Bug 1044131

Summary: Redirection of USB device causes error
Product: [Fedora] Fedora
Reporter: Aram Agajanian <agajania>
Component: selinux-policy-targeted
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Ben Levenson <benl>
Severity: unspecified
Priority: unspecified
Version: 20
CC: dwalsh, hdegoede
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.12.1-116.fc20
Doc Type: Bug Fix
Last Closed: 2014-01-16 07:08:37 UTC
Type: Bug
Attachments:
Output of command "ausearch -m user_avc -ts recent" after hotplugging a USB flash drive with remote-viewer connected to a virtual desktop and unconfined_mozilla_plugin_transition=on. (Flags: none)

Description Aram Agajanian 2013-12-17 21:07:40 UTC
Description of problem:
When I bring up a RHEV 3.2 virtual desktop from the User Portal and then try to redirect a USB device, an SELinux error like the following pops up.

USB redirection error: Could not auto-redirect USB Flash Memory [0930:6508] at 2-12: Error setting USB device node ACL: 'Error PoliciKit error: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.151" (uid=0 pid=6563 comm="/usr/libexec/spice-gtk-x86_64//spice-client-glib-u") interface="org.freedesktop.PolicyKit1.Authority" member="CheckAuthorization" error name="(unset)" requested_reply="0" destination=":1.9" (uid=999 pid=921 comm="/usr/lib/polkit-1/polkitd --no-debug ")'

Version-Release number of selected component (if applicable):
usbredir-0.6-5.fc20.x86_64

How reproducible:
Happens every time.

Steps to Reproduce:
1. Log into RHEV 3.2 User Portal.
2. Attach to a virtual desktop.
3. Make sure that "Enable USB Auto-share" is enabled in the User Portal Console Options.
4. Hotplug a USB flash drive.

Actual results:
An error message pops up.

Expected results:
The USB flash drive should be redirected to the virtual desktop.

Additional info:
If I run the command "setenforce 0" as root, then the USB flash drive will be redirected properly.
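
As an added example (not part of the original report or of any project named in it), the following Python splits the D-Bus denial quoted in the description into its fields and the two peers, so the blocked call can be read at a glance. The function names are hypothetical and the message layout is assumed to match the one shown above.

```python
import re

# D-Bus part of the error text from the bug description above, copied verbatim.
DENIAL = (
    'GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An SELinux policy '
    'prevents this sender from sending this message to this recipient, '
    '0 matched rules; type="method_call", sender=":1.151" (uid=0 pid=6563 '
    'comm="/usr/libexec/spice-gtk-x86_64//spice-client-glib-u") '
    'interface="org.freedesktop.PolicyKit1.Authority" '
    'member="CheckAuthorization" error name="(unset)" requested_reply="0" '
    'destination=":1.9" (uid=999 pid=921 '
    'comm="/usr/lib/polkit-1/polkitd --no-debug ")'
)

_PEER = re.compile(
    r'(sender|destination)="([^"]*)" \(uid=(\d+) pid=(\d+) comm="([^"]*)"\)')
_FIELD = re.compile(r'([a-z_]+(?: [a-z_]+)?)="([^"]*)"')


def parse_dbus_denial(msg):
    """Split a dbus-daemon SELinux denial into message fields and the two peers."""
    if "An SELinux policy prevents this sender" not in msg:
        return None  # not an SELinux denial reported by the bus
    peers = {
        role: {"bus_name": name, "uid": int(uid), "pid": int(pid),
               "comm": comm.strip()}
        for role, name, uid, pid, comm in _PEER.findall(msg)
    }
    # Drop the sender/destination groups so comm= is not read as a message field.
    rest = _PEER.sub("", msg)
    fields = {k.replace(" ", "_"): v for k, v in _FIELD.findall(rest)}
    return {**fields, **peers}


def summarize(denial):
    """One line for a ticket: who was blocked from calling what on whom."""
    s, d = denial["sender"], denial["destination"]
    return "uid={} {} -> uid={} {}: {}.{}".format(
        s["uid"], s["comm"], d["uid"], d["comm"].split()[0],
        denial["interface"], denial["member"])


if __name__ == "__main__":
    print(summarize(parse_dbus_denial(DENIAL)))
```
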

Comment 1 Hans de Goede 2013-12-18 08:59:32 UTC
This seems to be an SELinux issue, re-assigning.

Comment 2 Aram Agajanian 2013-12-18 17:36:36 UTC
Running the following command (provided by the SELinux Troubleshooter) seems to have stopped the error from happening when I hotplug the flash drive:

setsebool -P unconfined_mozilla_plugin_transition 0

Comment 3 Hans de Goede 2013-12-18 18:54:10 UTC
Ah, right, you're starting virt-viewer through the xpi browser plugin, hmm.

SELinux people, any ideas how to solve this? virt-viewer will launch /usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper, which needs to talk to polkit.

Comment 4 Daniel Walsh 2013-12-19 20:45:36 UTC
Could you attach the AVC data?

ausearch -m avc -ts recent

After it happens.

Comment 5 Aram Agajanian 2013-12-20 22:02:57 UTC
Created attachment 839847
Output of command "ausearch -m user_avc -ts recent" after hotplugging a USB flash drive with remote-viewer connected to a virtual desktop and unconfined_mozilla_plugin_transition=on.

Comment 6 Daniel Walsh 2014-01-03 20:25:34 UTC
7cde7460ef51d02f6649db2efd200e363cb242fc allows this in git.

Comment 7 Fedora Update System 2014-01-13 22:54:26 UTC
selinux-policy-3.12.1-116.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-116.fc20

Comment 8 Fedora Update System 2014-01-15 05:56:04 UTC
Package selinux-policy-3.12.1-116.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-116.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-0806/selinux-policy-3.12.1-116.fc20
then log in and leave karma (feedback).

Comment 9 Aram Agajanian 2014-01-15 19:02:23 UTC
This problem seems to have gone away with selinux-policy-targeted-3.12.1-116.fc20.noarch installed and mozilla_plugin_use_spice set to on.  (The default value for mozilla_plugin_use_spice is off.)

Comment 10 Fedora Update System 2014-01-16 07:08:37 UTC
selinux-policy-3.12.1-116.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.