Bug 207165 - Can't boot a fullyvirt guest off a physical CDROM device
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
rawhide
All Linux
medium Severity medium
Assigned To: Daniel Walsh
Brian Brock
Reported: 2006-09-19 15:39 EDT by Daniel Berrange
Modified: 2007-11-30 17:11 EST (History)

Doc Type: Bug Fix
Last Closed: 2007-08-01 14:51:50 EDT


Attachments
libvirt XML for creating HVM guest (837 bytes, text/plain)
2006-09-19 15:39 EDT, Daniel Berrange

Description Daniel Berrange 2006-09-19 15:39:41 EDT
Description of problem:
If I attempt to create a HVM (fullyvirt) guest, configuring a virtual CDROM
device mapped through to the host's real CDROM (eg, /dev/cdrom) the guest
crashes immediately. The Xend.log shows:

[2006-09-19 15:34:46 xend 2686] DEBUG (blkif:24) exception looking up device
number for hda: [Errno 13] Permission denied: '/dev/hda'

And audit.log shows:

type=AVC msg=audit(1158694570.789:1645): avc:  denied  { getattr } for  pid=3078
comm="python" name="hda" dev=tmpfs ino=5399 scontext=system_u:system_r:xend_t:s0
tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1158694570.789:1645): arch=c000003e syscall=4 success=yes
exit=0 a0=72a3c0 a1=427ffe00 a2=427ffe00 a3=72a3c0 items=0 ppid=2685 pid=3078
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="python" exe="/usr/bin/python" subj=system_u:system_r:xend_t:s0
key=(null)
type=AVC_PATH msg=audit(1158694570.789:1645):  path="/dev/hda"

NB, on this example host system, /dev/hda really *is* the CDROM device - the
harddrive is under SCSI namespace instead.

It looks like 'xen_t' needs to be given access to files labeled with the file
context 'removable_device_t'
 
Version-Release number of selected component (if applicable):
xen-3.0.2-33
selinux-policy-2.3.13-5
selinux-policy-targeted-2.3.13-5
policycoreutils-1.30.29-1

How reproducible:
ALWAYS

Steps to Reproduce:
1. Create a guest machine configured to boot off the host's cdrom
2. Start the guest
3. Wait a couple of seconds
  
Actual results:
Guest crashes & logs permission denied on the host cdrom path

Expected results:
Guest boots the CDROM image

Additional info:
Attaching an example libvirt XML config which can be run with 'virsh create
demo.xml' (assuming you've created the /xen/qqq.img sparse file for its root fs)
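As an added illustration (not part of the bug report or of the selinux-policy package), the Python below parses the three audit records quoted above, re-joined onto one line each as auditd writes them, and derives the one type-enforcement rule the denial implies, which is the kind of rule audit2allow prints. It assumes only those constructed log lines; the actual fix went into the distribution policy rather than a local rule, so this only shows how scontext, tcontext and tclass map onto the missing permission.

```python
import re

# Constructed input: the three audit records quoted in the report, each
# re-joined onto a single line the way auditd writes them.
AUDIT_LOG = """\
type=AVC msg=audit(1158694570.789:1645): avc:  denied  { getattr } for  pid=3078 comm="python" name="hda" dev=tmpfs ino=5399 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1158694570.789:1645): arch=c000003e syscall=4 success=yes exit=0 a0=72a3c0 a1=427ffe00 a2=427ffe00 a3=72a3c0 items=0 ppid=2685 pid=3078 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python" subj=system_u:system_r:xend_t:s0 key=(null)
type=AVC_PATH msg=audit(1158694570.789:1645):  path="/dev/hda"
"""

# Fields of a denial record: audit serial, denied permissions, source and
# target security contexts, and the object class.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<serial>[\d.]+:\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+)\} .*?scontext=(?P<scontext>\S+) '
    r'tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')
# AVC_PATH carries the resolved path and shares the serial of its AVC record.
PATH_RE = re.compile(
    r'type=AVC_PATH msg=audit\((?P<serial>[\d.]+:\d+)\):\s+path="(?P<path>[^"]*)"')

def parse_denials(log):
    """Return one dict per denial, with AVC and AVC_PATH joined by serial."""
    denials = {}
    for line in log.splitlines():
        m = AVC_RE.match(line)
        if m:
            d = m.groupdict()
            d['perms'] = d['perms'].split()
            d['path'] = None
            denials[d['serial']] = d
            continue
        m = PATH_RE.match(line)
        if m and m.group('serial') in denials:
            denials[m.group('serial')]['path'] = m.group('path')
    return list(denials.values())

def type_of(context):
    """Third field of an SELinux context is the type: ...:xend_t:s0 -> xend_t."""
    return context.split(':')[2]

def allow_rule(d):
    """The minimal type-enforcement rule that would permit exactly this access."""
    perms = ' '.join(d['perms'])
    return (f"allow {type_of(d['scontext'])} {type_of(d['tcontext'])}:"
            f"{d['tclass']} {{ {perms} }};")

if __name__ == '__main__':
    for d in parse_denials(AUDIT_LOG):
        print(d['path'], '->', allow_rule(d))
```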
Comment 1 Daniel Berrange 2006-09-19 15:39:42 EDT
Created attachment 136670 [details]
libvirt XML for creating HVM guest
Comment 2 James Morris 2006-09-19 16:01:19 EDT
Yep, although it's xend_t.
Comment 3 Daniel Walsh 2006-09-19 16:09:18 EDT
Fixed in selinux-policy-2.3.14-5
Comment 4 Daniel Berrange 2007-08-01 14:51:50 EDT
Was fixed a while ago...
