Bug 537163

Summary: QEMU has no means to request a read-only disk with -drive
Product: [Fedora] Fedora
Reporter: Daniel Berrange <berrange>
Component: qemu
Assignee: Justin M. Forbes <jforbes>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 12
CC: adamplumb, berrange, clalance, crobinso, dave, dwalsh, dwmw2, gcosta, itamar, jaswinder, jforbes, ken, k.georgiou, loganjerry, markmc, mgrepl, pal666, quintela, robatino, veillard, virt-maint, ziaro40
Keywords: Triaged
Hardware: x86_64
OS: Linux
Whiteboard: setroubleshoot_trace_hash:6e45b905c83145aab17ee23fcd5b81e4c5d803fa44e195edba55c2a4a7d00624
Doc Type: Bug Fix
Last Closed: 2010-12-03 22:21:44 EST
Bug Blocks: 536760

Description Daniel Berrange 2009-11-12 12:25:42 EST
+++ This bug was initially created as a clone of Bug #536760 +++


SELinux is preventing /usr/bin/qemu-kvm "write" access on sr0.

Detailed Description:

[qemu-kvm is running in enforcing mode (svirt_t).
This action is not permitted.]

SELinux denied access requested by qemu-kvm. It is not expected that this access
is required by qemu-kvm and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug

Additional Information:

Source Context                system_u:system_r:svirt_t:s0:c136,c886
Target Context                system_u:object_r:virt_content_t:s0
Target Objects                sr0 [ blk_file ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          underdark.thor.od.ua
Source RPM Packages           qemu-system-x86-0.11.0-11.fc12
Target RPM Packages           R
Policy RPM                    selinux-policy-3.6.32-41.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     underdark.thor.od.ua
Platform                      Linux underdark.thor.od.ua
                              #1 SMP Sat Nov 7 21:11:14
                              EST 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 11 Nov 2009 10:59:58
Last Seen                     Wed 11 Nov 2009 10:59:58
Local ID                      247b391c-3766-45a9-ab32-ea1267c12338
Line Numbers

Raw Audit Messages

node=underdark.thor.od.ua type=AVC msg=audit(1257929998.809:139): avc:  denied  { write } for  pid=25245 comm="qemu-kvm" name="sr0" dev=tmpfs ino=3940 scontext=system_u:system_r:svirt_t:s0:c136,c886 tcontext=system_u:object_r:virt_content_t:s0 tclass=blk_file

node=underdark.thor.od.ua type=SYSCALL msg=audit(1257929998.809:139): arch=c000003e syscall=2 success=yes exit=128 a0=7fffb847a1a0 a1=1002 a2=1a4 a3=30 items=0 ppid=1 pid=25245 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c136,c886 key=(null)

Hash String generated from  selinux-policy-3.6.32-41.fc12,catchall,qemu-kvm,svirt_t,virt_content_t,blk_file,write
audit2allow suggests:

#============= svirt_t ==============
allow svirt_t virt_content_t:blk_file write;

--- Additional comment from dwalsh@redhat.com on 2009-11-11 13:32:59 EDT ---

If this device was a read/writable device it should have been given a different label

--- Additional comment from berrange@redhat.com on 2009-11-11 13:39:48 EDT ---

Please provide the libvirt XML configuration for this guest and the log file. As root run

  virsh dumpxml GUESTNAME

and save


--- Additional comment from pal@interexc.com on 2009-11-11 15:23:57 EDT ---

drive is r/w, but media was r/o

<domain type='kvm'>
  <!-- name, uuid, memory, vcpu and emulator taken from the qemu-kvm command line below -->
  <name>xp</name>
  <uuid>e917f9ea-b05f-ad51-4cbd-9b447e5fc3c5</uuid>
  <memory>524288</memory>
  <vcpu>1</vcpu>
  <os>
    <type arch='x86_64' machine='pc-0.11'>hvm</type>
    <boot dev='hd'/>
  </os>
  <clock offset='localtime'/>
  <devices>
    <emulator>/usr/bin/qemu-kvm</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw'/>
      <source file='/var/lib/libvirt/images/xp.img'/>
      <target dev='hda' bus='ide'/>
    </disk>
    <!-- host CD-ROM passed through as a block device; it carries the virt_content_t (read-only media) label -->
    <disk type='block' device='cdrom'>
      <driver name='qemu'/>
      <source dev='/dev/sr0'/>
      <target dev='hdc' bus='ide'/>
    </disk>
    <interface type='network'>
      <mac address='52:54:00:46:53:a5'/>
      <source network='default'/>
    </interface>
    <serial type='pty'>
      <source path='/dev/pts/4'/>
      <target port='0'/>
    </serial>
    <console type='pty' tty='/dev/pts/4'>
      <source path='/dev/pts/4'/>
      <target port='0'/>
    </console>
    <input type='tablet' bus='usb'/>
    <input type='mouse' bus='ps2'/>
    <graphics type='vnc' port='-1' autoport='yes'/>
    <sound model='es1370'/>
    <video>
      <model type='cirrus' vram='9216' heads='1'/>
    </video>
  </devices>
</domain>

LC_ALL=C PATH=/sbin:/usr/sbin:/bin:/usr/bin QEMU_AUDIO_DRV=none /usr/bin/qemu-kvm -S -M pc-0.11 -m 512 -smp 1 -name xp -uuid e917f9ea-b05f-ad51-4cbd-9b447e5fc3c5 -monitor unix:/var/lib/libvirt/qemu/xp.monitor,server,nowait -localtime -no-reboot -boot d -drive file=/var/lib/libvirt/images/xp.img,if=ide,index=0,format=raw -drive file=/dev/sr0,if=ide,media=cdrom,index=2 -net nic,macaddr=52:54:00:46:53:a5,vlan=0,name=nic.0 -net tap,fd=18,vlan=0,name=tap.0 -serial pty -parallel none -usb -usbdevice tablet -vnc -vga cirrus -soundhw es1370 
char device redirected to /dev/pts/4
LC_ALL=C PATH=/sbin:/usr/sbin:/bin:/usr/bin QEMU_AUDIO_DRV=none /usr/bin/qemu-kvm -S -M pc-0.11 -m 512 -smp 1 -name xp -uuid e917f9ea-b05f-ad51-4cbd-9b447e5fc3c5 -monitor unix:/var/lib/libvirt/qemu/xp.monitor,server,nowait -localtime -boot c -drive file=/var/lib/libvirt/images/xp.img,if=ide,index=0,boot=on,format=raw -drive file=,if=ide,media=cdrom,index=2 -net nic,macaddr=52:54:00:46:53:a5,vlan=0,name=nic.0 -net tap,fd=18,vlan=0,name=tap.0 -serial pty -parallel none -usb -usbdevice tablet -vnc -vga cirrus -soundhw es1370 
char device redirected to /dev/pts/4
Comment 1 Mark McLoughlin 2009-11-19 06:07:17 EST
Um, Dan - could you provide some more info on exactly what you need done on the qemu side?
Comment 2 Kevin Wolf 2009-11-19 06:19:18 EST
Upstream commit 59f2689d introduces a readonly option for -drive. Is this what you're looking for? (Though I haven't checked if it really works as expected)
Comment 3 Daniel Berrange 2009-11-19 06:28:34 EST
The core requirement is that we have a 'readonly' flag for -drive, and when that is given,  QEMU must *never* open a file with O_WRONLY or O_RDWR, it must only use O_RDONLY. Any attempt to open it for write will trigger this SELinux violation. Optionally it can set some flag against that drive such that the guest sees that it is read only, but that's merely a nice-to-have.  

It looks like 59f2689d should satisfy that, but will need to test it to be sure
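As an added example (not part of this bug report, QEMU, libvirt or setroubleshoot), a small Python checker over the AVC and SYSCALL records from the report above: it decodes the open(2) flags in a1 to show the write-mode open that Comment 3 says a readonly drive must never perform, and rebuilds the audit2allow rule to make clear why that rule is the wrong fix. The SYSCALL record is copied from the report with its uid fields trimmed.

```python
import re

# Audit records copied from this bug's setroubleshoot report; the checker itself is an added example.
AVC_LINE = ('node=underdark.thor.od.ua type=AVC msg=audit(1257929998.809:139): avc:  denied  '
            '{ write } for  pid=25245 comm="qemu-kvm" name="sr0" dev=tmpfs ino=3940 '
            'scontext=system_u:system_r:svirt_t:s0:c136,c886 '
            'tcontext=system_u:object_r:virt_content_t:s0 tclass=blk_file')
SYSCALL_LINE = ('node=underdark.thor.od.ua type=SYSCALL msg=audit(1257929998.809:139): '
                'arch=c000003e syscall=2 success=yes exit=128 a0=7fffb847a1a0 a1=1002 '
                'a2=1a4 a3=30 items=0 ppid=1 pid=25245 auid=4294967295 uid=107 gid=107 '
                'comm="qemu-kvm" exe="/usr/bin/qemu-kvm" '
                'subj=system_u:system_r:svirt_t:s0:c136,c886 key=(null)')

O_ACCMODE = 0o3                      # low two bits of the open(2) flags select the access mode
ACCESS_MODES = {0: 'O_RDONLY', 1: 'O_WRONLY', 2: 'O_RDWR'}
SYS_OPEN_X86_64 = '2'                # syscall 2 on arch=c000003e (x86_64) is open(2)

def parse_audit(line):
    """Turn one audit record into a dict; an AVC '{ perms }' set is kept under 'perms'."""
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    perms = re.search(r'\{ ([^}]*) \}', line)
    if perms:
        fields['perms'] = perms.group(1).split()
    return fields

def event_id(fields):
    """The audit(timestamp:serial) stamp that ties an AVC record to its SYSCALL record."""
    return re.search(r'audit\(([^)]*)\)', fields['msg']).group(1)

def open_access_mode(syscall):
    """For an x86_64 open(2) record, decode a1 (the flags argument) to its access mode."""
    if syscall.get('arch') != 'c000003e' or syscall.get('syscall') != SYS_OPEN_X86_64:
        return None
    return ACCESS_MODES[int(syscall['a1'], 16) & O_ACCMODE]

def readonly_media_write_denial(avc, syscall):
    """True for the pattern in this bug: a confined guest (svirt_t) opened read-only
    media (virt_content_t) for writing and SELinux denied the write permission."""
    if avc.get('type') != 'AVC' or event_id(avc) != event_id(syscall):
        return False
    stype, ttype = avc['scontext'].split(':')[2], avc['tcontext'].split(':')[2]
    return (stype == 'svirt_t' and ttype == 'virt_content_t'
            and avc['tclass'] == 'blk_file' and 'write' in avc.get('perms', [])
            and open_access_mode(syscall) in ('O_WRONLY', 'O_RDWR'))

def audit2allow_rule(avc):
    """The rule audit2allow prints for this AVC; applying it lets every guest write the media."""
    stype, ttype = avc['scontext'].split(':')[2], avc['tcontext'].split(':')[2]
    return 'allow %s %s:%s %s;' % (stype, ttype, avc['tclass'], ' '.join(avc['perms']))
```

The right fix is the one Comment 3 asks for: with a readonly -drive, QEMU opens the device with O_RDONLY and no AVC is raised at all, so the virt_content_t label keeps doing its job.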
Comment 4 Daniel Walsh 2009-12-01 15:25:44 EST
*** Bug 532478 has been marked as a duplicate of this bug. ***
Comment 5 Daniel Walsh 2009-12-01 15:26:15 EST
*** Bug 543105 has been marked as a duplicate of this bug. ***
Comment 6 Daniel Walsh 2009-12-01 15:26:55 EST
*** Bug 543117 has been marked as a duplicate of this bug. ***
Comment 7 Daniel Walsh 2009-12-21 17:37:41 EST
*** Bug 549502 has been marked as a duplicate of this bug. ***
Comment 8 Fedora Admin XMLRPC Client 2010-03-09 12:18:59 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 9 Bug Zapper 2010-11-04 02:29:03 EDT
This message is a reminder that Fedora 12 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 12.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '12'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 12's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 12 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
Comment 10 Bug Zapper 2010-12-03 22:21:44 EST
Fedora 12 changed to end-of-life (EOL) status on 2010-12-02. Fedora 12 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.