Bug 741567

Summary: SELinux prevents write access to /dev/sr0 (CDROM)
Product: [Fedora] Fedora Reporter: Martin Wilck <martin.wilck>
Component: qemuAssignee: Fedora Virtualization Maintainers <virt-maint>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 15CC: amit.shah, berrange, crobinso, dougsland, dwmw2, ehabkost, itamar, jaswinder, jforbes, knoel, scottt.tw, tburke, virt-maint
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-05-28 19:55:25 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Attachments:
Description Flags
screenshot of sealert none

Description Martin Wilck 2011-09-27 06:02:36 EDT
Created attachment 525078 [details]
screenshot of sealert

Description of problem:
SELinux is preventing /usr/bin/qemu-kvm from write access on the blk_file sr0. For complete SELinux messages. run sealert -l 0ebd25db-0a0a-4762-b0a0-80df675300cf

sealert -l 0ebd25db-0a0a-4762-b0a0-80df675300cf

SELinux is preventing /usr/bin/qemu-kvm from write access on the blk_file sr0.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that qemu-kvm should be allowed write access on the sr0 blk_file by default.
Then you should report this as a bug.

Version-Release number of selected component (if applicable):
qemu-kvm-0.14.0-7.fc15
selinux-policy-targeted-3.9.16-26.fc15

From audit.log:

type=AVC msg=audit(1317114972.590:4035): avc:  denied  { write } for  pid=12144 comm="qemu-kvm" name="sr0" dev=devtmpfs ino=1199 scontext=system_u:system_r:svirt_t:s0:c723,c875 tcontext=system_u:object_r:virt_content_t:s0 tclass=blk_file

How reproducible:
always

Steps to Reproduce:
1. Start VM with CD-ROM "disconnected" (qemu is accessing /dev/sr0 physical CD-ROM driver, CD is inserted).
2.When guest OS asks for CD insertion, click on "connect" in virt-manager CD-ROM tab

  
Actual results:
Permission denied error (see above).

Expected results:
This basic ioperation should be possible

Additional info:
Strace of qemu shows that it is requesting RW access on the CD-ROM drive although the device is configured as readonly device.
Comment 1 Fedora Admin XMLRPC Client 2012-03-15 13:54:10 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 2 Cole Robinson 2012-05-28 19:55:25 EDT
This is fixed in Fedora 16 and later AIUI, but it needed some qemu cooperation which won't be backported, since F15 is end of life in a month. If you are still seeing this issue with a more recent Fedora, please reopen this report.