Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Description of problem:
Non-root user could list guests created by root in readonly mode
Version-Release number of selected component (if applicable):
- libvirt-0.8.7-13.el6.x86_64
- qemu-kvm-0.12.1.2-2.150.el6.x86_64
- 2.6.32-120.el6.x86_64
How reproducible:
always
Steps to Reproduce:
1.[test@dhcp-65-132 root]$ virsh -c qemu:///system --readonly
Welcome to virsh, the virtualization interactive terminal.
Type: 'help' for help with commands
'quit' to quit
virsh > list --all
Id Name State
----------------------------------
1 rhel6-qcow2 paused
- cdrom_test shut off
- demo shut off
- pxe shut off
virsh > dominfo rhel6-qcow2
Id: 1
Name: rhel6-qcow2
UUID: 1ad340df-65de-b140-6713-4427534eada7
OS Type: hvm
State: paused
CPU(s): 1
CPU time: 25.3s
Max memory: 1048576 kB
Used memory: 1048576 kB
Persistent: yes
Autostart: disable
Security model: selinux
Security DOI: 0
Security label: system_u:system_r:svirt_t:s0:c167,c187 (enforcing)
Actual results:
In not-root user, could do read operation for the guests created by root
Expected results:
In not-root user, could not do read operation for the guests created by root
Additional info:
In rhel6.0.z (libvirt-0.8.1-27.el6_0.5.x86_64.rpm), also exists this issue. But in read write mode, cannot list the guests created by root user.
Please ignore 'Additional info' in description, because on libvirt-0.8.1-27.el6_0.5.x86_64.rpm, non-root user cannot connect to qemu:///system in rw mode at all.
Is 'non-root user cannot connect qemu:///system in rw mode' an expected result ?
Also on libvirt-0.8.7-15.el6.x86_64
[test@localhost root]$ virsh -c qemu:///system
error: authentication failed
error: failed to connect to the hypervisor
Comment 3RHEL Program Management
2011-04-04 02:06:15 UTC
Since RHEL 6.1 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.
Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.
This is behavior by design. By default, a non-root user may issue read-only commands that will display the state of the system as defined by users with read-write access. If the default behavior isn't desirable for a particular situation, it can be configured to be more restrictive. See: http://libvirt.org/auth.html
Description of problem: Non-root user could list guests created by root in readonly mode Version-Release number of selected component (if applicable): - libvirt-0.8.7-13.el6.x86_64 - qemu-kvm-0.12.1.2-2.150.el6.x86_64 - 2.6.32-120.el6.x86_64 How reproducible: always Steps to Reproduce: 1.[test@dhcp-65-132 root]$ virsh -c qemu:///system --readonly Welcome to virsh, the virtualization interactive terminal. Type: 'help' for help with commands 'quit' to quit virsh > list --all Id Name State ---------------------------------- 1 rhel6-qcow2 paused - cdrom_test shut off - demo shut off - pxe shut off virsh > dominfo rhel6-qcow2 Id: 1 Name: rhel6-qcow2 UUID: 1ad340df-65de-b140-6713-4427534eada7 OS Type: hvm State: paused CPU(s): 1 CPU time: 25.3s Max memory: 1048576 kB Used memory: 1048576 kB Persistent: yes Autostart: disable Security model: selinux Security DOI: 0 Security label: system_u:system_r:svirt_t:s0:c167,c187 (enforcing) Actual results: In not-root user, could do read operation for the guests created by root Expected results: In not-root user, could not do read operation for the guests created by root Additional info: In rhel6.0.z (libvirt-0.8.1-27.el6_0.5.x86_64.rpm), also exists this issue. But in read write mode, cannot list the guests created by root user.