Using Samba share as source directory for libvirt images - help needed

Hi there,

I am trying to use a folder that I have mounted with samba/cifs as a pool for libvirt images.

I have set the virt_use_samba selinux parameter with sudo setsebool virt_use_samba 1 to allow libvirt to use samba. It works loading ISOs from a samba share, but unfortunately not disk images.

I have mounted the samba share with uid=0,gid=0,file_mode=0755,dir_mode=0755 in the /etc/fstab so that it gets mounted as root. I have also tried to mount it as my own user uid=1000 and gid=1000 which did not work either.

I am getting the following error from virt-manager trying to start a virtual machine:

Unable to complete install: 'internal error: QEMU unexpectedly closed the monitor (vm='almalinux9'): 2025-05-01T18:07:08.856208Z qemu-system-x86_64: -blockdev {"node-name":"libvirt-2-format","read-only":false,"driver":"qcow2","file":"libvirt-2-storage","backing":null}: Could not open '/mnt/share/images/test.qcow2': Permission denied'

I also set the selinux context for the directory:

sudo semanage fcontext -a -t svirt_image_t "/mnt/share/images(/.*)?"
sudo restorecon -vR /mnt/share/images

I am not sure where the problem is with this setup since I am not getting any denied messages in /var/log/audit/audit.log.

Any thoughts or help would be appreciated.

What does ls -alZ /mnt/share/images show? Are the permissions and SELinux labels what you expect them to be?

ls -al /mnt/share/images

total 4070
drwxr-xr-x  2 root root           0 May  1 20:37 .
drwxr-xr-x. 1 root root         328 May  1 18:30 ..
-rwxr-xr-x  1 root root 21478375424 May  1 20:06 test.qcow2

sudo semanage fcontext --list | grep /mnt/share/images

/mnt/share/images                                all files          system_u:object_r:virt_image_t:s0 
/mnt/share/images(/.*)?                          all files          system_u:object_r:svirt_image_t:s0 

So this is what I expected them to look like, however I am not sure what they are supposed to look like.

What irritates me is the label in virt-managers storage pool.

<pool type="dir">
  <name>pool</name>
  <uuid>6a53b501-f56f-46cb-8f46-8f04459e6a19</uuid>
  <capacity unit="bytes">97870860255</capacity>
  <allocation unit="bytes">391184384</allocation>
  <available unit="bytes">97870469070</available>
  <source>
  </source>
  <target>
    <path>/mnt/share/images</path>
    <permissions>
      <mode>0755</mode>
      <owner>0</owner>
      <group>0</group>
      <label>system_u:object_r:cifs_t:s0</label>
    </permissions>
  </target>
</pool>

That does seem a bit worrying. (But I don’t really know much about SELinux and Samba shares so I’m going on instinct really.)

I wonder whether the restorecon actually worked. I’m not sure that you can apply extended file attributes on CIFS, which might be a problem with updating labels.

Can you try ls -alZ /mnt/share/images ? With the Z flag, you’ll explicitly see what label your qcow file has.

ls -alZ /mnt/share/images

drwxr-xr-x  2 root root ?                                        0 May  1 20:37 .
drwxr-xr-x. 1 root root unconfined_u:object_r:mnt_t:s0         328 May  1 18:30 ..
-rwxr-xr-x  1 root root ?                              21478375424 May  1 20:06 test.qcow2

I set sudo setenforce 0 and the problem persists.

I figured it out.

I thought that libvirtd runs as root user by default but apparently that is not enough. I went into the /etc/libvirt/qemu.conf and specified user = root. Then a quick sudo systemctl daemon-reload and a sudo systemctl restart libvirtd and now I can boot virtual machines from images on the samba share.

Thank you for the ideas @pg-tips.

Edit: Still works after setting SELinux to enforcing with sudo setenforce 1.

1 Like