Bug 536760

Summary: libvirt should pass readonly=on to qemu
Product: [Fedora] Fedora
Reporter: Serge Pavlovsky <pal666>
Component: libvirt
Assignee: Daniel Berrangé <berrange>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 14
CC: adagostino66, berrange, bobgus, clalance, crobinso, dave, dwalsh, hacataka, ingimar, itamar, jeremy.butler36, jforbes, karmstrong, markmc, mgrepl, mjs, pandaparag, paulmarc.bougharios, satimis, swuste, tarek.ahmed.omar, veillard, virt-maint, walkerrichardj
Target Milestone: ---
Keywords: Triaged
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard: setroubleshoot_trace_hash:6e45b905c83145aab17ee23fcd5b81e4c5d803fa44e195edba55c2a4a7d00624
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 556769 (view as bug list)
Environment:
Last Closed: 2010-11-17 19:27:55 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 537163
Bug Blocks: 498969

Description Serge Pavlovsky 2009-11-11 09:11:52 UTC
Summary:

SELinux is preventing /usr/bin/qemu-kvm "write" access on sr0.

Detailed Description:

[qemu-kvm is running in enforcing mode (svirt_t).
This action is not allowed.]

SELinux denied access requested by qemu-kvm. It is not expected that this access
is required by qemu-kvm and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:svirt_t:s0:c136,c886
Target Context                system_u:object_r:virt_content_t:s0
Target Objects                sr0 [ blk_file ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          underdark.thor.od.ua
Source RPM Packages           qemu-system-x86-0.11.0-11.fc12
Target RPM Packages           R
Policy RPM                    selinux-policy-3.6.32-41.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     underdark.thor.od.ua
Platform                      Linux underdark.thor.od.ua
                              2.6.31.5-127.fc12.x86_64 #1 SMP Sat Nov 7 21:11:14
                              EST 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 11 Nov 2009 10:59:58
Last Seen                     Wed 11 Nov 2009 10:59:58
Local ID                      247b391c-3766-45a9-ab32-ea1267c12338
Line Numbers                  

Raw Audit Messages

node=underdark.thor.od.ua type=AVC msg=audit(1257929998.809:139): avc:  denied  { write } for  pid=25245 comm="qemu-kvm" name="sr0" dev=tmpfs ino=3940 scontext=system_u:system_r:svirt_t:s0:c136,c886 tcontext=system_u:object_r:virt_content_t:s0 tclass=blk_file

node=underdark.thor.od.ua type=SYSCALL msg=audit(1257929998.809:139): arch=c000003e syscall=2 success=yes exit=128 a0=7fffb847a1a0 a1=1002 a2=1a4 a3=30 items=0 ppid=1 pid=25245 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c136,c886 key=(null)

Hash String generated from  selinux-policy-3.6.32-41.fc12,catchall,qemu-kvm,svirt_t,virt_content_t,blk_file,write
audit2allow suggests:

#============= svirt_t ==============
allow svirt_t virt_content_t:blk_file write;

Comment 1 Daniel Walsh 2009-11-11 18:32:59 UTC
If this device was a read/writable device it should have been given a different label

Comment 2 Daniel Berrangé 2009-11-11 18:39:48 UTC
Please provide the libvirt XML configuration for this guest and the log file. As root run

  virsh dumpxml GUESTNAME

and save

  /var/log/libvirt/qemu/$GUESTNAME.log

Comment 3 Serge Pavlovsky 2009-11-11 20:23:57 UTC
drive is r/w, but media was r/o


<domain type='kvm'>
  <name>xp</name>
  <uuid>e917f9ea-b05f-ad51-4cbd-9b447e5fc3c5</uuid>
  <memory>524288</memory>
  <currentMemory>524288</currentMemory>
  <vcpu>1</vcpu>
  <os>
    <type arch='x86_64' machine='pc-0.11'>hvm</type>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>
  <clock offset='localtime'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <emulator>/usr/bin/qemu-kvm</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw'/>
      <source file='/var/lib/libvirt/images/xp.img'/>
      <target dev='hda' bus='ide'/>
    </disk>
    <disk type='block' device='cdrom'>
      <driver name='qemu'/>
      <source dev='/dev/sr0'/>
      <target dev='hdc' bus='ide'/>
      <readonly/>
    </disk>
    <interface type='network'>
      <mac address='52:54:00:46:53:a5'/>
      <source network='default'/>
    </interface>
    <serial type='pty'>
      <source path='/dev/pts/4'/>
      <target port='0'/>
    </serial>
    <console type='pty' tty='/dev/pts/4'>
      <source path='/dev/pts/4'/>
      <target port='0'/>
    </console>
    <input type='tablet' bus='usb'/>
    <input type='mouse' bus='ps2'/>
    <graphics type='vnc' port='-1' autoport='yes'/>
    <sound model='es1370'/>
    <video>
      <model type='cirrus' vram='9216' heads='1'/>
    </video>
  </devices>
</domain>


LC_ALL=C PATH=/sbin:/usr/sbin:/bin:/usr/bin QEMU_AUDIO_DRV=none /usr/bin/qemu-kvm -S -M pc-0.11 -m 512 -smp 1 -name xp -uuid e917f9ea-b05f-ad51-4cbd-9b447e5fc3c5 -monitor unix:/var/lib/libvirt/qemu/xp.monitor,server,nowait -localtime -no-reboot -boot d -drive file=/var/lib/libvirt/images/xp.img,if=ide,index=0,format=raw -drive file=/dev/sr0,if=ide,media=cdrom,index=2 -net nic,macaddr=52:54:00:46:53:a5,vlan=0,name=nic.0 -net tap,fd=18,vlan=0,name=tap.0 -serial pty -parallel none -usb -usbdevice tablet -vnc 127.0.0.1:0 -vga cirrus -soundhw es1370 
char device redirected to /dev/pts/4
LC_ALL=C PATH=/sbin:/usr/sbin:/bin:/usr/bin QEMU_AUDIO_DRV=none /usr/bin/qemu-kvm -S -M pc-0.11 -m 512 -smp 1 -name xp -uuid e917f9ea-b05f-ad51-4cbd-9b447e5fc3c5 -monitor unix:/var/lib/libvirt/qemu/xp.monitor,server,nowait -localtime -boot c -drive file=/var/lib/libvirt/images/xp.img,if=ide,index=0,boot=on,format=raw -drive file=,if=ide,media=cdrom,index=2 -net nic,macaddr=52:54:00:46:53:a5,vlan=0,name=nic.0 -net tap,fd=18,vlan=0,name=tap.0 -serial pty -parallel none -usb -usbdevice tablet -vnc 127.0.0.1:0 -vga cirrus -soundhw es1370 
char device redirected to /dev/pts/4

Comment 4 Daniel Berrangé 2009-11-12 17:26:44 UTC
The root cause of this problem is a limitation of QEMU - we want CDROM devices to be readonly, and libvirt has them marked as such, but QEMU still tries to open them read-write.

I opened bug 537163 to get this fixed in QEMU
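
An added check (not part of this bug report, of libvirt or of QEMU) for the mismatch described above: given a domain XML and the qemu command line libvirt generated, it reports every disk marked <readonly/> in the XML whose -drive argument was not given readonly=on. The XML and command line below are constructed, trimmed copies of the ones posted in comment 3.

```python
import shlex
import xml.etree.ElementTree as ET

# Constructed, trimmed copies of the guest XML and qemu command line from this bug.
DOMAIN_XML = """<domain type='kvm'>
  <devices>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/xp.img'/>
      <target dev='hda' bus='ide'/>
    </disk>
    <disk type='block' device='cdrom'>
      <source dev='/dev/sr0'/>
      <target dev='hdc' bus='ide'/>
      <readonly/>
    </disk>
  </devices>
</domain>"""

QEMU_CMDLINE = ("/usr/bin/qemu-kvm -S -M pc-0.11 -m 512 -name xp "
                "-drive file=/var/lib/libvirt/images/xp.img,if=ide,index=0,format=raw "
                "-drive file=/dev/sr0,if=ide,media=cdrom,index=2 -vnc 127.0.0.1:0")


def readonly_sources(domain_xml):
    """Source paths of every disk libvirt marks <readonly/> in the domain XML."""
    root = ET.fromstring(domain_xml)
    paths = set()
    for disk in root.iter("disk"):
        src = disk.find("source")
        if disk.find("readonly") is not None and src is not None:
            paths.add(src.get("file") or src.get("dev"))
    return paths


def drive_options(cmdline):
    """Each -drive argument as a dict of its comma-separated key=value options."""
    argv = shlex.split(cmdline)
    return [dict(item.partition("=")[::2] for item in spec.split(","))
            for flag, spec in zip(argv, argv[1:]) if flag == "-drive"]


def missing_readonly(domain_xml, cmdline):
    """Readonly-in-XML sources whose -drive lacks readonly=on (the bug here)."""
    wanted = readonly_sources(domain_xml)
    return [d.get("file") for d in drive_options(cmdline)
            if d.get("file") in wanted and d.get("readonly") != "on"]


if __name__ == "__main__":
    print(missing_readonly(DOMAIN_XML, QEMU_CMDLINE))  # ['/dev/sr0']
```

With the command line libvirt actually generated here, /dev/sr0 is flagged; once readonly=on is added to that -drive, the check returns nothing.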

Comment 5 Mark McLoughlin 2009-11-19 12:01:36 UTC
There doesn't seem to be much special about this scenario. Any idea why we aren't seeing more of these AVCs?

Comment 6 Bob Gustafson 2009-11-21 06:11:29 UTC
I got the same message.

I thought I was trying to write to my regular hard disk - not the CDROM.

Somehow, on the 2nd try, the write to the hard disk succeeded - and I now have a running virtual machine with a disk footprint at:

[root@hoho6 images]# pwd
/var/lib/libvirt/images
[root@hoho6 images]# ls -l
total 1228804
-rw-------. 1 qemu qemu 20971520000 2009-11-20 23:03 t280rc-min-486.img
[root@hoho6 images]# 

I did not change the security setting.

SELinux Administration says:
Enforcing
Enforcing
targeted

curious

Comment 7 Daniel Walsh 2010-01-18 22:45:07 UTC
*** Bug 540174 has been marked as a duplicate of this bug. ***

Comment 8 Daniel Berrangé 2010-01-19 11:10:50 UTC
This is actively in progress upstream

http://lists.gnu.org/archive/html/qemu-devel/2010-01/msg01124.html

Comment 9 Miroslav Grepl 2010-01-22 14:49:45 UTC
*** Bug 557767 has been marked as a duplicate of this bug. ***

Comment 10 Miroslav Grepl 2010-01-25 12:22:07 UTC
*** Bug 558047 has been marked as a duplicate of this bug. ***

Comment 11 Miroslav Grepl 2010-01-25 12:25:00 UTC
*** Bug 558219 has been marked as a duplicate of this bug. ***

Comment 12 Miroslav Grepl 2010-01-25 12:27:02 UTC
*** Bug 558300 has been marked as a duplicate of this bug. ***

Comment 13 Miroslav Grepl 2010-02-02 11:53:56 UTC
*** Bug 560849 has been marked as a duplicate of this bug. ***

Comment 14 Daniel Walsh 2010-02-04 13:48:14 UTC
*** Bug 561764 has been marked as a duplicate of this bug. ***

Comment 15 Miroslav Grepl 2010-02-08 11:15:58 UTC
*** Bug 561376 has been marked as a duplicate of this bug. ***

Comment 16 Daniel Walsh 2010-03-01 15:07:53 UTC
*** Bug 569266 has been marked as a duplicate of this bug. ***

Comment 17 Daniel Veillard 2010-03-11 19:33:36 UTC
Tentative patch to fix this posted upstream,

https://www.redhat.com/archives/libvir-list/2010-March/msg00503.html

Daniel

Comment 18 Cole Robinson 2010-06-15 16:59:01 UTC
Since this required features that currently aren't even in a released qemu, it's unlikely this issue will be fixed in F12 or F13. Moving to rawhide.

Comment 19 Daniel Walsh 2010-06-15 20:53:19 UTC
We need a workaround for this in RHEL6?

Comment 21 Bug Zapper 2010-07-30 10:47:31 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 14 development cycle.
Changing version to '14'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 22 Cole Robinson 2010-11-17 19:27:55 UTC
AFAICT this is fixed in F14. Closing