Bug 207165 - Can't boot a fullyvirt guest off a physical CDROM device
Summary: Can't boot a fullyvirt guest off a physical CDROM device
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Brian Brock
Depends On:
Reported: 2006-09-19 19:39 UTC by Daniel Berrange
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-08-01 18:51:50 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments
libvirt XML for creating HVM guest (837 bytes, text/plain), 2006-09-19 19:39 UTC, Daniel Berrange

Description Daniel Berrange 2006-09-19 19:39:41 UTC
Description of problem:
If I attempt to create a HVM (fullyvirt) guest, configuring a virtual CDROM
device mapped through to the host's real CDROM (eg, /dev/cdrom) the guest
crashes immediately. The Xend.log shows:

[2006-09-19 15:34:46 xend 2686] DEBUG (blkif:24) exception looking up device number for hda: [Errno 13] Permission denied: '/dev/hda'

And audit.log shows:

type=AVC msg=audit(1158694570.789:1645): avc:  denied  { getattr } for  pid=3078 comm="python" name="hda" dev=tmpfs ino=5399 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1158694570.789:1645): arch=c000003e syscall=4 success=yes exit=0 a0=72a3c0 a1=427ffe00 a2=427ffe00 a3=72a3c0 items=0 ppid=2685 pid=3078 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python" subj=system_u:system_r:xend_t:s0
type=AVC_PATH msg=audit(1158694570.789:1645):  path="/dev/hda"

NB, on this example host system, /dev/hda really *is* the CDROM device - the
hard drive is under the SCSI namespace instead.

It looks like 'xen_t' needs to be given access to files labeled with the file
context 'removable_device_t'.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Create a guest machine configured to boot off the host's cdrom
2. Start the guest
3. Wait a couple of seconds

Actual results:
Guest crashes & logs permission denied on the host cdrom path

Expected results:
Guest boots the CDROM image

Additional info:
Attaching an example libvirt XML config which can be run with 'virsh create
demo.xml' (assuming you've created the /xen/qqq.img sparse file for its root fs)
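
As an added example (not part of this bug report or of the selinux-policy package), a small Python parser for the audit records quoted above: it extracts the source and target types from an AVC denial, joins the AVC_PATH record to it by audit serial, and renders the TE rule the denial implies, which is the access vector a tool like audit2allow would propose. The three records are re-joined onto one line each as constructed sample input; the function and variable names are this example's own.

```python
import re

# Constructed sample: the three audit records quoted in this bug, re-joined onto one line each.
SAMPLE_LOG = [
    'type=AVC msg=audit(1158694570.789:1645): avc:  denied  { getattr } for  pid=3078 '
    'comm="python" name="hda" dev=tmpfs ino=5399 scontext=system_u:system_r:xend_t:s0 '
    'tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file',
    'type=SYSCALL msg=audit(1158694570.789:1645): arch=c000003e syscall=4 success=yes exit=0 pid=3078 comm="python"',
    'type=AVC_PATH msg=audit(1158694570.789:1645):  path="/dev/hda"',
]
_SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')
_AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_PATH_RE = re.compile(r'type=AVC_PATH .*?path="([^"]*)"')

def _type_of(ctx):
    """Pull the type out of a user:role:type[:level] context string."""
    return ctx.split(':')[2] if ctx and ctx.count(':') >= 2 else None

def parse_avc(record):
    """Parse one AVC record into a dict; return None for SYSCALL, AVC_PATH and other record types."""
    m = _AVC_RE.search(record)
    if m is None:
        return None
    result, perms, rest = m.groups()
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(rest)}
    serial = _SERIAL_RE.search(record)
    return {
        'serial': serial.group(1) if serial else None,
        'result': result,
        'perms': perms.split(),
        'stype': _type_of(fields.get('scontext')),
        'ttype': _type_of(fields.get('tcontext')),
        'tclass': fields.get('tclass'),
    }

def denials(lines):
    """Return parsed AVC denials, each joined to the path from the AVC_PATH record with the same serial."""
    paths = {}
    for line in lines:
        p, s = _PATH_RE.match(line), _SERIAL_RE.search(line)
        if p and s:
            paths[s.group(1)] = p.group(1)
    found = [a for a in map(parse_avc, lines) if a and a['result'] == 'denied']
    for a in found:
        a['path'] = paths.get(a['serial'])
    return found

def allow_rule(avc):
    """Render the minimal TE rule that would permit the denied access (source type, target type, class, perms)."""
    return 'allow %s %s:%s { %s };' % (avc['stype'], avc['ttype'], avc['tclass'], ' '.join(avc['perms']))
```

Whether such a rule belongs in a local module or, as happened here, in the distribution policy is a judgement about how broad the access is; the parser only makes the denied access vector explicit.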

Comment 1 Daniel Berrange 2006-09-19 19:39:42 UTC
Created attachment 136670 [details]
libvirt XML for creating HVM guest

Comment 2 James Morris 2006-09-19 20:01:19 UTC
Yep, although it's xend_t.

Comment 3 Daniel Walsh 2006-09-19 20:09:18 UTC
Fixed in selinux-policy-2.3.14-5

Comment 4 Daniel Berrange 2007-08-01 18:51:50 UTC
Was fixed a while ago...
