Bug 1261127 - ISO should be labelled virt_content_t so qemu:///session svirt can use it
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: rc
Target Release: 7.3
Assigned To: Lukas Vrabec
QA Contact: BaseOS QE Security Team
Reported: 2015-09-08 12:17 EDT by Paramjit Oberoi
Modified: 2017-10-12 08:20 EDT
Last Closed: 2017-10-12 08:16:48 EDT
Type: Bug
Description Paramjit Oberoi 2015-09-08 12:17:41 EDT
Mounting the ISO file in the VM fails due to SELinux errors. I had to run the following command to get it to work:

sudo chcon 'system_u:object_r:virt_content_t:s0' /usr/share/virtio-win/virtio-win-0.1.102.iso
Comment 1 Cole Robinson 2015-09-08 12:24:52 EDT
(In reply to Paramjit Oberoi from comment #0)
> Mounting the ISO file in the VM fails due to SELinux errors. I had to run
> the following command to get it to work:
> 
> sudo chcon 'system_u:object_r:virt_content_t:s0'
> /usr/share/virtio-win/virtio-win-0.1.102.iso

I assume this is using boxes or qemu:///session? Regular user won't have the permissions to relabel the media, so that makes sense. Probably need to get a change into selinux-policy to label this media correctly for us.
Comment 2 Paramjit Oberoi 2015-09-09 12:12:42 EDT
Yes, this was using boxes. I discovered the root cause when I tried the same thing in VirtManager using qemu:///session, and it gave me a nice error message complaining about not being able to relabel the file. (Boxes just gave me a failure message without explanation.)
Comment 4 Miroslav Grepl 2015-12-18 05:48:05 EST
(In reply to Paramjit Oberoi from comment #0)
> Mounting the ISO file in the VM fails due to SELinux errors. I had to run
> the following command to get it to work:
> 
> sudo chcon 'system_u:object_r:virt_content_t:s0'
> /usr/share/virtio-win/virtio-win-0.1.102.iso

What errors are you getting?
Comment 7 Milos Malik 2017-08-17 03:39:14 EDT
Is it still relevant? Do you still see SELinux denials when re-running the scenario?
Comment 8 Paramjit Oberoi 2017-08-17 18:01:25 EDT
Sorry for the lack of updates. I'm pretty sure I have reinstalled virtio-win since filing this bug, and I have not run into this problem again. I haven't tried it on a freshly installed system though.

Given the lack of me-too comments here, I'd say it's safe to close this.
Comment 9 Lukas Vrabec 2017-10-12 08:16:48 EDT
We're going to close this bug as WONTFIX because

 * of limited capacity of selinux-policy developers
 * the bug is related to EPEL component or 3rd party SW only
 * the bug appears in unsupported configuration 

We believe this bug can be fixed via a local policy module.
For more information please see: 

 * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow

If you disagree, please re-open the bug.
Comment 10 Lukas Vrabec 2017-10-12 08:20:12 EDT
We're going to close this bug as WONTFIX because

 * of limited capacity of selinux-policy developers
 * the bug is related to EPEL component or 3rd party SW only
 * the bug appears in unsupported configuration 

We believe this bug can be fixed via a local policy module.
For more information please see: 

 * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow

If you disagree, please re-open the bug.
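
The chcon workaround in the description changes only the on-disk label, which restorecon or a filesystem relabel resets to the policy default; a file-context rule added with semanage keeps the label in place. The following is an added example, not part of the original bug thread: it lists ISO files whose SELinux type is not virt_content_t and shows the persistent fix. The function names, sample contexts and sample file names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit VM install media labels and fix them persistently.
WANT_TYPE=virt_content_t   # type named in the bug title

# Print the type field of an SELinux context (user:role:type:level).
# The level may itself contain colons (s0:c1,c2), so take field 3 only.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 when a context already carries the wanted type.
label_ok() {
    [ "$(selinux_type "$1")" = "$WANT_TYPE" ]
}

# Read "context path" pairs (the layout of `stat -c '%C %n'`) on stdin
# and print the paths whose type is not $WANT_TYPE.
mislabeled() {
    while read -r ctx path; do
        [ -n "$ctx" ] || continue
        label_ok "$ctx" || printf '%s\n' "$path"
    done
}

# Persistent fix, run as root: record a file-context rule, then apply it.
# Unlike chcon, the rule survives restorecon and a full relabel.
# Defined here but not called; invoke it by hand on a real host.
fix_persistently() {
    dir=$1
    semanage fcontext -a -t "$WANT_TYPE" "$dir(/.*)?\.iso" &&
        restorecon -Rv "$dir"
}

# Constructed sample input; on a real host use:
#   stat -c '%C %n' /usr/share/virtio-win/*.iso | mislabeled
SAMPLE='system_u:object_r:usr_t:s0 /usr/share/virtio-win/a.iso
system_u:object_r:virt_content_t:s0 /usr/share/virtio-win/b.iso
unconfined_u:object_r:user_home_t:s0:c1,c2 /home/u/c.iso'

printf '%s\n' "$SAMPLE" | mislabeled
```

With qemu:///session the unprivileged user cannot relabel the media, so the rule has to be installed by an administrator before the VM is started.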