This was challenging to chase down. I’m putting this here for others in the future. I hope you find this.
Symptoms:
virt-manager works without issue with qemu:///system, but with qemu:///session it fails after clicking “begin installation” on a new VM. Similarly, it fails if you try to run an existing VM.
The same occurs if you try to run an existing VM using virsh start, which also uses the qemu:///session user session. They all fail with the error:
Unable to read ~/.config/libvirt/qemu/lib/domain-24-myvm/master-key.aes:
Failed to open file “~/.config/libvirt/qemu/lib/domain-24-myvm/master-key.aes”:
Permission denied
sudo setenforce 0 makes the problem go away.
sealert shows no (SELinux) AVC denials. journalctl gives no other information, but shows the error is logged under the virtqemud process.
Root cause:
The problem may be wrong SELinux labels in your home directory, possibly due to once trying to mount your home directory into a podman container with :Z or :z, which relabels everything.
Checking SELinux labels
Check everything from your home directory down to ~/.config/libvirt/qemu/lib with ls -lZ.
If there are MCS labels everywhere and lots of container_home_t in the security context (e.g. unconfined_u:object_r:container_home_t:c114,c580), these wrong labels are probably what’s preventing libvirt from accessing directories it should have access to.
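The check above as a small script: it walks from ~/.config/libvirt/qemu/lib up to your home directory and flags every label that looks like a container relabel. This is an added example, not part of the original post. The function names, the script name check-labels.sh, and the rule "any container_* type or any MCS category is suspect" are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): flag SELinux labels that look
# like leftovers of a container relabel on the path down to libvirt's
# session directory.

# classify_context CONTEXT -> prints "suspect", "ok" or "unknown".
# Assumption: on this path, a container_* type or any MCS category (c114,
# c580, ...) means the file was relabelled for a container.
classify_context() {
    ctx=$1
    case $ctx in
        *:*:*) ;;                          # user:role:type[:range]
        *) echo unknown; return 0 ;;       # e.g. "?" when SELinux is off
    esac
    rest=${ctx#*:}; rest=${rest#*:}        # drop user and role
    type=${rest%%:*}
    case $rest in
        *:*) range=${rest#*:} ;;           # everything after the type
        *)   range= ;;
    esac
    case $type in
        container_*) echo suspect; return 0 ;;
    esac
    case $range in
        c[0-9]*|*[,.:-]c[0-9]*) echo suspect ;;   # MCS category present
        *) echo ok ;;
    esac
}

# check_path_chain TARGET: print a verdict for TARGET and each parent
# directory up to $HOME; returns 1 if any label is suspect.
check_path_chain() {
    p=$1; bad=0
    while :; do
        ctx=$(stat -c %C -- "$p" 2>/dev/null) || ctx='?'
        verdict=$(classify_context "$ctx")
        printf '%-8s %-55s %s\n' "$verdict" "$ctx" "$p"
        if [ "$verdict" = suspect ]; then bad=1; fi
        if [ "$p" = "$HOME" ] || [ "$p" = / ] || [ "$p" = . ]; then break; fi
        p=$(dirname -- "$p")
    done
    return "$bad"
}

# Run as: sh check-labels.sh --check [PATH]   (hypothetical script name)
if [ "${1:-}" = --check ]; then
    check_path_chain "${2:-$HOME/.config/libvirt/qemu/lib}"
fi
```

The script only reads labels; a non-zero exit status means at least one directory on the path carries a suspect label.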
Solution:
To restore labels on everything:
sudo restorecon -vR -F ~/
Warning: This recursively restores the default security context on everything in your home directory.
Notes:
- The -F argument to restorecon is required. restorecon will otherwise skip most of these files with “not reset as customized by admin”.
Thanks to dimitris for:
- BZ2257088: Creating VM fails with permission denied for master-key.aes
- libvirt/libvirt#614: Creating new VM in user session fails with permission denied for master-key.aes
Which helped me understand the issue.