Red Hat Bugzilla – Bug 732461
QEMU rejects ide drives readonly unless CDROM. This stops SELinux readonly support from working.
Last modified: 2012-10-20 17:24:58 EDT
Description of problem:
When an IDE drive parameter "readonly=on" is passed to QEMU, QEMU will return an error that read-only ide drives cannot be used (except when it's a CDROM).
To overcome this and allow SELinux to manage the readonly service via policy, libvirt should check the ide device and if CDROM and <readonly/> is set in the XML config file, then pass over "readonly=on".
If the ide device is not CDROM but <readonly/> is set in the XML config file, then do not pass over "readonly=on"; this will allow QEMU to work and also SELinux to set the appropriate contexts for read-only management via the policy.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Using Virtual Machine Manager set VM details "IDE Disk 1" to "readonly"
2. Run VM and error will appear.
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
That sounds like a valid idea. Does qemu still error on readonly=on? Maybe this isn't relevant anymore. Either way it's straightforward to test, so moving to F17 for further triage.
(In reply to comment #7)
> That sounds like a valid idea. Does qemu still error on readonly=on? Maybe
> this isn't relevant anymore. Either way it's straightforward to test, so
> moving to F17 for further triage.
I've just tested Fedora 17 and it still has the same problem.
Actually thinking some more about this, I don't think there's anything to change here.
Requesting <readonly/> in the XML is not only about disk image permissions but about actually having the HW bits set as readonly. qemu is correctly reporting it can't handle a readonly IDE disk and we should honor that.
You can have libvirt use the RO selinux label for a particular disk using an <seclabel> element in the <disk> block, check the 'source' section here:
Closing as WONTFIX
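The two configurations discussed in this thread, as an added example that is not part of the original bug report or of libvirt's code: a small audit that flags IDE disks QEMU will reject because of `<readonly/>`, and recognises the per-disk `<seclabel>` override under `<source>`. The domain XML, image paths, the `virt_content_t` label value and the function name `audit_ide_disks` are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed libvirt domain fragment; paths and the SELinux label are assumptions.
DOMAIN_XML = """
<domain type='kvm'>
  <devices>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/data.img'/>
      <target dev='hda' bus='ide'/>
      <readonly/>
    </disk>
    <disk type='file' device='cdrom'>
      <source file='/var/lib/libvirt/images/install.iso'/>
      <target dev='hdc' bus='ide'/>
      <readonly/>
    </disk>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/ref.img'>
        <seclabel model='selinux' relabel='yes'>
          <label>system_u:object_r:virt_content_t:s0</label>
        </seclabel>
      </source>
      <target dev='hdb' bus='ide'/>
    </disk>
  </devices>
</domain>
"""

def audit_ide_disks(domain_xml):
    """Return {target dev: finding} for every IDE disk in the domain XML."""
    findings = {}
    for disk in ET.fromstring(domain_xml).iterfind("./devices/disk"):
        target = disk.find("target")
        if target is None or target.get("bus") != "ide":
            continue
        readonly = disk.find("readonly") is not None
        # Per-disk label override lives under <source>, as the thread suggests.
        label = disk.findtext("./source/seclabel/label")
        if readonly and disk.get("device") != "cdrom":
            # The case from this bug: QEMU refuses readonly=on for IDE non-CDROM.
            findings[target.get("dev")] = "rejected: readonly IDE disk that is not a CDROM"
        elif label:
            findings[target.get("dev")] = "label override: " + label.strip()
        else:
            findings[target.get("dev")] = "ok"
    return findings

if __name__ == "__main__":
    for dev, finding in sorted(audit_ide_disks(DOMAIN_XML).items()):
        print(dev, finding)
```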