Bug 513968

Summary: svirt preventing attaching a dvd/cdrom in virt-manager
Product: [Fedora] Fedora Reporter: Mark Wielaard <mjw>
Component: virt-managerAssignee: Daniel Berrangé <berrange>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: high    
Version: 11CC: berrange, crobinso, dwalsh, hbrock, markmc, virt-maint
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-08-12 09:26:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 480594    

Description Mark Wielaard 2009-07-27 11:06:38 UTC 
Description of problem:

When trying to attach a dvd/cdrom to a running virtual machine you will get selinux denials and the cd doesn't show up in the guest.

Version-Release number of selected component (if applicable):

virt-manager-0.7.0-5.fc11.x86_64
qemu-kvm-0.10.5-3.fc11.x86_64

How reproducible:

Always

Steps to Reproduce:
1. Go to a running virtual machine details tab
2. Click on disk hdc
3. Click on connect and select a cdrom (/dev/sr0 in my case).
  
Actual results:

selinux denials, cd doesn't show in guest

Expected results:

cd does show up in guest

Additional info:

setroubleshooter says:


Summary:

SELinux is preventing qemu-kvm (svirt_t) "getattr" removable_device_t.

Detailed Description:

SELinux denied access requested by qemu-kvm. It is not expected that this access
is required by qemu-kvm and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:svirt_t:s0:c173,c806
Target Context                system_u:object_r:removable_device_t:s0
Target Objects                /dev/sr0 [ blk_file ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          springer.wildebeest.org
Source RPM Packages           qemu-system-x86-0.10.5-3.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-62.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     springer.wildebeest.org
Platform                      Linux springer.wildebeest.org
                              2.6.29.6-213.fc11.x86_64 #1 SMP Tue Jul 7 21:02:57
                              EDT 2009 x86_64 x86_64
Alert Count                   2
First Seen                    Mon 27 Jul 2009 12:55:48 PM CEST
Last Seen                     Mon 27 Jul 2009 01:01:02 PM CEST
Local ID                      3fd74f4b-93c5-4e97-94d1-ba2b8f95b22a
Line Numbers                  

Raw Audit Messages            

node=springer.wildebeest.org type=AVC msg=audit(1248692462.839:107): avc:  denied  { getattr } for  pid=22188 comm="qemu-kvm" path="/dev/sr0" dev=tmpfs ino=583 scontext=system_u:system_r:svirt_t:s0:c173,c806 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file

node=springer.wildebeest.org type=SYSCALL msg=audit(1248692462.839:107): arch=c000003e syscall=4 success=no exit=-13 a0=e79930 a1=7fffede4d6c0 a2=7fffede4d6c0 a3=9 items=0 ppid=1 pid=22188 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c173,c806 key=(null)



Summary:

SELinux is preventing qemu-kvm (svirt_t) "read" removable_device_t.

Detailed Description:

SELinux denied access requested by qemu-kvm. It is not expected that this access
is required by qemu-kvm and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:svirt_t:s0:c173,c806
Target Context                system_u:object_r:removable_device_t:s0
Target Objects                sr0 [ blk_file ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          springer.wildebeest.org
Source RPM Packages           qemu-system-x86-0.10.5-3.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-62.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     springer.wildebeest.org
Platform                      Linux springer.wildebeest.org
                              2.6.29.6-213.fc11.x86_64 #1 SMP Tue Jul 7 21:02:57
                              EDT 2009 x86_64 x86_64
Alert Count                   2
First Seen                    Mon 27 Jul 2009 12:55:48 PM CEST
Last Seen                     Mon 27 Jul 2009 01:01:02 PM CEST
Local ID                      d6715a71-5e7f-4f79-ab31-f18c2c977133
Line Numbers                  

Raw Audit Messages            

node=springer.wildebeest.org type=AVC msg=audit(1248692462.839:108): avc:  denied  { read } for  pid=22188 comm="qemu-kvm" name="sr0" dev=tmpfs ino=583 scontext=system_u:system_r:svirt_t:s0:c173,c806 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file

node=springer.wildebeest.org type=SYSCALL msg=audit(1248692462.839:108): arch=c000003e syscall=2 success=no exit=-13 a0=e79930 a1=1000 a2=1a4 a3=30 items=0 ppid=1 pid=22188 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c173,c806 key=(null)
Comment 1 Daniel Walsh 2009-08-11 22:22:36 UTC 
libvirt should have relabeled this to something svirt_t can read?
Comment 2 Daniel Berrangé 2009-08-12 09:26:20 UTC 

*** This bug has been marked as a duplicate of bug 496442 ***