On 12/16/2013 08:37 PM, Dmitry S. Makovey wrote:
On 12/16/2013 06:17 PM, Dmitry S. Makovey wrote:
> Hi everybody,
>
> today, right after an update, my machine refuses to start any of the VMs it
> was happily running just a minute ago.
>
> Some details:
>
> $ rpm -qa | grep selinux-policy
> selinux-policy-targeted-3.12.1-74.15.fc19.noarch
> selinux-policy-devel-3.12.1-74.15.fc19.noarch
> selinux-policy-3.12.1-74.15.fc19.noarch
>
> # grep qemu-system-x86 /var/log/audit/audit.log | audit2allow
>
>
> #============= svirt_t ==============
> allow svirt_t virt_image_t:file read;
>
> # ls -laZ /var/lib/libvirt/images/
> drwx--x--x. qemu qemu system_u:object_r:virt_image_t:s0 .
> drwxr-xr-x. root root system_u:object_r:virt_var_lib_t:s0 ..
> -rw-r--r--. qemu qemu system_u:object_r:virt_image_t:s0 devstack-f.qcow2
> ...
>
> in other words - I see no reason why this should fail, what did I miss?
>
> Should I head over to bugzilla and report?
>
> after some tinkering I've applied svirt_image_t to /var/lib/libvirt/images
> and everything is functioning, however "restorecon -RF
> /var/lib/libvirt/images" brings everything back to virt_image_t, hmm?

libvirt is supposed to change the label of a virt_image_t to
svirt_image_t:MCSLABEL when the virtual machine is running, and then change
it back to virt_image_t when the VM is finished. Running VMs can only
read/write svirt_image_t. The problem is you should not be running restorecon
on this directory.
svirt_image_t is supposed to be in a type that restorecon will not change.
If you stop and restart the VM everything should be labeled correctly.
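
The labeling behaviour described in the reply above can be checked against audit records. The following is an added example, not part of the original thread or of libvirt: it triages AVC denials for svirt_t guests and separates "image is carrying the at-rest virt_image_t label while the VM runs" from an MCS category mismatch, a case that goes beyond the one in the thread. The audit lines, pids, inodes and MCS categories are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample audit records (not from the thread); pids, inodes and
# MCS categories are made up for illustration.
SAMPLE_AUDIT = '''\
type=AVC msg=audit(1387245420.101:411): avc:  denied  { read } for  pid=2101 comm="qemu-system-x86" name="devstack-f.qcow2" dev="dm-1" ino=131 scontext=system_u:system_r:svirt_t:s0:c12,c345 tcontext=system_u:object_r:virt_image_t:s0 tclass=file
type=AVC msg=audit(1387245431.202:419): avc:  denied  { write } for  pid=2188 comm="qemu-system-x86" name="other.qcow2" dev="dm-1" ino=140 scontext=system_u:system_r:svirt_t:s0:c7,c99 tcontext=system_u:object_r:svirt_image_t:s0:c12,c345 tclass=file
type=AVC msg=audit(1387245440.303:425): avc:  denied  { read } for  pid=900 comm="httpd" name="x" dev="dm-1" ino=7 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?name="(?P<name>[^"]+)".*?'
    r'scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)')

def split_context(ctx):
    """Split user:role:type:level into (type, MCS categories)."""
    _user, _role, setype, level = ctx.split(":", 3)
    _sens, _, cats = level.partition(":")
    return setype, cats

def diagnose(audit_text):
    """Return (file name, verdict) for each file denial hit by an svirt_t process."""
    findings = []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        stype, scats = split_context(m["scon"])
        ttype, tcats = split_context(m["tcon"])
        if stype != "svirt_t" or m["tclass"] != "file":
            continue  # only sVirt guest processes touching files
        if ttype == "virt_image_t":
            # Running guests expect svirt_image_t:<MCS>; virt_image_t is the stopped-VM label.
            verdict = "image carries at-rest label while VM runs (relabeled, e.g. by restorecon)"
        elif ttype == "svirt_image_t" and scats != tcats:
            verdict = "image belongs to another guest (MCS mismatch)"
        else:
            verdict = "other denial"
        findings.append((m["name"], verdict))
    return findings

if __name__ == "__main__":
    for name, verdict in diagnose(SAMPLE_AUDIT):
        print(f"{name}: {verdict}")
```
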