[Resolved] virt-manager cannot create VMs: permission denied

Unable to complete install: 'can't connect to virtlogd: Unable to open file: /var/log/libvirt/qemu/linux2022.log: Permission denied'

Traceback (most recent call last):
  File "/app/share/virt-manager/virtManager/asyncjob.py", line 71, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/app/share/virt-manager/virtManager/createvm.py", line 2008, in _do_async_install
    installer.start_install(guest, meter=meter)
  File "/app/share/virt-manager/virtinst/install/installer.py", line 726, in start_install
    domain = self._create_guest(
             ^^^^^^^^^^^^^^^^^^^
  File "/app/share/virt-manager/virtinst/install/installer.py", line 667, in _create_guest
    domain = self.conn.createXML(initial_xml or final_xml, 0)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/app/lib/python3.12/site-packages/libvirt.py", line 4545, in createXML
    raise libvirtError('virDomainCreateXML() failed')
libvirt.libvirtError: can't connect to virtlogd: Unable to open file: /var/log/libvirt/qemu/linux2022.log: Permission denied
Solution:
/var/lib/libvirt/images worked
81 Replies
tulip🌷
tulip🌷2mo ago
man 😭
tulip🌷
tulip🌷2mo ago
all there first 3 are you.
Raevenant
RaevenantOP2mo ago
yes 😂 the curse continues
tulip🌷
tulip🌷2mo ago
this is most likely a libvirt workaround not getting run lets just see if the flatpak works for you now that its getting built
Raevenant
RaevenantOP2mo ago
I wonder if I need the kvmfr module or smth? there were a lot of options in the ujust setup-virtualization command
Raevenant
RaevenantOP2mo ago
I already added myself to the libvirt group too, so I would've thought the permissions would work fine
tulip🌷
tulip🌷2mo ago
nope maybe its the libvirtd group? everything else should not be necessary oh damn
Raevenant
RaevenantOP2mo ago
nathaniel wheel libvirt
tulip🌷
tulip🌷2mo ago
i am pretty sure its selinux being amazing as always
Raevenant
RaevenantOP2mo ago
ok, so selinux didn't work, the exact same error is still there 😭
HikariKnight
HikariKnight2mo ago
make sure the location exists to begin with?
sudo ls /var/log/libvirt/
we had the swtpm location not exist so wouldnt surprise me this is a new packaging thing we need to manually fix once again in the ujust
Raevenant
RaevenantOP2mo ago
it does yeah. The log doesn't, but I assume that the permission denied is due to not being able to write
it is write protected though
location owned by root
HikariKnight
HikariKnight2mo ago
yep
Raevenant
RaevenantOP2mo ago
thats actually more restrictive than mine tho
HikariKnight
HikariKnight2mo ago
virtlogd runs fine for me though
try
systemctl status virtlogd
Raevenant
RaevenantOP2mo ago
virtlogd.service - libvirt logging daemon
Loaded: loaded (/usr/lib/systemd/system/virtlogd.service; disabled; preset: disabled)
Drop-In: /usr/lib/systemd/system/service.d
└─10-timeout-abort.conf, 50-keep-warm.conf
Active: active (running) since Thu 2025-01-09 12:57:26 MST; 40min ago
Invocation: 42f870039c9240b4898bb412f24e84de
TriggeredBy: ● virtlogd.socket
virtlogd-admin.socket
Docs: man:virtlogd(8)
https://libvirt.org/
Main PID: 6971 (virtlogd)
Tasks: 1 (limit: 74210)
Memory: 2.5M (peak: 4M)
CPU: 41ms
CGroup: /system.slice/virtlogd.service
└─6971 /usr/sbin/virtlogd

Jan 09 12:57:26 bazzite systemd[1]: Starting virtlogd.service - libvirt logging daemon...
Jan 09 12:57:26 bazzite systemd[1]: Started virtlogd.service - libvirt logging daemon.
Jan 09 12:57:26 bazzite virtlogd[6971]: libvirt version: 10.6.0, package: 6.fc41 (Fedora Project, 2024-12-14-19:10:41, )
Jan 09 12:57:26 bazzite virtlogd[6971]: hostname: bazzite
Jan 09 12:57:26 bazzite virtlogd[6971]: Unable to open file: /var/log/libvirt/qemu/parrotsec.log: Permission denied
Jan 09 12:57:26 bazzite virtlogd[6971]: Unable to open file: /var/log/libvirt/qemu/parrotsec.log: Permission denied
HikariKnight
HikariKnight2mo ago
journalctl -t virtlogd
only thing i can think of is just
sudo restorecon -r /var/log/libvirt
Raevenant
RaevenantOP2mo ago
-- No entries --
OH that made it progress further actually
new error:
Unable to complete install: 'internal error: QEMU unexpectedly closed the monitor (vm='linux2022'): 2025-01-09T21:16:10.787919Z qemu-system-x86_64: -blockdev {"driver":"file","filename":"/var/home/nathaniel/Downloads/Parrot-htb-6.2_amd64.iso","node-name":"libvirt-1-storage","read-only":true}: Could not open '/var/home/nathaniel/Downloads/Parrot-htb-6.2_amd64.iso': Permission denied'

Traceback (most recent call last):
  File "/app/share/virt-manager/virtManager/asyncjob.py", line 71, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/app/share/virt-manager/virtManager/createvm.py", line 2008, in _do_async_install
    installer.start_install(guest, meter=meter)
  File "/app/share/virt-manager/virtinst/install/installer.py", line 726, in start_install
    domain = self._create_guest(
             ^^^^^^^^^^^^^^^^^^^
  File "/app/share/virt-manager/virtinst/install/installer.py", line 667, in _create_guest
    domain = self.conn.createXML(initial_xml or final_xml, 0)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/app/lib/python3.12/site-packages/libvirt.py", line 4545, in createXML
    raise libvirtError('virDomainCreateXML() failed')
libvirt.libvirtError: internal error: QEMU unexpectedly closed the monitor (vm='linux2022'): 2025-01-09T21:16:10.787919Z qemu-system-x86_64: -blockdev {"driver":"file","filename":"/var/home/nathaniel/Downloads/Parrot-htb-6.2_amd64.iso","node-name":"libvirt-1-storage","read-only":true}: Could not open '/var/home/nathaniel/Downloads/Parrot-htb-6.2_amd64.iso': Permission denied
now it doesn't like that my iso is in my downloads folder
but putting it in /tmp didn't work either
its weird too, because virt-manager had the permissions required to modify the owner of the file, but for some reason can't read it??
Raevenant
RaevenantOP2mo ago
it doesn't appear to be an selinux thing. I set selinux to be permissive and tried again, and it still didn't work. I'm at a complete loss here, this is pretty far out of my current depth 😅
HikariKnight
HikariKnight2mo ago
because its still selinux probably needs this rule

module my-libvirt 1.0;

require {
type unlabeled_t;
type svirt_t;
class process execmem;
class file { open read };
}

#============= svirt_t ==============

#!!!! This avc is allowed in the current policy
allow svirt_t self:process execmem;

#!!!! This avc is allowed in the current policy
allow svirt_t unlabeled_t:file { open read };

iirc this should let you give it access to any random file that is unlabeled
Raevenant
RaevenantOP2mo ago
idk how to apply this actually. I've never messed with selinux
HikariKnight
HikariKnight2mo ago
make it into a file named my-libvirt.te then just do what we did for kvmfr
checkmodule -M -m -o "$HOME/.config/selinux_te/mod/kvmfr.mod" "$HOME/.config/selinux_te/kvmfr.te"
semodule_package -o "$HOME/.config/selinux_te/pp/kvmfr.pp" -m "$HOME/.config/selinux_te/mod/kvmfr.mod"
sudo semodule -i "$HOME/.config/selinux_te/pp/kvmfr.pp"
just change it to match
first line converts the .te to a .mod
2nd one packages the .mod as a .pp
then last one installs the selinux module policy
Raevenant
RaevenantOP2mo ago
Did we do something with kvmfr? I don't think I did
HikariKnight
HikariKnight2mo ago
the lines are yanked out from the ujust if you read them since i said "do what we did for kvmfr" i was busy making sure my food didnt start a fire in the kitchen
Raevenant
RaevenantOP2mo ago
I never did the kvmfr module. Do I need to?
Lmao how dare 😂
HikariKnight
HikariKnight2mo ago
then read my message
HikariKnight
HikariKnight2mo ago
i gave you the policy i have for libvirt
Raevenant
RaevenantOP2mo ago
Right so do I need to do the "enable kvmfr module" in the ujust command? Because I haven't done that yet if I need to
HikariKnight
HikariKnight2mo ago
save it as .te do what our kvmfr does for its policy but just you know, edit the path to match for your .te file please read what i am saying
Raevenant
RaevenantOP2mo ago
I'm trying
HikariKnight
HikariKnight2mo ago
save as whatever.te
Raevenant
RaevenantOP2mo ago
Aight I'll go back and do the thing then. Sounds like I don't need the ujust bit
HikariKnight
HikariKnight2mo ago
then do whats done here but change it so instead of kvmfr its whatever you named your file but keep the extensions, change the path to wherever the file is
Raevenant
RaevenantOP2mo ago
ok, so I don't have an selinux_te directory in my ~/.config do the directory locations matter or am I just converting files and applying at the end?
HikariKnight
HikariKnight2mo ago
change the path to wherever the .te file you made is and change the other paths to match too as each will make a new file last one will use the final file and apply the policy to selinux
Raevenant
RaevenantOP2mo ago
ok cool I think I'm following gimme sec
HikariKnight
HikariKnight2mo ago
good because i have now repeated myself 3 times 😂 and if you want to keep the files organized just make the selinux_te folder and stuff and put it all there
Raevenant
RaevenantOP2mo ago
ok, I think I applied it. How would I check?
HikariKnight
HikariKnight2mo ago
restart virt manager and try?
Raevenant
RaevenantOP2mo ago
no dice
HikariKnight
HikariKnight2mo ago
try sudo selinux -R and try again if that doesnt work then we will go more nuclear
HikariKnight
HikariKnight2mo ago
sorry semodule its late here
Raevenant
RaevenantOP2mo ago
haha no worries time for nuclear ig lmao same error
HikariKnight
HikariKnight2mo ago
ok
sudo semodule -r my-libvirt; rm my-libvirt.*
then
sudo grep libvirt /var/log/audit/audit.log | audit2allow -M my-libvirt
whatever libvirt is complaining about it will be given access
Raevenant
RaevenantOP2mo ago
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-libvirt.pp
HikariKnight
HikariKnight2mo ago
yep do as it says
Raevenant
RaevenantOP2mo ago
oh wait hangon
oh ok I didn't do this bit
sudo rm my-libvirt.*
HikariKnight
HikariKnight2mo ago
if it made the pp file then its fine to not have run it
Raevenant
RaevenantOP2mo ago
uhh
HikariKnight
HikariKnight2mo ago
check your spelling 😂
Raevenant
RaevenantOP2mo ago
ok cool, I applied it try again I assume?
HikariKnight
HikariKnight2mo ago
at least i will go to bed in high spirits at this point haha yup and if this doesnt work try a reboot
Raevenant
RaevenantOP2mo ago
glad I could raise them hahaha
HikariKnight
HikariKnight2mo ago
since we should have gone full "libvirt do whatever you were denied"
Raevenant
RaevenantOP2mo ago
ok no dice, time for a reboot. brb same error after reboot
HikariKnight
HikariKnight2mo ago
could also be that you need to move your isos to be in a system location not in home
Raevenant
RaevenantOP2mo ago
I tried tmp, and it didn't like that. Maybe opt? oh it defaults to wanting /var/lib/libvirt/images I could try that too
HikariKnight
HikariKnight2mo ago
because only difference now is that mine are in /mnt/Orico/ISO with owner qemu:qemu with permissions 777 so i can still easily add isos to it
Raevenant
RaevenantOP2mo ago
HELLS YEAH
Solution
Raevenant
Raevenant2mo ago
/var/lib/libvirt/images worked
tulip🌷
tulip🌷2mo ago
oh my god LOL
Raevenant
RaevenantOP2mo ago
all that and it was just the damn location lmaooooo
HikariKnight
HikariKnight2mo ago
i am pretty sure it doesnt like grabbing isos from peoples home folders because thats a giant permission mess
Raevenant
RaevenantOP2mo ago
fascinating
is it a giant permission mess specifically because atomic, or is that just typically how it goes even on "normal" distros?
HikariKnight
HikariKnight2mo ago
well imagine you are specifically allowed to use the bar at a club, but the guard does not let you in because you're not allowed to, even though you are explicitly given permission to access the bar
same thing
libvirt does not have access to your home folder
Raevenant
RaevenantOP2mo ago
ahhhh I assumed the stuff was running under my user, but it's not is it?
HikariKnight
HikariKnight2mo ago
libvirt runs under qemu and libvirt
Raevenant
RaevenantOP2mo ago
ahhhh, there we go! 😄
HikariKnight
HikariKnight2mo ago
essentially pseudo root, but with restrictions to specific locations
Raevenant
RaevenantOP2mo ago
makes sense to me! thanks so much!! wild ride 😂
oh btw @HikariKnight is there anything I need to undo to put it back to what it was before (assuming that possibly the things we did aren't necessary)? or do you think that the selinux stuff was still likely necessary?
HikariKnight
HikariKnight2mo ago
you can keep the pp file and just remove the rule
sudo semodule -r my-libvirt
if you get issues just reapply it
sudo grep libvirt /var/log/audit/audit.log | audit2allow -M my-libvirt
sudo semodule -i my-libvirt.pp
Raevenant
RaevenantOP2mo ago
thanks a ton!!