Bug 886456 - change-media fail with permission denied on virtio scsi cdrom
Summary: change-media fail with permission denied on virtio scsi cdrom
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt
Version: 7.0
Hardware: x86_64
OS: Linux
Priority: high
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Peter Krempa
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-12-12 10:31 UTC by Wayne Sun
Modified: 2016-04-26 15:20 UTC

Fixed In Version: libvirt-1.2.17-8.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-19 05:36:16 UTC
Target Upstream Version:
Embargoed:


Attachments
change-media log file (14.91 KB, application/zip), 2015-09-22 11:00 UTC, Han Han


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:2202 0 normal SHIPPED_LIVE libvirt bug fix and enhancement update 2015-11-19 08:17:58 UTC

Description Wayne Sun 2012-12-12 10:31:25 UTC
Description of problem:
virsh change-media fails with permission denied on scsi cdrom

Version-Release number of selected component (if applicable):
libvirt-0.10.2-11.el6.x86_64
qemu-kvm-rhev-0.12.1.2-2.337.el6.x86_64
kernel-2.6.32-345.el6.x86_64

How reproducible:
always

Steps to Reproduce:

1.create two iso via mkiso
# mkisofs -o /var/lib/libvirt/images/bb.iso /tmp

# ll -Z /var/lib/libvirt/images/bb.iso
-rw-r--r--. qemu qemu system_u:object_r:virt_content_t:s0 /var/lib/libvirt/images/bb.iso


2.setup a domain with empty scsi cdrom
...
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <target dev='sdc' bus='scsi' tray='open'/>
      <readonly/>
      <alias name='scsi0-0-1-0'/>
      <address type='drive' controller='0' bus='0' target='1' unit='0'/>
    </disk>
    <controller type='scsi' index='0' model='virtio-scsi'>
      <alias name='scsi0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
    </controller>
...

3. insert cdrom
# virsh change-media libvirt_test_api sdc /var/lib/libvirt/images/bb.iso --insert
error: Failed to complete action insert on media
error: internal error unable to execute QEMU command 'change': Could not open '/var/lib/libvirt/images/bb.iso': Permission denied

# virsh change-media libvirt_test_api sdc /var/lib/libvirt/images/bb.iso --insert --force
error: Failed to complete action insert on media
error: internal error unable to execute QEMU command 'change': Could not open '/var/lib/libvirt/images/bb.iso': Permission denied


4. edit domain xml
# mkisofs -o /tmp/aaa.iso /tmp

# ll -Z /tmp/aaa.iso
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 /tmp/aaa.iso

# virsh edit libvirt_test_api
...
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <source file='/tmp/aaa.iso'/>
      <target dev='sdc' bus='scsi'/>
      <readonly/>
      <address type='drive' controller='0' bus='0' target='1' unit='0'/>
    </disk>
...

# virsh start libvirt_test_api
Domain libvirt_test_api started

# ll -Z /tmp/aaa.iso
-rw-r--r--. qemu qemu system_u:object_r:virt_content_t:s0 /tmp/aaa.iso


5. change-media with update

# virsh change-media libvirt_test_api sdc /var/lib/libvirt/images/bb.iso --update --force
error: Failed to complete action update on media
error: internal error unable to execute QEMU command 'change': Could not open '/var/lib/libvirt/images/bb.iso': Permission denied

6. eject
# virsh change-media libvirt_test_api sdc --eject
succeeded to complete action eject on media

7. make selinux permissive
# setenforce 0
# virsh change-media libvirt_test_api sdc /tmp/aaa.iso --insert
succeeded to complete action insert on media

It succeeded when SELinux is in permissive mode.

Actual results:
change-media fails with permission denied on scsi cdrom

Expected results:
should succeed

Additional info:
No AVC denial but only got:
# ausearch -m VIRT_RESOURCE
type=VIRT_RESOURCE msg=audit(1355306961.927:134802): user pid=7604 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=disk reason=update vm="libvirt_test_api" uuid=05867c1a-afeb-300e-e55e-2673391ae080 old-disk="?" new-disk="/tmp/aaa.iso" exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=failed'

Comment 6 Jiri Denemark 2014-04-04 21:37:17 UTC
This bug was not selected to be addressed in Red Hat Enterprise Linux 6. We will look at it again within the Red Hat Enterprise Linux 7 product.

Comment 9 Peter Krempa 2015-09-15 06:08:36 UTC
Steps 1-3 don't fail any more in the current versions but I didn't go through and try to find where we fixed it actually. Marking test-only.

Comment 10 Han Han 2015-09-22 10:59:32 UTC
Peter, I tested steps 1-3 with the latest libvirt. There is still an error on change-media.
Version:
libvirt-1.2.17-9.el7.x86_64
qemu-kvm-rhev-2.3.0-24.el7.x86_64
Steps:
1. Preparing a running guest, and an iso file.
# virsh list 
 Id    Name                           State
----------------------------------------------------
 10    t62                            running

# virsh dumpxml t62|awk '/<disk/,/<\/disk/'
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/t62.qcow2'/>
      <backingStore/>
      <target dev='vda' bus='virtio'/>
      <alias name='virtio-disk0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
    </disk>
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <backingStore/>
      <target dev='sdc' bus='scsi' tray='open'/>
      <readonly/>
      <alias name='scsi0-0-0-2'/>
      <address type='drive' controller='0' bus='0' target='0' unit='2'/>
    </disk>

# ls -Z /var/lib/libvirt/images/boot.iso 
-rw-r--r--. qemu qemu system_u:object_r:virt_content_t:s0 /var/lib/libvirt/images/boot.iso

2. Run virsh change-media: the first time failed, the second time succeeded.
# virsh change-media t62 sdc --insert /var/lib/libvirt/images/boot.iso                             
error: Failed to complete action insert on media
error: internal error: unable to execute QEMU command 'eject': Device 'drive-scsi0-0-0-2' is locked

# virsh change-media t62 sdc --insert /var/lib/libvirt/images/boot.iso                             
error: Failed to complete action insert on media
error: internal error: unable to execute QEMU command 'eject': Device 'drive-scsi0-0-0-2' is locked

The log is in change-media-log.

Is it an issue about qemu or libvirt?

Comment 11 Han Han 2015-09-22 11:00:51 UTC
Created attachment 1075771 [details]
change-media log file

Comment 12 Peter Krempa 2015-09-22 11:15:31 UTC
"Device 'drive-scsi0-0-0-2' is locked" means that the guest locked the CDROM drive. Please umount it from the guest to avoid that problem.

Comment 13 Han Han 2015-09-23 08:47:03 UTC
(In reply to Peter Krempa from comment #12)
> "Device 'drive-scsi0-0-0-2' is locked" means that the guest locked the CDROM
> drive. Please umount it from the guest to avoid that problem.

But there was no CDROM mounted in the guest at the first change-media, and no media in the cdrom. I think the issue is not related to the guest's mount.

I got the result of the second change-media wrong in comment 10. It should be:
# virsh change-media t62 sdc --insert /var/lib/libvirt/images/boot.iso 
Successfully inserted media.

Comment 14 Han Han 2015-10-12 06:36:38 UTC
Peter, pls check the issue in Comment10 and Comment13

Comment 15 Han Han 2015-10-13 03:51:14 UTC
Verify it in libvirt-1.2.17-13.el7.x86_64:
1. Enforce selinux and set iso selinux label
# setenforce 1
# chown qemu:qemu /var/lib/libvirt/images/bb.iso
# chcon -u system_u -r object_r -t virt_content_t  /var/lib/libvirt/images/bb.iso
# ls -Z /var/lib/libvirt/images/bb.iso
-rw-r--r--. qemu qemu system_u:object_r:virt_content_t:s0 /var/lib/libvirt/images/bb.iso

2. Setup a domain with empty scsi cdrom
...
<disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <target dev='sdc' bus='scsi'/>
      <readonly/>
      <address type='drive' controller='0' bus='0' target='0' unit='2'/>
    </disk>
   <controller type='scsi' index='0' model='virtio-scsi'>
      <alias name='scsi0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
    </controller>
...

3. Insert cdrom
# virsh start t111
Domain t111 started
# virsh change-media t111 sdc  /var/lib/libvirt/images/bb.iso --insert
Successfully inserted media.
Login guest, mount and read the media successfully.

4. Update cdrom
Destroy and start t111
# virsh destroy t111&&virsh start t111
Domain t111 destroyed
Domain t111 started
update the cdrom
# virsh change-media t111 sdc  /var/lib/libvirt/images/bb.iso --update                          
Successfully updated media.

5.Get selinux info
# ausearch -m VIRT_RESOURCE|grep t111
type=VIRT_RESOURCE msg=audit(1444707931.767:34143): pid=5574 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=disk reason=update vm="t111" uuid=11b957c8-2e76-44f5-9959-791d350a4215 old-disk="?" new-disk="/var/lib/libvirt/images/bb.iso" exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
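
Added example, not part of the comments in this bug and not libvirt code: the description notes that no AVC denial was logged, so the `res=` field of libvirt's VIRT_RESOURCE audit record is the only audit trail of the refused media change. The sketch below parses the two records quoted on this page and reports the failed disk change; the function names `parse_record` and `failed_disk_changes` are illustrative.

```python
import re
from datetime import datetime, timezone

# The two VIRT_RESOURCE records quoted on this page (description and comment 15).
SAMPLE_LOG = r"""
type=VIRT_RESOURCE msg=audit(1355306961.927:134802): user pid=7604 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=disk reason=update vm="libvirt_test_api" uuid=05867c1a-afeb-300e-e55e-2673391ae080 old-disk="?" new-disk="/tmp/aaa.iso" exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=failed'
type=VIRT_RESOURCE msg=audit(1444707931.767:34143): pid=5574 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=disk reason=update vm="t111" uuid=11b957c8-2e76-44f5-9959-791d350a4215 old-disk="?" new-disk="/var/lib/libvirt/images/bb.iso" exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$")
PAIR = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one raw audit line into a dict, or return None if it is not one."""
    m = HEADER.match(line.strip())
    if m is None:
        return None
    rtype, secs, serial, rest = m.groups()
    # libvirt's own key=value pairs sit inside a nested msg='...' string.
    outer, _, inner = rest.partition(" msg='")
    fields = {"type": rtype, "serial": int(serial),
              "time": datetime.fromtimestamp(int(secs), timezone.utc)}
    for chunk in (outer, inner.rstrip("'")):
        for key, value in PAIR.findall(chunk):
            fields[key] = value.strip('"')
    return fields


def failed_disk_changes(text):
    """Return the disk changes that libvirt audited with res=failed."""
    hits = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec and rec["type"] == "VIRT_RESOURCE" \
                and rec.get("resrc") == "disk" and rec.get("res") == "failed":
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in failed_disk_changes(SAMPLE_LOG):
        print(f'{rec["time"]:%Y-%m-%d %H:%M:%S}Z vm={rec["vm"]} '
              f'reason={rec["reason"]} new-disk={rec["new-disk"]}')
```
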

Comment 16 Han Han 2015-10-13 07:56:36 UTC
For the issues in Comment10, refer to https://bugzilla.redhat.com/show_bug.cgi?id=1271069

Comment 18 errata-xmlrpc 2015-11-19 05:36:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2202.html

