Bug 496442

Summary: libvirt only relabels disks *after* hotplugging them into QEMU
Product: [Fedora] Fedora
Component: libvirt
Version: 11
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Reporter: James <theholyettlz>
Assignee: Daniel Veillard <veillard>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: berrange, clalance, crobinso, erik, itamar, markmc, mjw, veillard, virt-maint
Fixed In Version: 0.6.2-14.fc11
Doc Type: Bug Fix
Last Closed: 2009-08-15 04:30:34 EDT
Bug Blocks: 480594

Description James 2009-04-19 04:55:05 EDT
Created attachment 340217 [details]
Audit message

Description of problem:
I'm trying to use a USB storage device with a qemu-kvm guest by attaching the block device (/dev/sdc) as a USBMS device. SELinux appears to be blocking it. I'll attach the audit messages containing the full details. Note that one pertains to hal-addon-storage.
Comment 1 James 2009-04-19 04:55:27 EDT
Created attachment 340218 [details]
Audit message
Comment 2 James 2009-04-19 04:55:49 EDT
Created attachment 340219 [details]
Audit message
Comment 3 James 2009-04-19 04:56:27 EDT
Created attachment 340220 [details]
Audit message
Comment 4 Daniel Walsh 2009-04-20 08:10:42 EDT
You have combined two bugs together, I believe.  The first one is that hal can not read a blk device labeled svirt_image_t, which is fixed in 

Fixed in selinux-policy-3.6.12-9.fc11.noarch

The second one looks like libvirt did not relabel a usb device to the appropriate svirt_image_t label, which I believe is a bug in libvirt.
Comment 5 Mark McLoughlin 2009-04-20 09:09:32 EDT
James: could you try with selinux-policy-3.6.12-9.fc11 and attach your guest xml config and log file from /var/log/libvirt/qemu/${guest}.log?
Comment 6 Bug Zapper 2009-06-09 10:06:27 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
Comment 7 Daniel Berrange 2009-08-04 11:47:44 EDT
Upstream fix is in

commit 1795bfe4a177a5eff1b3b0a16d56df6f371c0f8e
Author: Daniel P. Berrange <berrange@redhat.com>
Date:   Mon Jul 6 16:01:55 2009 +0100

    Fix SELinux denial during hotplug
    * src/qemu_driver.c: Relabel disk images *before* running QEMU
    hotplug monitor commands
Comment 8 Daniel Berrange 2009-08-05 12:08:08 EDT
Built fix into libvirt-0.6.2-14.fc11
Comment 9 Fedora Update System 2009-08-05 12:13:00 EDT
libvirt-0.6.2-14.fc11 has been submitted as an update for Fedora 11.
Comment 10 Fedora Update System 2009-08-07 01:00:43 EDT
libvirt-0.6.2-14.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update libvirt'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-8333
Comment 11 Daniel Berrange 2009-08-12 05:26:20 EDT
*** Bug 513968 has been marked as a duplicate of this bug. ***
Comment 12 Fedora Update System 2009-08-15 04:30:03 EDT
libvirt-0.6.2-14.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Erik Logtenberg 2009-10-12 09:59:10 EDT
I still receive this error: "SELinux is preventing qemu-system-x86 (svirt_t) "read" removable_device_t." when starting a virtual guest with virt-manager (Windows from a bootable DVD).

Nevertheless, I have libvirt-0.6.2-18.fc11.x86_64 installed, so it should contain the above-mentioned bugfix, right?

Raw Audit Messages:

node=xxx type=AVC msg=audit(1255355278.921:45634): avc: denied { read } for pid=27111 comm="qemu-system-x86" path="/dev/sr0" dev=tmpfs ino=741 scontext=system_u:system_r:svirt_t:s0:c104,c517 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file

node=xxx type=SYSCALL msg=audit(1255355278.921:45634): arch=c000003e syscall=0 success=yes exit=0 a0=8 a1=7f8bf5270200 a2=800 a3=27 items=0 ppid=1 pid=27111 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=12 comm="qemu-system-x86" exe="/usr/bin/qemu-system-x86_64" subj=system_u:system_r:svirt_t:s0:c104,c517 key=(null)

Anything else I can do to help trace this error message?
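A triage sketch for AVC records like the one quoted in comment 13, added here as an example and not part of the original report or of libvirt: it flags denials where an svirt_t guest touched a disk that does not carry svirt_image_t (the label comment 4 says libvirt should have applied). The function names are hypothetical, and the MCS category comparison goes beyond what the thread discusses; it assumes the usual sVirt convention that a guest's image carries the same categories as its process.

```python
import re

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_context(ctx):
    """user:role:type:level[:categories] -> (type, categories)."""
    parts = ctx.split(':', 4)
    if len(parts) < 3:
        return '', ''
    return parts[2], (parts[4] if len(parts) > 4 else '')

def classify(line):
    """Classify one audit line; None if it is not an sVirt disk denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if 'scontext' not in rec or 'tcontext' not in rec:
        return None
    stype, scats = split_context(rec['scontext'])
    ttype, tcats = split_context(rec['tcontext'])
    if stype != 'svirt_t' or rec.get('tclass') not in ('blk_file', 'file'):
        return None
    path = rec.get('path', '?')
    if ttype != 'svirt_image_t':
        # Target never got the sVirt image label (not relabelled, or relabelled too late).
        return ('not-relabelled', path, ttype)
    if scats != tcats:
        # Labelled for sVirt, but with a different guest's MCS categories (assumption).
        return ('category-mismatch', path, tcats)
    return ('labelled-but-denied', path, ttype)

def triage(lines):
    """Return the findings for every sVirt disk denial in an iterable of audit lines."""
    return [r for r in map(classify, lines) if r is not None]

# Sample input: line 1 reuses the AVC record from comment 13; lines 2-3 are constructed.
SAMPLE = [
    'type=AVC msg=audit(1255355278.921:45634): avc: denied { read } for pid=27111 comm="qemu-system-x86" path="/dev/sr0" dev=tmpfs ino=741 scontext=system_u:system_r:svirt_t:s0:c104,c517 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file',
    'type=AVC msg=audit(0.0:1): avc: denied { write } for pid=1 comm="qemu-kvm" path="/dev/sdc" dev=tmpfs ino=1 scontext=system_u:system_r:svirt_t:s0:c1,c2 tcontext=system_u:object_r:svirt_image_t:s0:c3,c4 tclass=blk_file',
    'type=SYSCALL msg=audit(1255355278.921:45634): arch=c000003e syscall=0 success=yes exit=0 comm="qemu-system-x86" subj=system_u:system_r:svirt_t:s0:c104,c517',
]

if __name__ == '__main__':
    for finding in triage(SAMPLE):
        print(finding)
```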
Comment 14 Mark McLoughlin 2009-10-13 06:24:18 EDT
(In reply to comment #13)
> I still receive this error: "SELinux is preventing qemu-system-x86 (svirt_t)
> "read" removable_device_t."

I don't think this is related to the original issue tracked by this bz. Could you file a new bug please?

See http://fedoraproject.org/wiki/Reporting_virtualization_bugs for the kind of info that would be helpful