Bug 732461 - QEMU rejects ide drives readonly unless CDROM. This stops SELinux readonly support from working.
QEMU rejects ide drives readonly unless CDROM. This stops SELinux readonly su...
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: libvirt (Show other bugs)
17
All Linux
unspecified Severity medium
: ---
: ---
Assigned To: Libvirt Maintainers
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2011-08-22 10:34 EDT by Richard Haines
Modified: 2012-10-20 17:24 EDT (History)
10 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-10-20 17:24:58 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Richard Haines 2011-08-22 10:34:36 EDT
Description of problem:
When an IDE drive parameter "readonly=on" is passed to QEMU, QEMU will return an error that read-only ide drives cannot be used (except when its a CDROM).

To overcome this and allow SELinux to manage the readonly service via policy, libvirt should check the ide device and if CDROM and <readonly/> is set in the XML config file, then pass over "readonly=on".

If the ide device is not CDROM but <readonly/> is set in the XML config file, then do not pass over "readonly=on", this will allow QEMU to work and also SELinux to set the appropriate contexts for read-only management via the policy.

Version-Release number of selected component (if applicable):
libvirt-0.8.8-7.fc15.x86_64
with:
qemu-system-x86-0.14.0-7.fc15.x86_64


How reproducible:
Always

Steps to Reproduce:
1. Using Virtual Machine Manager set VM details "IDE Disk 1" to "readonly"
2. Run VM and error will appear.
Comment 1 Fedora Admin XMLRPC Client 2011-09-22 13:53:13 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 2 Fedora Admin XMLRPC Client 2011-09-22 13:57:05 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 3 Fedora Admin XMLRPC Client 2011-11-30 15:03:50 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 4 Fedora Admin XMLRPC Client 2011-11-30 15:03:55 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 5 Fedora Admin XMLRPC Client 2011-11-30 15:08:18 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 6 Fedora Admin XMLRPC Client 2011-11-30 15:08:24 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 7 Cole Robinson 2012-06-06 20:33:37 EDT
That sounds like a valid idea. Does qemu still error on readonly=on? Maybe this isn't relevant anymore. Either way it's straightforward to test, so moving to F17 for further triage.
Comment 8 Richard Haines 2012-06-08 11:53:38 EDT
(In reply to comment #7)
> That sounds like a valid idea. Does qemu still error on readonly=on? Maybe
> this isn't relevant anymore. Either way it's straightforward to test, so
> moving to F17 for further triage.

I've just tested Fedora 17 and still has the same problem.
Comment 9 Cole Robinson 2012-10-20 17:24:58 EDT
Actually thinking some more about this, I don't think there's anything to change here.

Requesting <readonly/> in the XML is not only about disk image permissions but about actually setting having the HW bits set as readonly. qemu is correctly reporting it can't handle a readonly IDE disk and we should honor that.

You can have libvirt use the RO selinux label for a particular disk using an <seclabel> element in the <disk> block, check the 'source' section here:

http://libvirt.org/formatdomain.html#elementsDisks

Closing as WONTFIX

Note You need to log in before you can comment on or make changes to this bug.