Qcow2 located inside veracrypt error: Access denied

Host system: Fedora Workstation.
I want to switch to KVM virt-manager instead of VirtualBox.
The Whonix guest machine volume is in my VeraCrypt volume.
I downloaded the KVM version and moved Whonix-Gateway.qcow2 and Whonix-Workstation.qcow2 inside the VeraCrypt volume.

I read on the wiki
sudo chmod og+xr /run/media/private/user/$container_name

entered this way

sudo chmod o+xr /media/veracrypt1
sudo chmod o+xr /media/VMs/Whonix-Gateway.qcow2

When I start the machine in virt-manager, an error appears:

Domain startup error: Failed to access storage file "/media/veracrypt1/VMs/Whonix-Gateway.qcow2" (on behalf of uid:107, gid:107): Access denied

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 71, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
    ~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 107, in tmpcb
    callback(*args, **kwargs)
    ~~~~~~~~^^^^^^^^^^^^^^^^^
  File "/usr/share/virt-manager/virtManager/object/libvirtobject.py", line 57, in newfn
    ret = fn(self, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/virtManager/object/domain.py", line 1384, in startup
    self._backend.create()
    ~~~~~~~~~~~~~~~~~~~~^^
  File "/usr/lib64/python3.13/site-packages/libvirt.py", line 1379, in create
    raise libvirtError('virDomainCreate() failed')
libvirt.libvirtError: Failed to access storage file "/media/veracrypt1/VMs/Whonix-Gateway.qcow2" (on behalf of uid:107, gid:107): Denied in
accesses

It’s a host operating system permission issue.

This is not an issue caused by any software developed by Whonix. This issue would also happen with any other qcow2 file from any other operating system vendor.

This issue is unspecific to Whonix.

It can be resolved as per:

So there is no need to depend on this forum for help.

This might be good. Folders need to be both “executable” [1] and readable.

But if the folder below (/media) must also be readable.

sudo chmod o+xr /media

The qcow2 file doesn’t need to be executable but it will also not cause an issue. But write permission will be required.

sudo chmod o+rw /media/VMs/Whonix-Gateway.qcow2

Ideally, KVM would use group permissions and only the group has read/write access. Dunno how that is implemented on Fedora.

Linux file permissions are quite difficult. That’s why I developed chmod-calc.

On top of that, AppArmor and/or SELinux (that might have been set up by sVirt) can also moderate file access. I don’t know that for Fedora.

That’s why the Whonix KVM chapter Image File Installation uses the distribution default folder /var/lib/libvirt/images. Otherwise, you would have to figure out Linux file permissions, AppArmor or SELinux (depending on what your distribution is using).

That’s a hell of a complicated mess. Related:


[1] linux - Why must a folder be executable? - Super User
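
An added example, not part of the forum posts: a small shell check that walks every component of the image path from the error message and reports the first one that would deny the hypervisor account. It assumes GNU stat and that uid/gid 107 is neither owner nor group member of any component (so only the "other" bits apply); the function names are hypothetical, and SELinux/AppArmor denials are not covered.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU stat, and that the hypervisor
# account (uid 107 in the error above) is neither owner nor group member of any
# path component, so only the "other" permission bits decide access.

# other_bits PATH: print the "other" octal digit (0-7) of PATH's mode.
other_bits() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    echo $((mode % 10))
}

# first_blocked FILE [BASE]: walk FILE one component at a time, starting below
# BASE (default: the root directory), and print the first component that denies
# access. Directories need search (x, value 1); the image needs read+write (6).
first_blocked() {
    base=${2:-}
    path=$base
    rest=${1#"$base"/}
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest="" ;;
        esac
        [ -n "$part" ] || continue
        path="$path/$part"
        bits=$(other_bits "$path") || { echo "$path (cannot stat)"; return 1; }
        if [ -d "$path" ]; then
            need=1
        else
            need=6
        fi
        if [ $((bits & need)) -ne "$need" ]; then
            echo "$path"
            return 1
        fi
    done
    return 0
}

# Usage on the host: first_blocked /media/veracrypt1/VMs/Whonix-Gateway.qcow2
```

An empty result with exit status 0 means the classic permission bits allow the whole path; a printed component is the one to fix with chmod.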