Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 886456

Summary: change-media fail with permission denied on virtio scsi cdrom
Product: Red Hat Enterprise Linux 7 Reporter: Wayne Sun <gsun>
Component: libvirtAssignee: Peter Krempa <pkrempa>
Status: CLOSED ERRATA QA Contact: Virtualization Bugs <virt-bugs>
Severity: medium Docs Contact:
Priority: high    
Version: 7.0CC: cwei, dyuan, eblake, hhan, lmiksik, mzhan, pkrempa, pzhang, rbalakri, weizhan, xuzhang, yanyang
Target Milestone: rcKeywords: TestOnly
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: libvirt-1.2.17-8.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-19 05:36:16 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
change-media log file none

Description Wayne Sun 2012-12-12 10:31:25 UTC 
Description of problem:
virsh change-media fail with permission denied on scsi cdrom

Version-Release number of selected component (if applicable):
libvirt-0.10.2-11.el6.x86_64
qemu-kvm-rhev-0.12.1.2-2.337.el6.x86_64
kernel-2.6.32-345.el6.x86_64

How reproducible:
always

Steps to Reproduce:

1.create two iso via mkiso
# mkisofs -o /var/lib/libvirt/images/bb.iso /tmp

# ll -Z /var/lib/libvirt/images/bb.iso
-rw-r--r--. qemu qemu system_u:object_r:virt_content_t:s0
/var/lib/libvirt/images/bb.iso


2.setup a domain with empty scsi cdrom
...
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <target dev='sdc' bus='scsi' tray='open'/>
      <readonly/>
      <alias name='scsi0-0-1-0'/>
      <address type='drive' controller='0' bus='0' target='1' unit='0'/>
    </disk>
    <controller type='scsi' index='0' model='virtio-scsi'>
      <alias name='scsi0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
    </controller>
...

3. insert cdrom
# virsh change-media libvirt_test_api sdc /var/lib/libvirt/images/bb.iso
--insert
error: Failed to complete action insert on media
error: internal error unable to execute QEMU command 'change': Could not
open '/var/lib/libvirt/images/bb.iso': Permission denied

# virsh change-media libvirt_test_api sdc /var/lib/libvirt/images/bb.iso
--insert --force
error: Failed to complete action insert on media
error: internal error unable to execute QEMU command 'change': Could not
open '/var/lib/libvirt/images/bb.iso': Permission denied


4. edit domain xml
# mkisofs -o /tmp/aaa.iso /tmp

# ll -Z /tmp/aaa.iso
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 /tmp/aaa.iso

# virsh edit libvirt_test_api
...
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <source file='/tmp/aaa.iso'/>
      <target dev='sdc' bus='scsi'/>
      <readonly/>
      <address type='drive' controller='0' bus='0' target='1' unit='0'/>
    </disk>
...

# virsh start libvirt_test_api
Domain libvirt_test_api started

# ll -Z /tmp/aaa.iso
-rw-r--r--. qemu qemu system_u:object_r:virt_content_t:s0 /tmp/aaa.iso


5. change-media with update

# virsh change-media libvirt_test_api sdc /var/lib/libvirt/images/bb.iso
--update --force
error: Failed to complete action update on media
error: internal error unable to execute QEMU command 'change': Could not
open '/var/lib/libvirt/images/bb.iso': Permission denied

6. eject
# virsh change-media libvirt_test_api sdc --eject
succeeded to complete action eject on media

7. make selinux permissive
# setenforce 0
# virsh change-media libvirt_test_api sdc /tmp/aaa.iso --insert
succeeded to complete action insert on media

It succeeded when selinux in permissive.

Actual results:
change-media fail with permission denied on scsi cdrom

Expected results:
should success

Additional info:
No AVC denial but only got:
# ausearch -m VIRT_RESOURCE
type=VIRT_RESOURCE msg=audit(1355306961.927:134802): user pid=7604 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=disk reason=update vm="libvirt_test_api" uuid=05867c1a-afeb-300e-e55e-2673391ae080 old-disk="?" new-disk="/tmp/aaa.iso" exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=failed'
Comment 6 Jiri Denemark 2014-04-04 21:37:17 UTC 
This bug was not selected to be addressed in Red Hat Enterprise Linux 6. We will look at it again within the Red Hat Enterprise Linux 7 product.
Comment 9 Peter Krempa 2015-09-15 06:08:36 UTC 
Steps 1-3 don't fail any more in the current versions but I didn't go through and try to find where we fixed it actually. Marking test-only.
Comment 10 Han Han 2015-09-22 10:59:32 UTC 
Peter, I test it in steps1-3 with latest libvirt. There is still a error when change-media.
Version:
libvirt-1.2.17-9.el7.x86_64
qemu-kvm-rhev-2.3.0-24.el7.x86_64
Steps:
1. Preparing a running guest, and an iso file.
# virsh list 
 Id    Name                           State
----------------------------------------------------
 10    t62                            running

# virsh dumpxml t62|awk '/<disk/,/<\/disk/'
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/t62.qcow2'/>
      <backingStore/>
      <target dev='vda' bus='virtio'/>
      <alias name='virtio-disk0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
    </disk>
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <backingStore/>
      <target dev='sdc' bus='scsi' tray='open'/>
      <readonly/>
      <alias name='scsi0-0-0-2'/>
      <address type='drive' controller='0' bus='0' target='0' unit='2'/>
    </disk>

# ls -Z /var/lib/libvirt/images/boot.iso 
-rw-r--r--. qemu qemu system_u:object_r:virt_content_t:s0 /var/lib/libvirt/images/boot.iso

2. Run virsh change-media, the first time failed, the second time succeed.
# virsh change-media t62 sdc --insert /var/lib/libvirt/images/boot.iso                             
error: Failed to complete action insert on media
error: internal error: unable to execute QEMU command 'eject': Device 'drive-scsi0-0-0-2' is locked

# virsh change-media t62 sdc --insert /var/lib/libvirt/images/boot.iso                             
error: Failed to complete action insert on media
error: internal error: unable to execute QEMU command 'eject': Device 'drive-scsi0-0-0-2' is locked

The log is in change-media-log.

Is it an issue about qemu or libvirt?
Comment 11 Han Han 2015-09-22 11:00:51 UTC 
Created attachment 1075771 [details]
change-media log file
Comment 12 Peter Krempa 2015-09-22 11:15:31 UTC 
"Device 'drive-scsi0-0-0-2' is locked" means that the guest locked the CDROM drive. Please umount it from the guest to avoid that problem.
Comment 13 Han Han 2015-09-23 08:47:03 UTC 
(In reply to Peter Krempa from comment #12)
> "Device 'drive-scsi0-0-0-2' is locked" means that the guest locked the CDROM
> drive. Please umount it from the guest to avoid that problem.

But there is no CDROM mounted in guest when first time change-media and no media in cdrom. I think the issue is not related to guest's mount.

I mistook the second time change-media results in comment10. It should be:
# virsh change-media t62 sdc --insert /var/lib/libvirt/images/boot.iso 
Successfully inserted media.
Comment 14 Han Han 2015-10-12 06:36:38 UTC 
Peter, pls check the issue in Comment10 and Comment13
Comment 15 Han Han 2015-10-13 03:51:14 UTC 
Verify it in libvirt-1.2.17-13.el7.x86_64:
1. Enforce selinux and set iso selinux label
# setenforce 1
# chown qemu:qemu /var/lib/libvirt/images/bb.iso
# chcon -u system_u -r object_r -t virt_content_t  /var/lib/libvirt/images/bb.iso
# ls -Z /var/lib/libvirt/images/bb.iso
-rw-r--r--. qemu qemu system_u:object_r:virt_content_t:s0 /var/lib/libvirt/images/bb.iso

2. Setup a domain with empty scsi cdrom
...
<disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <target dev='sdc' bus='scsi'/>
      <readonly/>
      <address type='drive' controller='0' bus='0' target='0' unit='2'/>
    </disk>
   <controller type='scsi' index='0' model='virtio-scsi'>
      <alias name='scsi0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
    </controller>
...

3. Insert cdrom
# virsh start t111
Domain t111 started
# virsh change-media t111 sdc  /var/lib/libvirt/images/bb.iso --insert
Successfully inserted media.
Login guest, mount and read the media successfully.

4. Update cdrom
Destroy and start t111
# virsh destroy t111&&virsh start t111
Domain t111 destroyed
Domain t111 started
update the cdrom
# virsh change-media t111 sdc  /var/lib/libvirt/images/bb.iso --update                          
Successfully updated media.

5.Get selinux info
# ausearch -m VIRT_RESOURCE|grep t111
type=VIRT_RESOURCE msg=audit(1444707931.767:34143): pid=5574 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=disk reason=update vm="t111" uuid=11b957c8-2e76-44f5-9959-791d350a4215 old-disk="?" new-disk="/var/lib/libvirt/images/bb.iso" exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
Comment 16 Han Han 2015-10-13 07:56:36 UTC 
For the issues in Comment10, refer to https://bugzilla.redhat.com/show_bug.cgi?id=1271069
Comment 18 errata-xmlrpc 2015-11-19 05:36:16 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2202.html