View Issue Details

IDProjectCategoryView StatusLast Update
0018074administrationpolicypublic2021-02-18 15:21
ReporterThomasLef Assigned To 
Status newResolutionopen 
OSCentos 7 
Summary0018074: SeLinux default policy prevent creating qemu-kvm VMs when images are stored on NFS drive
Descriptionwhen attempting to create qemu-kvm VMs through libvirt, while image are hosted on NFS drive, i get the following error

$ virsh create vm1.xml
error: Failed to create domain from vm1.xml
error: internal error: qemu unexpectedly closed the monitor: 2021-02-17T14:58:48.609416Z qemu-kvm: -drive file=/storage_pool/image1_1.qcow2,format=qcow2,if=none,id=drive-virtio-disk0: could not open disk image /storage_pool/image1.qcow2: Could not open '/storage_pool/image_1.qcow2': Permission denied

following :

"In the basic model, all QEMU virtual machines run under the confined domain root:system_r:qemu_t. It is required that any disk image assigned to a QEMU virtual machine is labelled with system_u:object_r:virt_image_t.
Not all filesystems allow for labelling of individual files. In particular NFS, VFat and NTFS have no support for labelling. In these cases administrators must use the 'context' option when mounting the filesystem to set the default label to system_u:object_r:virt_image_t. In the case of NFS, there is an alternative option, of enabling the virt_use_nfs SELinux boolean."

I applying the following change :

$ setsebool virt_use_nfs on

And that did the trick.

However, given the error message, this is not easy to sort out for the average user.
Any reason to have this boolean variable set to false by default ?
If none, could that be changed ?
Tags#Centos7, kvm, libvirt, nfs, qemu, selinux, virsh


There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2021-02-18 15:21 ThomasLef New Issue
2021-02-18 15:21 ThomasLef Tag Attached: #Centos7
2021-02-18 15:21 ThomasLef Tag Attached: kvm
2021-02-18 15:21 ThomasLef Tag Attached: libvirt
2021-02-18 15:21 ThomasLef Tag Attached: nfs
2021-02-18 15:21 ThomasLef Tag Attached: qemu
2021-02-18 15:21 ThomasLef Tag Attached: selinux
2021-02-18 15:21 ThomasLef Tag Attached: virsh