Bug 496442 - libvirt only relabels disks *after* hotplugging them into QEMU
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: libvirt
Version: 11
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Daniel Veillard
QA Contact: Fedora Extras Quality Assurance
Duplicates: 513968
Blocks: F11VirtTarget
Reported: 2009-04-19 04:55 EDT by James
Modified: 2009-10-13 06:24 EDT
Fixed In Version: 0.6.2-14.fc11
Doc Type: Bug Fix
Last Closed: 2009-08-15 04:30:34 EDT
Attachments:
Audit message (2.85 KB, text/plain), 2009-04-19 04:55 EDT, James
Audit message (2.84 KB, text/plain), 2009-04-19 04:55 EDT, James
Audit message (2.61 KB, text/plain), 2009-04-19 04:55 EDT, James
Audit message (2.46 KB, text/plain), 2009-04-19 04:56 EDT, James

Description James 2009-04-19 04:55:05 EDT
Created attachment 340217 [details]
Audit message

Description of problem:
I'm trying to use a USB storage device with a qemu-kvm guest by attaching the block device (/dev/sdc) as a USBMS device. SELinux appears to be blocking it. I'll attach the audit messages containing the full details. Note that one pertains to hal-addon-storage.
Comment 1 James 2009-04-19 04:55:27 EDT
Created attachment 340218 [details]
Audit message
Comment 2 James 2009-04-19 04:55:49 EDT
Created attachment 340219 [details]
Audit message
Comment 3 James 2009-04-19 04:56:27 EDT
Created attachment 340220 [details]
Audit message
Comment 4 Daniel Walsh 2009-04-20 08:10:42 EDT
You have combined two bugs together, I believe. The first one is that hal can not read a blk device labeled svirt_image_t, which is fixed in

Fixed in selinux-policy-3.6.12-9.fc11.noarch

The second one looks like libvirt did not relabel a usb device to the appropriate svirt_image_t label. Which I believe is a bug in libvirt.
Comment 5 Mark McLoughlin 2009-04-20 09:09:32 EDT
James: could you try with selinux-policy-3.6.12-9.fc11 and attach your guest xml config and log file from /var/log/libvirt/qemu/${guest}.log?
Comment 6 Bug Zapper 2009-06-09 10:06:27 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 7 Daniel Berrange 2009-08-04 11:47:44 EDT
Upstream fix is in

commit 1795bfe4a177a5eff1b3b0a16d56df6f371c0f8e
Author: Daniel P. Berrange <berrange@redhat.com>
Date:   Mon Jul 6 16:01:55 2009 +0100

    Fix SELinux denial during hotplug
    
    * src/qemu_driver.c: Relabel disk images *before* running QEMU
    hotplug monitor commands
Comment 8 Daniel Berrange 2009-08-05 12:08:08 EDT
Built fix into libvirt-0.6.2-14.fc11
Comment 9 Fedora Update System 2009-08-05 12:13:00 EDT
libvirt-0.6.2-14.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/libvirt-0.6.2-14.fc11
Comment 10 Fedora Update System 2009-08-07 01:00:43 EDT
libvirt-0.6.2-14.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update libvirt'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-8333
Comment 11 Daniel Berrange 2009-08-12 05:26:20 EDT
*** Bug 513968 has been marked as a duplicate of this bug. ***
Comment 12 Fedora Update System 2009-08-15 04:30:03 EDT
libvirt-0.6.2-14.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Erik Logtenberg 2009-10-12 09:59:10 EDT
I still receive this error: "SELinux is preventing qemu-system-x86 (svirt_t) "read" removable_device_t." when starting a virtual guest with virt-manager (Windows from a bootable DVD).

Nevertheless, I have libvirt-0.6.2-18.fc11.x86_64 installed, so it should contain the above-mentioned bugfix, right?

Raw Audit Messages:

node=xxx type=AVC msg=audit(1255355278.921:45634): avc: denied { read } for pid=27111 comm="qemu-system-x86" path="/dev/sr0" dev=tmpfs ino=741 scontext=system_u:system_r:svirt_t:s0:c104,c517 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file

node=xxx type=SYSCALL msg=audit(1255355278.921:45634): arch=c000003e syscall=0 success=yes exit=0 a0=8 a1=7f8bf5270200 a2=800 a3=27 items=0 ppid=1 pid=27111 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=12 comm="qemu-system-x86" exe="/usr/bin/qemu-system-x86_64" subj=system_u:system_r:svirt_t:s0:c104,c517 key=(null)

Anything else I can do to help trace this error message?
Comment 14 Mark McLoughlin 2009-10-13 06:24:18 EDT
(In reply to comment #13)
> I still receive this error: "SELinux is preventing qemu-system-x86 (svirt_t)
> "read" removable_device_t."

I don't think this is related to the original issue tracked by this bz. Could you file a new bug please?

See http://fedoraproject.org/wiki/Reporting_virtualization_bugs for the kind of info that would be helpful
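
Added example, not part of the original bug thread and not libvirt code: a small triage script for AVC records like the one quoted in comment 13. It reports whether an svirt_t denial targets an object that lacks the svirt_image_t type named in comment 4, or one whose MCS categories differ from the guest's; the verdict names and the second sample record are constructed for illustration.

```python
import re

# Record quoted in comment 13 on this page (node name already redacted there).
PAGE_AVC = (
    'node=xxx type=AVC msg=audit(1255355278.921:45634): avc: denied { read } '
    'for pid=27111 comm="qemu-system-x86" path="/dev/sr0" dev=tmpfs ino=741 '
    'scontext=system_u:system_r:svirt_t:s0:c104,c517 '
    'tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file')
# Constructed record: svirt_image_t target carrying a different guest's categories.
CONSTRUCTED_AVC = (
    'type=AVC msg=audit(1255355300.000:45700): avc: denied { write } '
    'for pid=27200 comm="qemu-kvm" path="/dev/sdc" dev=tmpfs ino=900 '
    'scontext=system_u:system_r:svirt_t:s0:c104,c517 '
    'tcontext=system_u:object_r:svirt_image_t:s0:c12,c88 tclass=blk_file')

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_context(ctx):
    """Split user:role:type:sensitivity[:categories]; missing parts become ''."""
    parts = ctx.split(":", 4) + [""] * 5
    return {"type": parts[2], "cats": parts[4]}

def parse_avc(line):
    """Return the denial's fields, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if "scontext" not in kv or "tcontext" not in kv:
        return None
    return {"perms": m.group("perms").split(), "path": kv.get("path"),
            "source": parse_context(kv["scontext"]),
            "target": parse_context(kv["tcontext"])}

def triage(line):
    """Classify one audit line as (verdict, path)."""
    rec = parse_avc(line)
    if rec is None:
        return ("not-avc", None)
    src, tgt = rec["source"], rec["target"]
    if src["type"] != "svirt_t":
        return ("not-svirt", rec["path"])
    if tgt["type"] != "svirt_image_t":
        # The target still carries its original type: no sVirt image label on it.
        return ("target-not-svirt_image_t", rec["path"])
    if tgt["cats"] != src["cats"]:
        # Labelled for sVirt, but with another guest's MCS categories.
        return ("mcs-mismatch", rec["path"])
    return ("other", rec["path"])
```

Run against the record from comment 13, `triage(PAGE_AVC)` reports that /dev/sr0 still has the removable_device_t type; it says nothing about why the label was not applied.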
