Created attachment 340217: Audit message

Description of problem:
I'm trying to use a USB storage device with a qemu-kvm guest by attaching the block device (/dev/sdc) as a USBMS device. SELinux appears to be blocking it. I'll attach the audit messages containing the full details. Note that one pertains to hal-addon-storage.
Created attachment 340218: Audit message
Created attachment 340219: Audit message
Created attachment 340220: Audit message
You have combined two bugs together, I believe. The first one is that hal cannot read a blk device labeled svirt_image_t, which is fixed in selinux-policy-3.6.12-9.fc11.noarch. The second one looks like libvirt did not relabel a USB device to the appropriate svirt_image_t label, which I believe is a bug in libvirt.
James: could you try with selinux-policy-3.6.12-9.fc11 and attach your guest XML config and log file from /var/log/libvirt/qemu/${guest}.log?
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle. Changing version to '11'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Upstream fix is in

commit 1795bfe4a177a5eff1b3b0a16d56df6f371c0f8e
Author: Daniel P. Berrange <berrange>
Date:   Mon Jul 6 16:01:55 2009 +0100

    Fix SELinux denial during hotplug

    * src/qemu_driver.c: Relabel disk images *before* running
      QEMU hotplug monitor commands
Built fix into libvirt-0.6.2-14.fc11
libvirt-0.6.2-14.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/libvirt-0.6.2-14.fc11
libvirt-0.6.2-14.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update libvirt'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-8333
*** Bug 513968 has been marked as a duplicate of this bug. ***
libvirt-0.6.2-14.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
I still receive this error: "SELinux is preventing qemu-system-x86 (svirt_t) "read" removable_device_t." when starting a virtual guest with virt-manager (Windows from a bootable DVD). Nevertheless, I have libvirt-0.6.2-18.fc11.x86_64 installed, so it should contain the abovementioned bugfix, right?

Raw Audit Messages:

node=xxx type=AVC msg=audit(1255355278.921:45634): avc: denied { read } for pid=27111 comm="qemu-system-x86" path="/dev/sr0" dev=tmpfs ino=741 scontext=system_u:system_r:svirt_t:s0:c104,c517 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file

node=xxx type=SYSCALL msg=audit(1255355278.921:45634): arch=c000003e syscall=0 success=yes exit=0 a0=8 a1=7f8bf5270200 a2=800 a3=27 items=0 ppid=1 pid=27111 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=12 comm="qemu-system-x86" exe="/usr/bin/qemu-system-x86_64" subj=system_u:system_r:svirt_t:s0:c104,c517 key=(null)

Anything else I can do to help trace this error message?
(In reply to comment #13)
> I still receive this error: "SELinux is preventing qemu-system-x86 (svirt_t)
> "read" removable_device_t."

I don't think this is related to the original issue tracked by this bz. Could you file a new bug please? See http://fedoraproject.org/wiki/Reporting_virtualization_bugs for the kind of info that would be helpful.
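
Added example, not part of the original bug thread and not libvirt or selinux-policy code: a small triage script that parses AVC denials like the one quoted in comment #13 and reports whether an svirt_t guest was denied because the target does not carry the svirt_image_t label discussed above. It goes slightly beyond the thread by also comparing MCS categories; the function names, the result strings and the second sample record are assumptions made for illustration.

```python
import re

# Constructed sample: line 1 is the AVC record quoted in the thread; line 2 is a
# constructed record for an image whose MCS categories differ from the guest's.
SAMPLE = (
    'node=xxx type=AVC msg=audit(1255355278.921:45634): avc: denied { read } for pid=27111 '
    'comm="qemu-system-x86" path="/dev/sr0" dev=tmpfs ino=741 '
    'scontext=system_u:system_r:svirt_t:s0:c104,c517 '
    'tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file\n'
    'node=xxx type=AVC msg=audit(1255355279.100:45635): avc: denied { write } for pid=27111 '
    'comm="qemu-system-x86" path="/tmp/disk.img" dev=dm-0 ino=802 '
    'scontext=system_u:system_r:svirt_t:s0:c104,c517 '
    'tcontext=system_u:object_r:svirt_image_t:s0:c1,c2 tclass=file\n'
)

def parse_context(ctx):
    """Split user:role:type:level; the MCS level may itself contain ':'."""
    _user, _role, typ, level = (ctx.split(":", 3) + [""] * 4)[:4]
    _sens, _, cats = level.partition(":")
    return typ, frozenset(c for c in cats.split(",") if c)

def parse_avc(line):
    """Return a dict for an 'avc: denied' record, or None for any other line."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    if not m or "scontext" not in fields or "tcontext" not in fields:
        return None
    return {"perms": m.group(1).split(), "path": fields.get("path", "").strip('"'),
            "tclass": fields.get("tclass"),
            "source": parse_context(fields["scontext"]),
            "target": parse_context(fields["tcontext"])}

def classify(rec):
    (s_type, s_cats), (t_type, t_cats) = rec["source"], rec["target"]
    if s_type != "svirt_t" or rec["tclass"] not in ("blk_file", "file"):
        return "not_svirt_disk_access"
    if t_type != "svirt_image_t":
        return "target_not_svirt_image_t"   # target lacks the sVirt image label
    if t_cats != s_cats:
        return "mcs_category_mismatch"      # labelled, but categories differ
    return "other"

def triage(log_text):
    return [(r["path"], r["target"][0], classify(r))
            for r in map(parse_avc, log_text.splitlines()) if r]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Categories are compared as literal strings, so a range such as c0.c1023 is not expanded.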