 |
well. i'm afraid i was being optimistic when i said "works perfectly". i tried to create the VM and hit more permissions errors relating to the cifs mounted ISO share: Unable to complete install: 'internal error: qemu unexpectedly closed the monitor: 2020-05-06T20:04:16.754306Z qemu-kvm: -drive file=/mp0/template/iso/CentOS-7-x86_64-DVD-2003/CentOS-7-x86_64-DVD-2003.iso,format=raw,if=none,id=drive-ide0-0-0,readonly=on: could not open disk image /mp0/template/iso/CentOS-7-x86_64-DVD-2003/CentOS-7-x86_64-DVD-2003.iso: Could not open '/mp0/template/iso/CentOS-7-x86_64-DVD-2003/CentOS-7-x86_64-DVD-2003.iso': Permission denied' Traceback (most recent call last): File "/usr/share/virt-manager/virtManager/asyncjob.py", line 89, in cb_wrapper callback(asyncjob, *args, **kwargs) File "/usr/share/virt-manager/virtManager/create.py", line 2552, in _do_async_install guest.start_install(meter=meter) File "/usr/share/virt-manager/virtinst/guest.py", line 495, in start_install doboot, transient) File "/usr/share/virt-manager/virtinst/guest.py", line 431, in _create_guest domain = self.conn.createXML(install_xml or final_xml, 0) File "/usr/lib64/python2.7/site-packages/libvirt.py", line 3725, in createXML if ret is None:raise libvirtError('virDomainCreateXML() failed', conn=self) libvirtError: internal error: qemu unexpectedly closed the monitor: 2020-05-06T20:04:16.754306Z qemu-kvm: -drive file=/mp0/template/iso/CentOS-7-x86_64-DVD-2003/CentOS-7-x86_64-DVD-2003.iso,format=raw,if=none,id=drive-ide0-0-0,readonly=on: could not open disk image /mp0/template/iso/CentOS-7-x86_64-DVD-2003/CentOS-7-x86_64-DVD-2003.iso: Could not open '/mp0/template/iso/CentOS-7-x86_64-DVD-2003/CentOS-7-x86_64-DVD-2003.iso': Permission denied so it's obviously getting a permission denied error, but i can browse to that ISO, even rename it and create new files in its directory, using the Files file manager. i have also investigated the entire path and i'm seeing 755 permissions for every folder all the way down to the ISO, including the ISO itself: [ndr-local@pck232 ndr-local]$ ll -d /mp0 drwxr-xr-x. 2 root root 0 Jan 22 11:46 /mp0 [ndr-local@pck232 ndr-local]$ ll -d /mp0 drwxr-xr-x. 2 root root 0 Jan 22 11:46 /mp0 [ndr-local@pck232 ndr-local]$ ll -d /mp0/template drwxr-xr-x. 2 root root 0 Feb 22 15:29 /mp0/template [ndr-local@pck232 ndr-local]$ ll -d /mp0/template/iso drwxr-xr-x. 2 root root 0 May 6 07:10 /mp0/template/iso [ndr-local@pck232 ndr-local]$ ll -d /mp0/template/iso/CentOS-7-x86_64-DVD-2003 drwxr-xr-x. 2 root root 0 May 6 07:16 /mp0/template/iso/CentOS-7-x86_64-DVD-2003 [ndr-local@pck232 ndr-local]$ ll /mp0/template/iso/CentOS-7-x86_64-DVD-2003/CentOS-7-x86_64-DVD-2003.iso -rwxr-xr-x. 1 root root 4781506560 May 6 07:19 /mp0/template/iso/CentOS-7-x86_64-DVD-2003/CentOS-7-x86_64-DVD-2003.iso this of course may be a separate problem from my original query, but i'm not sure. thanks! |
 |
What do the commands ' aureport -a ' and ' getsebool -a|grep "cif\|qem" ' come back with ? |
|
|
Hi Manuel, thanks kindly for your response, here it is: [code] $ sudo aureport -a [sudo] password for ndr-local: AVC Report =============================================================== # date time comm subj syscall class permission obj result event =============================================================== 1. 07/05/20 07:21:03 smartd system_u:system_r:fsdaemon_t:s0 2 chr_file read system_u:object_r:nvme_device_t:s0 denied 33 2. 07/05/20 07:36:13 smartd system_u:system_r:fsdaemon_t:s0 2 chr_file read system_u:object_r:nvme_device_t:s0 denied 33 3. 06/05/20 06:52:47 smartd system_u:system_r:fsdaemon_t:s0 2 chr_file read system_u:object_r:nvme_device_t:s0 denied 34 4. 06/05/20 07:01:22 smartd system_u:system_r:fsdaemon_t:s0 2 chr_file read system_u:object_r:nvme_device_t:s0 denied 35 5. 06/05/20 07:07:59 smartd system_u:system_r:fsdaemon_t:s0 2 chr_file read system_u:object_r:nvme_device_t:s0 denied 35 6. 06/05/20 07:51:36 smartd system_u:system_r:fsdaemon_t:s0 2 chr_file read system_u:object_r:nvme_device_t:s0 denied 36 7. 06/05/20 09:20:50 smartd system_u:system_r:fsdaemon_t:s0 2 chr_file read system_u:object_r:nvme_device_t:s0 denied 29 8. 06/05/20 09:21:09 geoclue system_u:system_r:geoclue_t:s0 2 dir search system_u:system_r:unconfined_service_t:s0 denied 169 9. 06/05/20 09:21:10 ? system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 0 dbus send_msg system_u:system_r:boltd_t:s0 denied 170 10. 06/05/20 09:21:10 geoclue system_u:system_r:geoclue_t:s0 2 dir search system_u:system_r:unconfined_service_t:s0 denied 171 11. 07/05/20 07:50:05 qemu-kvm system_u:system_r:svirt_t:s0:c229,c415 2 file open system_u:object_r:cifs_t:s0 denied 10452 12. 07/05/20 07:50:05 qemu-kvm system_u:system_r:svirt_t:s0:c229,c415 2 file open system_u:object_r:cifs_t:s0 denied 10453 13. 07/05/20 07:50:05 qemu-kvm system_u:system_r:svirt_t:s0:c229,c415 2 file open system_u:object_r:cifs_t:s0 denied 10454 14. 07/05/20 07:52:43 qemu-kvm system_u:system_r:svirt_t:s0:c651,c684 2 file open system_u:object_r:cifs_t:s0 denied 10521 15. 07/05/20 07:52:43 qemu-kvm system_u:system_r:svirt_t:s0:c651,c684 2 file open system_u:object_r:cifs_t:s0 denied 10522 16. 07/05/20 07:52:43 qemu-kvm system_u:system_r:svirt_t:s0:c651,c684 2 file open system_u:object_r:cifs_t:s0 denied 10523 17. 07/05/20 07:56:59 qemu-kvm system_u:system_r:svirt_t:s0:c66,c947 2 file open system_u:object_r:cifs_t:s0 denied 10581 18. 07/05/20 07:56:59 qemu-kvm system_u:system_r:svirt_t:s0:c66,c947 2 file open system_u:object_r:cifs_t:s0 denied 10582 19. 07/05/20 07:56:59 qemu-kvm system_u:system_r:svirt_t:s0:c66,c947 2 file open system_u:object_r:cifs_t:s0 denied 10583 20. 07/05/20 08:04:16 qemu-kvm system_u:system_r:svirt_t:s0:c85,c829 2 file open system_u:object_r:cifs_t:s0 denied 10710 21. 07/05/20 08:04:16 qemu-kvm system_u:system_r:svirt_t:s0:c85,c829 2 file open system_u:object_r:cifs_t:s0 denied 10711 22. 07/05/20 08:04:16 qemu-kvm system_u:system_r:svirt_t:s0:c85,c829 2 file open system_u:object_r:cifs_t:s0 denied 10712 [/code] [code] $ sudo getsebool -a|grep "cif\|qem" cobbler_use_cifs --> off ftpd_use_cifs --> off git_cgi_use_cifs --> off git_system_use_cifs --> off httpd_use_cifs --> off ksmtuned_use_cifs --> off mpd_use_cifs --> off polipo_use_cifs --> off tmpreaper_use_cifs --> off virt_read_qemu_ga_data --> off virt_rw_qemu_ga_data --> off xend_run_qemu --> on [/code] Please excuse my rustiness with CentOS. I had a look through the SELinux Alert Browser and discovered this alert which might be just about on the money: [code] SELinux is preventing /usr/libexec/qemu-kvm from open access on the file /home/micah-local/mp0/template/iso/CentOS-7-x86_64-DVD-2003/CentOS-7-x86_64-DVD-2003.iso. ***** Plugin qemu_file_image (53.1 confidence) suggests ******************* If CentOS-7-x86_64-DVD-2003.iso is a virtualization target Then you need to change the label on CentOS-7-x86_64-DVD-2003.iso' Do # semanage fcontext -a -t virt_image_t '/home/micah-local/mp0/template/iso/CentOS-7-x86_64-DVD-2003/CentOS-7-x86_64-DVD-2003.iso' # restorecon -v '/home/micah-local/mp0/template/iso/CentOS-7-x86_64-DVD-2003/CentOS-7-x86_64-DVD-2003.iso' ***** Plugin catchall_boolean (42.6 confidence) suggests ****************** If you want to allow virt to use samba Then you must tell SELinux about this by enabling the 'virt_use_samba' boolean. Do setsebool -P virt_use_samba 1 ***** Plugin catchall (5.76 confidence) suggests ************************** If you believe that qemu-kvm should be allowed open access on the CentOS-7-x86_64-DVD-2003.iso file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'qemu-kvm' --raw | audit2allow -M my-qemukvm # semodule -i my-qemukvm.pp Additional Information: Source Context system_u:system_r:svirt_t:s0:c229,c415 Target Context system_u:object_r:cifs_t:s0 Target Objects /home/micah-local/mp0/template/iso/CentOS-7-x86_64 -DVD-2003/CentOS-7-x86_64-DVD-2003.iso [ file ] Source qemu-kvm Source Path /usr/libexec/qemu-kvm Port <Unknown> Host pck232.ndgm.co Source RPM Packages qemu-kvm-1.5.3-173.el7_8.1.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-266.el7.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name pck232.ndgm.co Platform Linux pck232.ndgm.co 3.10.0-1127.el7.x86_64 #1 SMP Tue Mar 31 23:36:51 UTC 2020 x86_64 x86_64 Alert Count 1 First Seen 2020-05-07 07:50:05 NZST Last Seen 2020-05-07 07:50:05 NZST Local ID abcec2a8-c418-4143-93b5-e6815725e0bc Raw Audit Messages type=AVC msg=audit(1588794605.251:10454): avc: denied { open } for pid=2839 comm="qemu-kvm" path="/home/micah-local/mp0/template/iso/CentOS-7-x86_64-DVD-2003/CentOS-7-x86_64-DVD-2003.iso" dev="cifs" ino=662527 scontext=system_u:system_r:svirt_t:s0:c229,c415 tcontext=system_u:object_r:cifs_t:s0 tclass=file permissive=0 type=SYSCALL msg=audit(1588794605.251:10454): arch=x86_64 syscall=open success=no exit=EACCES a0=5593266c1920 a1=80000 a2=0 a3=55932676e400 items=0 ppid=1 pid=2839 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c229,c415 key=(null) Hash: qemu-kvm,svirt_t,cifs_t,file,open [/code] |
|
|
Yes, running $ sudo setsebool -P virt_use_samba 1 enabled me to use the manually-mounted cifs share to specify my ISO and launch the VM. My inability to resolve that myself is due to my inexperience, but the error behaviour could have been more informative; I am open to opinions on whether it's a valuable exercise to report the lack of clarity in the error as a bug. Regardless, the original behaviour with gvfs remains; VMM is still unable to read an ISO on a share mounted that way. No SELinux alert is generated when I arrive at the error originally reported. |
|
|
please run "service auditd rotate" , trigger the error again and then look again at the selinux logs. I suspect you will still see relevant selinux denials . |
|
|
Thanks again ManuelWolfshant, appreciate your continued participation in this bug. Unfortunately, even after rotating the logs, no further selinux denials are logged when triggering the error. I have gone ahead and made a video in case it helps to clarify the way I'm arriving at this behaviour, and uploaded it here. I believe the avc report entries from today's date (08/05/2020) relate to: - I have an NVME drive in this host, smartd may not work with it (smartd) - I disabled location sharing when finishing the installation of CentOS (geoclue) - I was playing around with trying to change my user's display name before making the video (accounts-daemon) As a review of the process to trigger this error, I am: 1. Mounting an SMB share via Files ( Files > + Other Locations > in "Connect to Server" box, type "smb://server/share", click Connect > provide credentials 2. Opening VMM > new VM button > select Local install media, Forward > select Use ISO image, click Browse... button > click Browse Local button > Other Locations > select server > navigate to ISO, select it and click Open 3. Note that OS type and Version are not detected, click Forward to arrive at error reported, also attached here as a screenshot Thanks again. centos7-gvfs-iso-error.PNG (151,387 bytes) |
|
|
Ah, my video file was 8mb so wouldn't attach, didn't catch that in time. In case it matters, you can try this: https://nextcloud.ndgm.co/s/EWPELGHQYGk6apA |
|
|
Please retry after switching selinux to permissive ( and if it still fails, disabled ). I want to be very sure that we are not dealing with a dontaudited selinux denial. |
|
|
Changed to permissive, no change in behaviour. Disabled selinux, rebooted, still getting that same error message behaviour out of VMM. Is it worthwhile to try virt-install for more useful error messages? How do I format my bug notes so these code blocks are easier to distinguish from conversation? Or is there a different preferred way of sending longer output like this? |
|
|
dang! I was hoping that it was a selinux issue , would have been easier to fix. So I guess some permissions are incorrect or something interprets incorrectly the permissions along the way. Next step would be some debugging with the help of strace ( something along strace -f -e open ) |
- Anonymous
