601135 – Unable to change CDROM media when SELinux is enforcing readonly access to image

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 601135 - Unable to change CDROM media when SELinux is enforcing readonly access to image

Summary: Unable to change CDROM media when SELinux is enforcing readonly access to image

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	libvirt
Sub Component:
Version:	6.0
Hardware:	All
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Daniel Berrangé
QA Contact:	Virtualization Bugs
Docs Contact:
URL:
Whiteboard:
Depends On:	602186
Blocks:
TreeView+	depends on / blocked

Reported:	2010-06-07 10:10 UTC by dyuan
Modified:	2010-09-09 07:38 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2010-06-23 07:13:37 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description dyuan 2010-06-07 10:10:33 UTC

Description of problem:

insert a cd(just like iso) into vm cdrom using attach-disk , failed with "internal error unable to execute QEMU command 'change'"

Version-Release number of selected component (if applicable):
libvirt-0.8.1-7.el6.x86_64
qemu-kvm-0.12.1.2-2.68.el6.x86_64
kernel-2.6.32-30.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. prepare a vm with cdrom 
# virsh dumpxml snapshot-4
...
<disk type='file' device='cdrom'>
      <driver name='qemu'/>
      <target dev='hdc' bus='ide'/>
      <readonly/>
      <alias name='ide0-1-0'/>
      <address type='drive' controller='0' bus='1' unit='0'/>
    </disk>
    <controller type='ide' index='0'>
      <alias name='ide0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
    </controller>
...

2. insert an iso into vm cdrom. 
# virsh attach-disk snapshot-4 /var/lib/libvirt/images/test.iso hdc --driver file --type cdrom --mode readonly


Actual results:

# virsh attach-disk snapshot-4 /var/lib/libvirt/images/test.iso hdc --driver file --type cdrom --mode readonly
error: Failed to attach disk
error: internal error unable to execute QEMU command 'change': An undefined error has ocurred

Expected results:
iso can be inserted successfully.

Additional info:

that's ok for qemu:

# /usr/libexec/qemu-kvm -S -M rhel6.0.0 -enable-kvm -m 2048 -smp 1,sockets=1,cores=1,threads=1 -name snapshot-4 -uuid 555cc7fc-b3df-786f-b73a-4e876a654b9c -nodefaults -rtc base=utc -boot c -drive file=/var/lib/libvirt/images/snapshot-4.img,if=none,id=drive-virtio-disk0,boot=on,format=raw -device virtio-blk-pci,bus=pci.0,addr=0x6,drive=drive-virtio-disk0,id=virtio-disk0 -drive file=/mnt/vol/shareable.iso,if=none,media=cdrom,id=drive-ide0-1-0,readonly=on -device ide-drive,bus=ide.1,unit=0,drive=drive-ide0-1-0,id=ide0-1-0 -vnc 127.0.0.1:1 -k en-us -vga cirrus -device AC97,id=sound0,bus=pci.0,addr=0x5 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3 -monitor stdio
QEMU 0.12.1 monitor - type 'help' for more information
(qemu) info block
drive-virtio-disk0: type=hd removable=0 file=/var/lib/libvirt/images/snapshot-4.img ro=0 drv=raw encrypted=0
drive-ide0-1-0: type=cdrom removable=1 locked=0 [not inserted]
(qemu) change drive-ide0-1-0 /mnt/vol/shareable.iso
(qemu) info block
drive-virtio-disk0: type=hd removable=0 file=/var/lib/libvirt/images/snapshot-4.img ro=0 drv=raw encrypted=0
drive-ide0-1-0: type=cdrom removable=1 locked=0 file=/mnt/vol/shareable.iso ro=0 drv=raw encrypted=0


# man virsh 
...
attach-disk domain-id source target optional --driver driver --subdriver subdriver --type type --mode mode
Attach a new disk device to the domain.  source and target are paths for the files and devices. driver can be file, tap or phy depending on the kind of access. type can indicate cdrom or floppy as alternative to the disk default.  mode can specify the two specific mode readonly or shareable.
...

Comment 2 RHEL Program Management 2010-06-07 17:03:31 UTC

This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.

Comment 3 Daniel Berrangé 2010-06-09 09:05:51 UTC

Tracing QEMU shows

19215 stat("/var/lib/libvirt/images/boot.iso", {st_mode=S_IFREG|0644, st_size=203423744, ...}) = 0
19215 stat("/var/lib/libvirt/images/boot.iso", {st_mode=S_IFREG|0644, st_size=203423744, ...}) = 0
19215 open("/var/lib/libvirt/images/boot.iso", O_RDONLY|O_SYNC|O_CLOEXEC) = 21
19215 close(21)                         = 0
19215 stat("/var/lib/libvirt/images/boot.iso", {st_mode=S_IFREG|0644, st_size=203423744, ...}) = 0
19215 open("/var/lib/libvirt/images/boot.iso", O_RDWR|O_SYNC|O_CLOEXEC) = -1 EACCES (Permission denied)
19215 write(19, "{\"error\": {\"class\": \"UndefinedError\", \"desc\": \"An undefined error has ocurred\", \"data\": {}}}\r\n", 94) = 94

So it opens it readonly to start with, then for some reason, closes it and retries read-write and fails.

Comment 4 Daniel Berrangé 2010-06-09 10:42:27 UTC

After looking at this there are several problems at the QEMU level

 - The EACCESS error condition is not being reported back via QMP properly

 - Either 
    * QEMU needs to honour the original 'readonly=on' flag for this device when
changing media
   Or
    * The 'change' command needs to allow specification of the readonly flag
for the new media


Since fixing the latter problem will also require libvirt changes, I'm leaving this bug assigned to libvirt and have open bug 602186 for qemu-kvm.

Comment 5 Daniel Berrangé 2010-06-22 14:36:41 UTC

Please retest this bug with  qemu-kvm-0.12.1.2-2.78.el6 which has a suitable fix present

Comment 6 dyuan 2010-06-23 01:37:00 UTC

Retest with qemu-kvm-0.12.1.2-2.79.el6, attached successfully.

# virsh attach-disk snapshot-4 /var/lib/libvirt/images/test.iso hdc --driver
file --type cdrom --mode readonly
Disk attached successfully

Comment 7 Nan Zhang 2010-09-09 07:38:04 UTC

Verified with libvirt-0.8.1-27.el6.x86_64 & qemu-kvm-0.12.1.2-2.113.el6.x86_64.

# virsh attach-disk rhel6 /var/lib/libvirt/boot/boot.iso hdc --driver file --type cdrom --mode readonly
Disk attached successfully

Note You need to log in before you can comment on or make changes to this bug.