Hi,
I had the same problem before. I investigated the problem, and found the selinux labels for some of the directories under the /rhev/data-center hierarchy were wrong. Then I inspected the policies for the /rhev/data-center hierarchy and found no problem. So I uninstalled vdsm, deleted /rhev, reinstalled vdsm, then the problem was gone. Since the policies for /rhev/data-center are correct, I have no idea how the wrong labels were tagged. I examined the log files of selinux, libvirt and vdsm, but still could not find any clues.

You can examine the policies on /rhev by running the following command:

semanage fcontext -l | grep '^/rhev'


This should give the result as:

/rhev                                              directory          system_u:object_r:mnt_t:s0
/rhev(/[^/]*)?                                     directory          system_u:object_r:mnt_t:s0
/rhev/[^/]*/.*                                     all files          <<None>>


Then you can examine the actual labels of subdirs under /rhev/data-center by running:

ls -dZ /rhev/data-center/8c369da4-b3a0-11e1-9db0-273609afe0b1
ls -dZ /rhev/data-center/8c369da4-b3a0-11e1-9db0-273609afe0b1/efef4a96-16b1-4f14-a252-f33c7a8ce52b
ls -dZ /rhev/data-center/mnt
ls -Z /rhev/data-center/mnt/*


You should see the "mnt_t" label on the directories and the soft links. The labels of the soft links are inherited from their parent dir. In my previous selinux problem, some of the dirs and soft links were tagged with "default_t". So selinux will prevent qemu from visiting the soft links.

Anyway, deleting /rhev and re-installing vdsm solved my previous problem, because vdsm will create /rhev automatically with the right labels. Hope it works for you too.

on 06/18/2012 23:37, Saggi Mizrahi wrote:
Do you have an AVC denial in the audit log? What does it say?
(Please run sealert -a FILE and put the resolved text along with the original AVC denial)
Are you using NFS\localfs\SAN?

What are the credentials and contexts of the files in question?
Have you recently turned selinux on\off?
Did you upgrade the OS or selinux policy?
What is the libvirt version?

----- Original Message -----
From: "Laszlo Hornyak"<lhorn...@redhat.com>
To: vdsm-devel@lists.fedorahosted.org
Sent: Monday, June 18, 2012 11:13:37 AM
Subject: [vdsm] vdsm vs selinux

hi,

I am running the latest VDSM (built from git repo) on rhel 6.2 and
looks like it has some issues with selinux. setenforce 0 solves the
problem, but is there a proper solution under way?

Traceback (most recent call last):
   File "/usr/share/vdsm/vm.py", line 570, in _startUnderlyingVm
     self._run()
   File "/usr/share/vdsm/libvirtvm.py", line 1364, in _run
     self._connection.createXML(domxml, flags),
   File
   "/usr/lib64/python2.6/site-packages/vdsm/libvirtconnection.py",
   line 82, in wrapper
     ret = f(*args, **kwargs)
   File "/usr/lib64/python2.6/site-packages/libvirt.py", line 2490, in
   createXML
     if ret is None:raise libvirtError('virDomainCreateXML() failed',
     conn=self)
libvirtError: internal error Process exited while reading console log
output: char device redirected to /dev/pts/2
qemu-kvm: -drive
file=/rhev/data-center/8c369da4-b3a0-11e1-9db0-273609afe0b1/efef4a96-16b1-4f14-a252-f33c7a8ce52b/images/40d2cc3a-9e9c-4224-af6f-2450efc883ca/e84617c5-8073-46de-85bd-2497235a5ba2,if=none,id=drive-virtio-disk0,format=raw,serial=40d2cc3a-9e9c-4224-af6f-2450efc883ca,cache=none,werror=stop,rerror=stop,aio=threads:
could not open disk image
/rhev/data-center/8c369da4-b3a0-11e1-9db0-273609afe0b1/efef4a96-16b1-4f14-a252-f33c7a8ce52b/images/40d2cc3a-9e9c-4224-af6f-2450efc883ca/e84617c5-8073-46de-85bd-2497235a5ba2:
Permission denied


Thank you,
Laszlo
_______________________________________________
vdsm-devel mailing list
vdsm-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/vdsm-devel

--
Thanks and best regards!

Zhou Zheng Sheng / 周征晟
E-mail: zhshz...@linux.vnet.ibm.com
Telephone: 86-10-82454397
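
Added example (not part of the original message or of vdsm): a small filter that automates the label check described above by reading `ls -Z` output and printing every entry whose SELinux type is not the expected `mnt_t`. The function names, UUIDs and NFS host name are constructed for illustration, and it assumes paths contain no whitespace.

```shell
#!/bin/sh
# Flag entries whose SELinux type differs from the expected one.
# Input: `ls -Z` / `ls -dZ` lines on stdin. Output: "<actual_type> <path>".

EXPECTED_TYPE="mnt_t"   # type shown for /rhev in the semanage listing above

find_mislabeled() {
    awk -v want="$1" '
    {
        for (i = 1; i <= NF; i++) {
            # A context token looks like user_u:role_r:type:level. Stop at
            # the first one so colons in the path (NFS mount directories
            # are named host:_export) are never parsed as a context.
            n = split($i, c, ":")
            if (n >= 4 && c[1] ~ /_u$/ && c[2] ~ /_r$/) {
                path = $(i + 1)   # ls -Z prints the path right after it
                if (c[3] != want) print c[3], path
                next
            }
        }
        # Lines without a context (blank lines, "dir:" headers) are skipped.
    }'
}

# Constructed sample: the first three lines use the older layout with
# mode/owner/group columns, the last one the context-first layout.
sample_listing() {
cat <<'EOF'
drwxr-xr-x. vdsm kvm system_u:object_r:mnt_t:s0     /rhev/data-center/mnt
drwxr-xr-x. vdsm kvm system_u:object_r:default_t:s0 /rhev/data-center/00000000-0000-0000-0000-000000000001
lrwxrwxrwx. vdsm kvm system_u:object_r:default_t:s0 /rhev/data-center/00000000-0000-0000-0000-000000000001/00000000-0000-0000-0000-000000000002 -> /rhev/data-center/mnt/nfs.example:_export/00000000-0000-0000-0000-000000000002

/rhev/data-center/mnt/nfs.example:_export:
system_u:object_r:mnt_t:s0 /rhev/data-center/mnt/nfs.example:_export
EOF
}

# Demo on the constructed sample. On a host, feed it real output instead:
#   ls -dZ /rhev/data-center/* /rhev/data-center/mnt/* | find_mislabeled "$EXPECTED_TYPE"
sample_listing | find_mislabeled "$EXPECTED_TYPE"
```

An empty result means every listed entry carries the expected type; any line printed names a directory or soft link to inspect.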