Bug 1261127
Summary: | ISO should be labelled virt_content_t so qemu:///session svirt can use it | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Paramjit Oberoi <p_s_oberoi> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED WONTFIX | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | 7.0 | CC: | ailan, crobinso, ghammer, lvrabec, mgrepl, michen, mmalik, nkinder, plautrba, p_s_oberoi, pvrabec, rmeggins, ssekidde, virt-maint, vrozenfe, yvugenfi |
Target Milestone: | rc | ||
Target Release: | 7.3 | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2017-10-12 12:16:48 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Paramjit Oberoi
2015-09-08 16:17:41 UTC
(In reply to Paramjit Oberoi from comment #0) > Mounting the ISO file in the VM fails due to SELinux errors. I had to run > the following command to get it to work: > > sudo chcon 'system_u:object_r:virt_content_t:s0' > /usr/share/virtio-win/virtio-win-0.1.102.iso I assume this is using boxes or qemu:///session? Regular user won't have the permissions to relabel the media so that makes sense. Probably need to get a change into selinux-policy to label this media correctly for us Yes, this was using boxes. I discovered the root cause it when I tried the same thing in VirtManager using qemu:///session, and it gave me a nice error message complaining about not being able to relabel the file. (Boxes just gave me a failure message without explanation.) (In reply to Paramjit Oberoi from comment #0) > Mounting the ISO file in the VM fails due to SELinux errors. I had to run > the following command to get it to work: > > sudo chcon 'system_u:object_r:virt_content_t:s0' > /usr/share/virtio-win/virtio-win-0.1.102.iso What errors are you getting? Is it still relevant? Do you still see SELinux denials when re-running the scenario? Sorry for the lack of updates. I'm pretty sure I have reinstalled virtio-win since filing this bug, and I have not run into this problem again. I haven't tried it on a freshly installed system though. Given the lack of me-too comments here, I'd say it's safe to close this. We're going to close this bug as WONTFIX because * of limited capacity of selinux-policy developers * the bug is related to EPEL component or 3rd party SW only * the bug appears in unsupported configuration We believe this bug can be fixed via a local policy module. For more information please see: * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow If you disagree, please re-open the bug. We're going to close this bug as WONTFIX because * of limited capacity of selinux-policy developers * the bug is related to EPEL component or 3rd party SW only * the bug appears in unsupported configuration We believe this bug can be fixed via a local policy module. For more information please see: * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow If you disagree, please re-open the bug. |