Re: [PATCH] spec: Yet another permission fix for qemu dirs

On Wed, Feb 25, 2015 at 09:50:27AM +0100, Martin Kletzander wrote:
> Since we autogenerate path for QEMU guest agent into
> LOCALSTATEDIR /lib/libvirt/qemu/channel/target/, the process should be
> able to access that socket no matter under what user/group it is
> running so you can set the user/group in qemu.conf.
> 
> Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1146886

>  %config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.qemu
>  %dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/qemu/
>  %ghost %dir %attr(0700, root, root) %{_localstatedir}/run/libvirt/qemu/
> -%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/
> -%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/
> -%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/target/
> +%dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/
> +%dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/
> +%dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/target/
>  %dir %attr(0711, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/nvram/
>  %dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/cache/libvirt/qemu/
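Review bot: the three `+` lines change only the other-execute bit (0750 to 0751), which grants path traversal but not the ability to create or list entries, so a process running under a user/group other than %{qemu_user}/%{qemu_group} still cannot create a socket under channel/target/. The commit message should say which process creates the socket and which one only needs to reach it. The change also makes the parent %{_localstatedir}/lib/libvirt/qemu/ searchable by every local user, which goes beyond the channel/target/ path the message names, and a spec comment explaining why these three use 0751 while nvram/ in the context line below uses 0711 would help.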

I'm confused how this solves the problem.  If I edit a guest and add

  <seclabel type='static' model='dac' relabel='yes'>
    <label>berrange:berrange</label>
  </seclabel>

And launch it, it fails to create the QEMU monitor socket

  error: Failed to start domain serial
  error: internal error: process exited while connecting to monitor: 2015-02-25T13:26:51.620498Z qemu-system-x86_64: -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/serial.monitor,server,nowait: Failed to bind socket: Permission denied
  2015-02-25T13:26:51.620608Z qemu-system-x86_64: -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/serial.monitor,server,nowait: chardev: opening backend "socket" failed

Because a process running berrange:berrange does not have write permission on
the /var/lib/libvirt/qemu directory.

Changing the mode to 0751 doesn't do anything to solve that. After setting the
dir to mode 0751 qemu still gets the same permission denied when creating the
monitor socket as it still lacks write permission.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
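
The permission reasoning in the reply above, worked through as an added example that is not part of the original message or of libvirt. It models plain POSIX mode bits only (no root/capabilities, ACLs or SELinux); the numeric ids and the 0755 root-owned parent directories are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed ids for illustration; real values differ per host.
QEMU_UID, QEMU_GID = 107, 107          # stands in for %{qemu_user}/%{qemu_group}
OTHER_UID, OTHER_GID = 1000, 1000      # stands in for berrange:berrange

@dataclass(frozen=True)
class Dir:
    path: str
    uid: int
    gid: int
    mode: int

def granted_bits(d, uid, gids):
    """POSIX DAC uses exactly one class: owner, else group, else other."""
    if uid == d.uid:
        return (d.mode >> 6) & 7
    if d.gid in gids:
        return (d.mode >> 3) & 7
    return d.mode & 7

def can_create_socket(chain, uid, gids):
    """chain lists the directories from / down to the one holding the socket."""
    for d in chain:
        if not granted_bits(d, uid, gids) & 1:      # x: search/traverse
            return False, f"no search (x) permission on {d.path}"
    if not granted_bits(chain[-1], uid, gids) & 2:  # w: add a directory entry
        return False, f"no write (w) permission on {chain[-1].path}"
    return True, "ok"

def chain_for(qemu_dir_mode):
    # Parent modes of 0755 root:root are an assumption.
    parents = [Dir(p, 0, 0, 0o755)
               for p in ("/", "/var", "/var/lib", "/var/lib/libvirt")]
    return parents + [Dir("/var/lib/libvirt/qemu", QEMU_UID, QEMU_GID, qemu_dir_mode)]

if __name__ == "__main__":
    for mode in (0o750, 0o751):
        print(oct(mode), "other user:",
              can_create_socket(chain_for(mode), OTHER_UID, {OTHER_GID}))
    print("0o751 qemu user:",
          can_create_socket(chain_for(0o751), QEMU_UID, {QEMU_GID}))
```

With 0750 the other user is stopped at traversal; with 0751 traversal succeeds and the failure moves to the write check, which matches the unchanged "Permission denied" on bind.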




