I have an RHEL 9 system with SELinux enabled. My .iso files are stored in /mnt/big-stuff/files/vm-data/files,
and my .qcow2 files are stored in /mnt/big-stuff/vm-data/drives
When running a virtual machine, I get a permission denied error (for either the drive or .iso file, depending on the exact issue.
Run chcon -R system_u:object_r:virt_image_t:s0 <your-dir-here>
Notes:
- If you only want to do this for a file, not recursively for an entire directory and subdirectories, omit the
-R - To do all the stuff in a directory, but not in subdirectories, run
chcon system_u:object_r:virt_image_t:s0 <your-dir-here>/*
From these docs (Table 4.2)
| Type | SELinux Context | Description/Effect |
|---|---|---|
| Virtual Machine Processes | system_u:system_r:svirt_t: MCS1 | MCS1 is a randomly selected field. Currently approximately 500,000 labels are supported. |
| Virtual Machine Image | system_u:object_r:svirt_image_t: MCS1 | Only svirt_t processes with the same MCS1 fields are able to read/write these image files and devices. |
| Virtual Machine Shared Read/Write Content | system_u:object_r:svirt_image_t:s0 | All svirt_t processes are allowed to write to the svirt_image_t:s0 files and devices. |
| Virtual Machine Shared Shared Read Only content | system_u:object_r:svirt_content_t:s0 | All svirt_t processes are able to read files/devices with this label. |
| Virtual Machine Image | system_u:object_r:virt_content_t:s0 | System default label used when an image exits. No svirt_t virtual processes are allowed to read files/devices with this label. |