Bug 513968 - svirt preventing attaching a dvd/cdrom in virt-manager
svirt preventing attaching a dvd/cdrom in virt-manager
Status: CLOSED DUPLICATE of bug 496442
Product: Fedora
Classification: Fedora
Component: virt-manager (Show other bugs)
11
All Linux
high Severity medium
: ---
: ---
Assigned To: Daniel Berrange
Fedora Extras Quality Assurance
:
Depends On:
Blocks: F11VirtTarget
  Show dependency treegraph
 
Reported: 2009-07-27 07:06 EDT by Mark Wielaard
Modified: 2009-08-12 05:26 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-08-12 05:26:20 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Mark Wielaard 2009-07-27 07:06:38 EDT
Description of problem:

When trying to attach a dvd/cdrom to a running virtual machine you will get selinux denials and the cd doesn't show up in the guest.

Version-Release number of selected component (if applicable):

virt-manager-0.7.0-5.fc11.x86_64
qemu-kvm-0.10.5-3.fc11.x86_64

How reproducible:

Always

Steps to Reproduce:
1. Go to a running virtual machine details tab
2. Click on disk hdc
3. Click on connect and select a cdrom (/dev/sr0 in my case).
  
Actual results:

selinux denials, cd doesn't show in guest

Expected results:

cd does show up in guest

Additional info:

setroubleshooter says:


Summary:

SELinux is preventing qemu-kvm (svirt_t) "getattr" removable_device_t.

Detailed Description:

SELinux denied access requested by qemu-kvm. It is not expected that this access
is required by qemu-kvm and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:svirt_t:s0:c173,c806
Target Context                system_u:object_r:removable_device_t:s0
Target Objects                /dev/sr0 [ blk_file ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          springer.wildebeest.org
Source RPM Packages           qemu-system-x86-0.10.5-3.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-62.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     springer.wildebeest.org
Platform                      Linux springer.wildebeest.org
                              2.6.29.6-213.fc11.x86_64 #1 SMP Tue Jul 7 21:02:57
                              EDT 2009 x86_64 x86_64
Alert Count                   2
First Seen                    Mon 27 Jul 2009 12:55:48 PM CEST
Last Seen                     Mon 27 Jul 2009 01:01:02 PM CEST
Local ID                      3fd74f4b-93c5-4e97-94d1-ba2b8f95b22a
Line Numbers                  

Raw Audit Messages            

node=springer.wildebeest.org type=AVC msg=audit(1248692462.839:107): avc:  denied  { getattr } for  pid=22188 comm="qemu-kvm" path="/dev/sr0" dev=tmpfs ino=583 scontext=system_u:system_r:svirt_t:s0:c173,c806 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file

node=springer.wildebeest.org type=SYSCALL msg=audit(1248692462.839:107): arch=c000003e syscall=4 success=no exit=-13 a0=e79930 a1=7fffede4d6c0 a2=7fffede4d6c0 a3=9 items=0 ppid=1 pid=22188 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c173,c806 key=(null)



Summary:

SELinux is preventing qemu-kvm (svirt_t) "read" removable_device_t.

Detailed Description:

SELinux denied access requested by qemu-kvm. It is not expected that this access
is required by qemu-kvm and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:svirt_t:s0:c173,c806
Target Context                system_u:object_r:removable_device_t:s0
Target Objects                sr0 [ blk_file ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          springer.wildebeest.org
Source RPM Packages           qemu-system-x86-0.10.5-3.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-62.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     springer.wildebeest.org
Platform                      Linux springer.wildebeest.org
                              2.6.29.6-213.fc11.x86_64 #1 SMP Tue Jul 7 21:02:57
                              EDT 2009 x86_64 x86_64
Alert Count                   2
First Seen                    Mon 27 Jul 2009 12:55:48 PM CEST
Last Seen                     Mon 27 Jul 2009 01:01:02 PM CEST
Local ID                      d6715a71-5e7f-4f79-ab31-f18c2c977133
Line Numbers                  

Raw Audit Messages            

node=springer.wildebeest.org type=AVC msg=audit(1248692462.839:108): avc:  denied  { read } for  pid=22188 comm="qemu-kvm" name="sr0" dev=tmpfs ino=583 scontext=system_u:system_r:svirt_t:s0:c173,c806 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file

node=springer.wildebeest.org type=SYSCALL msg=audit(1248692462.839:108): arch=c000003e syscall=2 success=no exit=-13 a0=e79930 a1=1000 a2=1a4 a3=30 items=0 ppid=1 pid=22188 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c173,c806 key=(null)
Comment 1 Daniel Walsh 2009-08-11 18:22:36 EDT
libvirt should have relabeled this to something svirt_t can read?
Comment 2 Daniel Berrange 2009-08-12 05:26:20 EDT

*** This bug has been marked as a duplicate of bug 496442 ***

Note You need to log in before you can comment on or make changes to this bug.