+++ This bug was initially created as a clone of Bug #536760 +++

Summary:

SELinux is preventing /usr/bin/qemu-kvm "write" access on sr0.

Detailed Description:

[qemu-kvm is running in enforcing mode (svirt_t). This action is not permitted.]

SELinux denied access requested by qemu-kvm. It is not expected that this access is required by qemu-kvm and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                system_u:system_r:svirt_t:s0:c136,c886
Target Context                system_u:object_r:virt_content_t:s0
Target Objects                sr0 [ blk_file ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          underdark.thor.od.ua
Source RPM Packages           qemu-system-x86-0.11.0-11.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-41.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     underdark.thor.od.ua
Platform                      Linux underdark.thor.od.ua 2.6.31.5-127.fc12.x86_64 #1 SMP Sat Nov 7 21:11:14 EST 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 11 Nov 2009 10:59:58
Last Seen                     Wed 11 Nov 2009 10:59:58
Local ID                      247b391c-3766-45a9-ab32-ea1267c12338
Line Numbers

Raw Audit Messages

node=underdark.thor.od.ua type=AVC msg=audit(1257929998.809:139): avc: denied { write } for pid=25245 comm="qemu-kvm" name="sr0" dev=tmpfs ino=3940 scontext=system_u:system_r:svirt_t:s0:c136,c886 tcontext=system_u:object_r:virt_content_t:s0 tclass=blk_file

node=underdark.thor.od.ua type=SYSCALL msg=audit(1257929998.809:139): arch=c000003e syscall=2 success=yes exit=128 a0=7fffb847a1a0 a1=1002 a2=1a4 a3=30 items=0 ppid=1 pid=25245 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c136,c886 key=(null)

Hash String generated from  selinux-policy-3.6.32-41.fc12,catchall,qemu-kvm,svirt_t,virt_content_t,blk_file,write
audit2allow suggests:

#============= svirt_t ==============
allow svirt_t virt_content_t:blk_file write;

--- Additional comment from dwalsh on 2009-11-11 13:32:59 EDT ---

If this device was a read/writable device it should have been given a different label

--- Additional comment from berrange on 2009-11-11 13:39:48 EDT ---

Please provide the libvirt XML configuration for this guest and the log file.

As root run virsh dumpxml GUESTNAME and save /var/log/libvirt/qemu/$GUESTNAME.log

--- Additional comment from pal on 2009-11-11 15:23:57 EDT ---

drive is r/w, but media was r/o

<domain type='kvm'>
  <name>xp</name>
  <uuid>e917f9ea-b05f-ad51-4cbd-9b447e5fc3c5</uuid>
  <memory>524288</memory>
  <currentMemory>524288</currentMemory>
  <vcpu>1</vcpu>
  <os>
    <type arch='x86_64' machine='pc-0.11'>hvm</type>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>
  <clock offset='localtime'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <emulator>/usr/bin/qemu-kvm</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw'/>
      <source file='/var/lib/libvirt/images/xp.img'/>
      <target dev='hda' bus='ide'/>
    </disk>
    <disk type='block' device='cdrom'>
      <driver name='qemu'/>
      <source dev='/dev/sr0'/>
      <target dev='hdc' bus='ide'/>
      <readonly/>
    </disk>
    <interface type='network'>
      <mac address='52:54:00:46:53:a5'/>
      <source network='default'/>
    </interface>
    <serial type='pty'>
      <source path='/dev/pts/4'/>
      <target port='0'/>
    </serial>
    <console type='pty' tty='/dev/pts/4'>
      <source path='/dev/pts/4'/>
      <target port='0'/>
    </console>
    <input type='tablet' bus='usb'/>
    <input type='mouse' bus='ps2'/>
    <graphics type='vnc' port='-1' autoport='yes'/>
    <sound model='es1370'/>
    <video>
      <model type='cirrus' vram='9216' heads='1'/>
    </video>
  </devices>
</domain>

LC_ALL=C PATH=/sbin:/usr/sbin:/bin:/usr/bin QEMU_AUDIO_DRV=none /usr/bin/qemu-kvm -S -M pc-0.11 -m 512 -smp 1 -name xp -uuid e917f9ea-b05f-ad51-4cbd-9b447e5fc3c5 -monitor unix:/var/lib/libvirt/qemu/xp.monitor,server,nowait -localtime -no-reboot -boot d -drive file=/var/lib/libvirt/images/xp.img,if=ide,index=0,format=raw -drive file=/dev/sr0,if=ide,media=cdrom,index=2 -net nic,macaddr=52:54:00:46:53:a5,vlan=0,name=nic.0 -net tap,fd=18,vlan=0,name=tap.0 -serial pty -parallel none -usb -usbdevice tablet -vnc 127.0.0.1:0 -vga cirrus -soundhw es1370
char device redirected to /dev/pts/4
LC_ALL=C PATH=/sbin:/usr/sbin:/bin:/usr/bin QEMU_AUDIO_DRV=none /usr/bin/qemu-kvm -S -M pc-0.11 -m 512 -smp 1 -name xp -uuid e917f9ea-b05f-ad51-4cbd-9b447e5fc3c5 -monitor unix:/var/lib/libvirt/qemu/xp.monitor,server,nowait -localtime -boot c -drive file=/var/lib/libvirt/images/xp.img,if=ide,index=0,boot=on,format=raw -drive file=,if=ide,media=cdrom,index=2 -net nic,macaddr=52:54:00:46:53:a5,vlan=0,name=nic.0 -net tap,fd=18,vlan=0,name=tap.0 -serial pty -parallel none -usb -usbdevice tablet -vnc 127.0.0.1:0 -vga cirrus -soundhw es1370
char device redirected to /dev/pts/4
Um, Dan - could you provide some more info on exactly what you need done on the qemu side?
Upstream commit 59f2689d introduces a readonly option for -drive. Is this what you're looking for? (Though I haven't checked if it really works as expected)
The core requirement is that we have a 'readonly' flag for -drive, and when that is given, QEMU must *never* open a file with O_WRONLY or O_RDWR, it must only use O_RDONLY. Any attempt to open it for write will trigger this SELinux violation. Optionally it can set some flag against that drive such that the guest sees that it is read only, but that's merely a nice-to-have. It looks like 59f2689d should satisfy that, but will need to test it to be sure
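The thread's diagnosis rests on reading three things together: the AVC record (svirt_t asked for write on a virt_content_t block device), the SYSCALL record paired with it (whose a1 field is the open(2) flags argument and shows the access mode the emulator actually requested), and the libvirt XML (which declared the cdrom disk <readonly/>). The script below, an added example that is not part of the bug report or of QEMU/libvirt, automates that triage over audit lines and XML copied from the report into constructed sample strings. The only assumption is the x86_64 Linux convention that the low two bits of the open flags (O_ACCMODE) select O_RDONLY/O_WRONLY/O_RDWR; virt_content_t being the label libvirt assigns to read-only media follows from dwalsh's remark that a writable device would have carried a different label.

```python
import re
import xml.etree.ElementTree as ET

# Linux open(2): the low two bits of the flags argument select the access mode.
O_ACCMODE = 0o3
ACCESS_MODE_NAMES = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR", 3: "invalid(3)"}

# Constructed sample input: the two raw audit records from the report.
AVC_LINE = ('node=underdark.thor.od.ua type=AVC msg=audit(1257929998.809:139): avc: denied '
            '{ write } for pid=25245 comm="qemu-kvm" name="sr0" dev=tmpfs ino=3940 '
            'scontext=system_u:system_r:svirt_t:s0:c136,c886 '
            'tcontext=system_u:object_r:virt_content_t:s0 tclass=blk_file')
SYSCALL_LINE = ('node=underdark.thor.od.ua type=SYSCALL msg=audit(1257929998.809:139): '
                'arch=c000003e syscall=2 success=yes exit=128 a0=7fffb847a1a0 a1=1002 a2=1a4 '
                'a3=30 items=0 ppid=1 pid=25245 auid=4294967295 uid=107 gid=107 euid=107 '
                'suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 '
                'comm="qemu-kvm" exe="/usr/bin/qemu-kvm" '
                'subj=system_u:system_r:svirt_t:s0:c136,c886 key=(null)')

# Constructed sample input: the guest's disk definitions, trimmed from the report's XML.
DOMAIN_XML = """<domain type='kvm'><name>xp</name><devices>
<disk type='file' device='disk'><source file='/var/lib/libvirt/images/xp.img'/>
  <target dev='hda' bus='ide'/></disk>
<disk type='block' device='cdrom'><source dev='/dev/sr0'/>
  <target dev='hdc' bus='ide'/><readonly/></disk>
</devices></domain>"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_record(line):
    """Split one audit record into key=value fields (quotes stripped).
    The 'avc: denied { perms }' fragment has no '=' so it is captured separately."""
    fields = {}
    m = re.search(r'avc:\s+(denied|granted)\s+\{([^}]*)\}', line)
    if m:
        fields['avc_result'] = m.group(1)
        fields['perms'] = m.group(2).split()
    for key, val in KV_RE.findall(line):
        fields[key] = val.strip('"')
    return fields


def event_serial(fields):
    """Serial number from msg=audit(<time>:<serial>); records of one event share it."""
    return int(re.search(r'audit\([\d.]+:(\d+)\)', fields['msg']).group(1))


def decode_open_access_mode(syscall_fields):
    """For an x86_64 open(2) record (arch=c000003e, syscall=2) a1 is the hex flags
    argument; mask it down to the access mode."""
    if syscall_fields.get('arch') != 'c000003e' or syscall_fields.get('syscall') != '2':
        raise ValueError("not an x86_64 open(2) record")
    return ACCESS_MODE_NAMES[int(syscall_fields['a1'], 16) & O_ACCMODE]


def readonly_disks(domain_xml):
    """Source paths of every <disk> that carries <readonly/> in a libvirt domain."""
    paths = []
    for disk in ET.fromstring(domain_xml).iter('disk'):
        if disk.find('readonly') is not None:
            src = disk.find('source')
            paths.append(src.get('dev') or src.get('file'))
    return paths


def triage(avc_line, syscall_line, domain_xml):
    """Correlate the AVC denial with its SYSCALL record and the guest config."""
    avc = parse_audit_record(avc_line)
    sc = parse_audit_record(syscall_line)
    if event_serial(avc) != event_serial(sc):
        raise ValueError("AVC and SYSCALL records belong to different audit events")
    target_type = avc['tcontext'].split(':')[2]
    mode = decode_open_access_mode(sc)
    configured_ro = any(p.endswith('/' + avc['name']) for p in readonly_disks(domain_xml))
    # virt_content_t is the read-only media label. A write request on it from a
    # guest that was configured <readonly/> means the policy held and the emulator
    # opened the device for writing; an allow rule would just paper over that.
    return {
        'source_type': avc['scontext'].split(':')[2],
        'target_type': target_type,
        'tclass': avc['tclass'],
        'denied': avc.get('perms', []),
        'open_mode': mode,
        'configured_readonly': configured_ro,
        'policy_correct': ('write' in avc.get('perms', []) and target_type == 'virt_content_t'
                           and configured_ro and mode != 'O_RDONLY'),
    }


if __name__ == '__main__':
    for k, v in triage(AVC_LINE, SYSCALL_LINE, DOMAIN_XML).items():
        print(f"{k:20} {v}")
```

On the report's records this yields open_mode O_RDWR (a1=1002 hex, low bits 2) against a disk the XML marks read-only, which is exactly the mismatch the comment above wants closed by opening with O_RDONLY when the readonly flag is set.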
*** Bug 532478 has been marked as a duplicate of this bug. ***
*** Bug 543105 has been marked as a duplicate of this bug. ***
*** Bug 543117 has been marked as a duplicate of this bug. ***
*** Bug 549502 has been marked as a duplicate of this bug. ***
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
This message is a reminder that Fedora 12 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 12. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '12'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 12's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 12 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Fedora 12 changed to end-of-life (EOL) status on 2010-12-02. Fedora 12 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.