm
# semodule -i my-qemukvm.pp

Additional Information:
Source Context system_u:system_r:svirt_t:s0:c229,c415
Target Context system_u:object_r:cifs_t:s0
Target Objects /home/micah-local/mp0/template/iso/CentOS-7-x86_64
                              -DVD-2003/CentOS-7-x86_64-DVD-2003.iso [ file ]
Source qemu-kvm
Source Path /usr/libexec/qemu-kvm
Port <Unknown>
Host pck232.ndgm.co
Source RPM Packages qemu-kvm-1.5.3-173.el7_8.1.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-266.el7.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name pck232.ndgm.co
Platform Linux pck232.ndgm.co 3.10.0-1127.el7.x86_64 #1 SMP
                              Tue Mar 31 23:36:51 UTC 2020 x86_64 x86_64
Alert Count 1
First Seen 2020-05-07 07:50:05 NZST
Last Seen 2020-05-07 07:50:05 NZST
Local ID abcec2a8-c418-4143-93b5-e6815725e0bc

Raw Audit Messages
type=AVC msg=audit(1588794605.251:10454): avc: denied { open } for pid=2839 comm="qemu-kvm" path="/home/micah-local/mp0/template/iso/CentOS-7-x86_64-DVD-2003/CentOS-7-x86_64-DVD-2003.iso" dev="cifs" ino=662527 scontext=system_u:system_r:svirt_t:s0:c229,c415 tcontext=system_u:object_r:cifs_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1588794605.251:10454): arch=x86_64 syscall=open success=no exit=EACCES a0=5593266c1920 a1=80000 a2=0 a3=55932676e400 items=0 ppid=1 pid=2839 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c229,c415 key=(null)

Hash: qemu-kvm,svirt_t,cifs_t,file,open
[/code]
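
The qemu-kvm denials in the report above differ only in the MCS category pair that sVirt assigns to each VM launch, which is why the alert collapses them to the hash `qemu-kvm,svirt_t,cifs_t,file,open`. The following added example (not part of the original thread) parses raw AVC records and groups them the same way; the sample records are constructed, and `BOOLEAN_HINTS` is a hypothetical one-entry table holding only the boolean that the alert above names.

```python
import re
from collections import Counter

# Constructed sample input: raw AVC records shaped like the one quoted in the
# note above (paths shortened, pids and some timestamps made up).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1588794605.251:10454): avc: denied { open } for pid=2839 comm="qemu-kvm" path="/mnt/iso/a.iso" dev="cifs" ino=662527 scontext=system_u:system_r:svirt_t:s0:c229,c415 tcontext=system_u:object_r:cifs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1588794763.100:10521): avc: denied { open } for pid=3011 comm="qemu-kvm" path="/mnt/iso/a.iso" dev="cifs" ino=662527 scontext=system_u:system_r:svirt_t:s0:c651,c684 tcontext=system_u:object_r:cifs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1588792863.000:33): avc: denied { read } for pid=900 comm="smartd" name="nvme0" dev="devtmpfs" ino=1 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=chr_file permissive=0
type=SYSCALL msg=audit(1588794605.251:10454): arch=x86_64 syscall=open success=no exit=EACCES comm=qemu-kvm
"""

# Pulls permission set, command, both contexts and the object class out of one AVC line.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Hypothetical lookup table: only the pairing the setroubleshoot alert on this page names.
BOOLEAN_HINTS = {("svirt_t", "cifs_t"): "virt_use_samba"}

def se_type(context):
    """Return the type field of user:role:type[:level]; the level may itself contain colons."""
    return context.split(":")[2]

def parse_denials(text):
    """Return one (comm, source type, target type, class, permission) tuple per denied permission."""
    out = []
    for line in text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # SYSCALL and other record types carry no denial of their own
        m = AVC_RE.search(line)
        if m is None:
            continue  # e.g. records without a quoted comm= field
        for perm in m["perms"].split():
            out.append((m["comm"], se_type(m["scon"]), se_type(m["tcon"]), m["tclass"], perm))
    return out

def summarize(text):
    """Count denials per signature, ignoring the per-VM MCS level."""
    return Counter(parse_denials(text))

def boolean_hint(signature):
    return BOOLEAN_HINTS.get((signature[1], signature[2]))

if __name__ == "__main__":
    for sig, n in summarize(SAMPLE_AUDIT).most_common():
        hint = boolean_hint(sig)
        print(n, ",".join(sig), "-> boolean: " + hint if hint else "")
```
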
ndroftheline

2020-05-07 17:53

reporter   ~0036893

Yes, running

    $ sudo setsebool -P virt_use_samba 1

enabled me to use the manually-mounted cifs share to specify my ISO and launch the VM. My inability to resolve that myself is due to my inexperience, but the error behaviour could have been more informative; I am open to opinions on whether it's a valuable exercise to report the lack of clarity in the error as a bug.

Regardless, the original behaviour with gvfs remains; VMM is still unable to read an ISO on a share mounted that way. No SELinux alert is generated when I arrive at the error originally reported.
ManuelWolfshant

2020-05-07 18:38

manager   ~0036894

Please run "service auditd rotate", trigger the error again and then look again at the selinux logs. I suspect you will still see relevant selinux denials.
ndroftheline

2020-05-07 19:43

reporter   ~0036895

Thanks again ManuelWolfshant, appreciate your continued participation in this bug.

Unfortunately, even after rotating the logs, no further selinux denials are logged when triggering the error.

I have gone ahead and made a video in case it helps to clarify the way I'm arriving at this behaviour, and uploaded it here.

I believe the avc report entries from today's date (08/05/2020) relate to:
- I have an NVME drive in this host, smartd may not work with it (smartd)
- I disabled location sharing when finishing the installation of CentOS (geoclue)
- I was playing around with trying to change my user's display name before making the video (accounts-daemon)

As a review of the process to trigger this error, I am:

1. Mounting an SMB share via Files ( Files > + Other Locations > in "Connect to Server" box, type "smb://server/share", click Connect > provide credentials )
2. Opening VMM > new VM button > select Local install media, Forward > select Use ISO image, click Browse... button > click Browse Local button > Other Locations > select server > navigate to ISO, select it and click Open
3. Note that OS type and Version are not detected, click Forward to arrive at error reported, also attached here as a screenshot

Thanks again.

centos7-gvfs-iso-error.PNG (151,387 bytes)
ndroftheline

2020-05-07 19:47

reporter   ~0036896

Ah, my video file was 8mb so wouldn't attach, didn't catch that in time. In case it matters, you can try this: https://nextcloud.ndgm.co/s/EWPELGHQYGk6apA
ManuelWolfshant

2020-05-07 21:37

manager   ~0036897

Please retry after switching selinux to permissive (and if it still fails, disabled). I want to be very sure that we are not dealing with a dontaudited selinux denial.
ndroftheline

2020-05-08 17:58

reporter   ~0036900

Changed to permissive, no change in behaviour. Disabled selinux, rebooted, still getting that same error message behaviour out of VMM.

Is it worthwhile to try virt-install for more useful error messages?

How do I format my bug notes so these code blocks are easier to distinguish from conversation? Or is there a different preferred way of sending longer output like this?
ManuelWolfshant

2020-05-08 18:50

manager   ~0036901

Last edited: 2020-05-08 18:50

Dang! I was hoping that it was a selinux issue, would have been easier to fix. So I guess some permissions are incorrect or something interprets the permissions incorrectly along the way. Next step would be some debugging with the help of strace (something along strace -f -e open).

Issue History

Date Modified Username Field Change
2020-05-06 17:51 ndroftheline New Issue
2020-05-06 20:11 ndroftheline Note Added: 0036881
2020-05-06 23:03 ManuelWolfshant Note Added: 0036882
2020-05-06 23:05 ManuelWolfshant Note Edited: 0036882
2020-05-07 17:36 ndroftheline Note Added: 0036892
2020-05-07 17:53 ndroftheline Note Added: 0036893
2020-05-07 18:38 ManuelWolfshant Note Added: 0036894
2020-05-07 19:43 ndroftheline File Added: centos7-gvfs-iso-error.PNG
2020-05-07 19:43 ndroftheline Note Added: 0036895
2020-05-07 19:47 ndroftheline Note Added: 0036896
2020-05-07 21:37 ManuelWolfshant Note Added: 0036897
2020-05-08 17:58 ndroftheline Note Added: 0036900
2020-05-08 18:50 ManuelWolfshant Note Added: 0036901
2020-05-08 18:50 ManuelWolfshant Note Edited: 0036901