Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1045040 - /var/lib/libvirt/qemu permissions are wrong
Summary: /var/lib/libvirt/qemu permissions are wrong
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Virtualization Tools
Classification: Community
Component: libvirt
Version: unspecified
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Libvirt Maintainers
QA Contact:
URL:
Whiteboard:
Depends On: 1045069
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-12-19 13:59 UTC by Richard W.M. Jones
Modified: 2016-04-10 17:21 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-04-10 17:21:40 UTC
Embargoed:

Attachments (Terms of Use)

Description Richard W.M. Jones 2013-12-19 13:59:58 UTC 
Currently:

drwxr-x---.  6 qemu qemu 4096 Dec 19 12:56 .

Dan thinks we should actually create subdirectories under
here for every guest, with the guest's uid:gid as the owner
of the subdirectory, allowing qemu to run as arbitrary
uid:gid and still access its monitor socket.

Version-Release number of selected component (if applicable):

libvirt 1.1.3 on Fedora 19

Also the same on Fedora 20.
Comment 1 Richard W.M. Jones 2014-01-09 16:57:32 UTC 
libvirt currently creates the monitor sockets directly in
/var/lib/libvirt/qemu/ eg:

$ sudo ls -l /var/lib/libvirt/qemu/
total 16
srwxr-xr-x. 1 qemu qemu    0 Jan  6 16:00 builder-rhel6.monitor
srwxr-xr-x. 1 qemu qemu    0 Dec 20 22:04 builder-rhel7.monitor
[etc]

The problem is this doesn't work if we told libvirt to run qemu as
another UID, which is possible (albeit undocumented):

  <seclabel model='dac' type='static'> <label>user:group</label> </seclabel>

If you do that you'll find that qemu won't be able to access the
monitor socket in some situations.

To fix this, libvirt should create a subdirectory per guest.  The
permissions on /var/lib/libvirt/qemu/ should be relaxed, and the owner
or SELinux label of /var/lib/libvirt/qemu/<guestname> should be set so
qemu can access it.

(I suspect the monitor sockets should really go in /run, but the
same arguments apply)
Comment 2 Paul Wouters 2015-10-13 19:31:06 UTC 
I agree. for libreswan we run a test suite with libvirt where our own user 'build' creates the vms and every libvirt update my tests start failing and I have to run:


chmod g+w /var/lib/libvirt/qemu/

So at least group qemu write permissions would be nice.
Comment 3 Cole Robinson 2016-04-10 17:21:40 UTC 
Upstream libvirt does this nowadays:

$ sudo ls /var/lib/libvirt/qemu/
channel  domain-9-f23  dump  nvram  save  snapshot

Where domain-9-f23 is used for the monitor socket for running vm name=f23 id=9
Note You need to log in before you can comment on or make changes to this bug.