Bug 1075173

Summary: set mozilla_plugin_use_spice selinux boolean to on upon spice-xpi installation
Product: Red Hat Enterprise Linux 7 Reporter: David Jaša <djasa>
Component: spice-xpiAssignee: Christophe Fergeau <cfergeau>
Status: CLOSED ERRATA QA Contact: Desktop QE <desktop-qa-list>
Severity: high Docs Contact:
Priority: unspecified    
Version: 7.0CC: dblechte, desktop-qa-list, dominick.grift, mgrepl, mkrcmari, rbalakri, tpelka, vbenes, vehrlich
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: spice-xpi-2.8-7.el7 Doc Type: Bug Fix
Doc Text:
Cause: When starting remote-viewer through spice-xpi, the selinux policy blocks execution of the suid helper used for USB redirection Consequence: An error would occur when trying to redirect an USB device in a remote-viewer session started through spice-xpi Fix: When the spice-xpi RPM is installed, the selinux policy is changed to allow USB redirection Result: It's possible to redirect USB devices
 Story Points: ---
Clone Of: 1049491 Environment:
Last Closed: 2015-03-05 07:59:16 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Patch to set the needed selinux boolean on spice-xpi (un)install none

Description David Jaša 2014-03-11 16:09:17 UTC 
This bug affects RHEL 7 as well:
> type=AVC msg=audit(1394550285.321:15759): avc:  denied  { setattr } for  pid=10106 comm="spice-client-gl" name="027" dev="devtmpfs" ino=5876831 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
> type=AVC msg=audit(1394550285.322:15760): avc:  denied  { write } for  pid=10077 comm="remote-viewer" name="027" dev="devtmpfs" ino=5876831 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
> type=USER_AVC msg=audit(1394550601.710:15765): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?

# getsebool mozilla_plugin_use_spice
mozilla_plugin_use_spice --> off

When the bool is flipped to on, USB redirection starts working.



+++ This bug was initially created as a clone of Bug #1049491 +++

Description of problem:
Mozilla policy doesn't make much sense wrt spice. To quote the documentation:
'''
 If  you  want  to  allow mozilla plugin to support spice protocols, you
 must turn on the mozilla_plugin_use_spice boolean. Disabled by default.

       setsebool -P mozilla_plugin_use_spice 1
'''
The actual behaviour is that no matter what the boolean value is:
  * remote-viewer gets always launched
  * usb redirection fails with this pop-up but no AVC:
'''
USB redirection error: Could not redirect Generic Mass Storage: Error setting USB device node ACL: 'Error PoliciKit error: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.102" (uid=0 pid=5258 comm="/usr/libexec/spice-gtk-x86_64//spice-client-glib-u") interface="org.freedesktop.PolicyKit1.Authority" member="CheckAuthorization" error name="(unset)" requested_reply="0" destination=":1.10" (uid=999 pid=821 comm="/usr/lib/polkit-1/polkitd --no-debug ")'
'''

Once you switch selinux to permissive mode, usb redirection starts working and you'll get a proper AVC - again no matter what mozilla_plugin_use_spice says:
> type=AVC msg=audit(1389109363.772:603): avc:  denied  { setattr } for  pid=5289 comm="spice-client-gl" name="004" dev="devtmpfs" ino=37964 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
> type=SYSCALL msg=audit(1389109363.772:603): arch=x86_64 syscall=setxattr success=yes exit=0 a0=7f557a0d7080 a1=7f5578faee2f a2=7f557a128bc0 a3=2c items=0 ppid=4933 pid=5289 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 ses=1 tty=(none) comm=spice-client-gl exe=/usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null


IMNSHO all of these doesn't make much sense. Once spice-xpi package is present, user _should_ be able to launch spice client (remote-viewer) from the browser and once user is able to launch the client, it should work fully. USB redirection should be controlled separately if desired.


Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-106.fc20.noarch
virt-viewer-0.5.7-2.fc20.x86_64
spice-gtk-0.22-1.fc20.x86_64

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

--- Additional comment from Daniel Walsh on 2014-01-07 21:16:43 CET ---

22f1a722564b015faa7333653fbba22482701f51 fixes this in git.

I agree this should be allowed.  It is a bug.

--- Additional comment from Fedora Update System on 2014-01-13 23:58:22 CET ---

selinux-policy-3.12.1-116.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-116.fc20

--- Additional comment from Fedora Update System on 2014-01-15 06:59:56 CET ---

Package selinux-policy-3.12.1-116.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-116.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-0806/selinux-policy-3.12.1-116.fc20
then log in and leave karma (feedback).

--- Additional comment from Fedora Update System on 2014-01-16 08:13:08 CET ---

selinux-policy-3.12.1-116.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 1 Miroslav Grepl 2014-03-12 09:45:54 UTC 
We want to keep 

mozilla_plugin_use_spice

turn off by default. If needed then it should be turned on by spice pkg.
Comment 2 David Jaša 2014-03-12 09:51:18 UTC 
moving to correct component. spice-xpi package needs to set this bool upon installation, otherwise USB redirection won't work for customers without further configuration.
Comment 3 Christophe Fergeau 2014-03-18 16:14:43 UTC 
(In reply to David Jaša from comment #2)
> moving to correct component. spice-xpi package needs to set this bool upon
> installation, otherwise USB redirection won't work for customers without
> further configuration.

Do you know how/if this works in f20? The spice plugin selinux policy seems to be the same in both, and f20 spice-xpi is not doing anything special to the selinux policy on install.
Comment 4 Christophe Fergeau 2014-03-18 17:15:02 UTC 
Created attachment 876045 [details]
Patch to set the needed selinux boolean on spice-xpi (un)install
Comment 5 Christophe Fergeau 2014-03-18 17:24:12 UTC 
The Requires line is probably better as
-Requires:       policycoreutils
+Requires(post): /sbin/setsebool
Comment 6 Christophe Fergeau 2014-03-18 17:41:08 UTC 
(In reply to Christophe Fergeau from comment #3)
> Do you know how/if this works in f20?

I just tested this on f20, and after reenabling plugin-container (which I had disabled myself), I hit this issue too, this will need to be fixed there too.
Comment 7 David Blechter 2014-03-18 22:43:58 UTC 
Not a blocker for 7.0, need investigation and 7.1 is right place and time for it. 
Note, that spice-xpi is used for launching spice-client via rhevm. The new approach for launching spice-client is using vv files, that is already supported in rhevm 

moving to 7.1 as was approved by Ronald Pacheco
Comment 14 errata-xmlrpc 2015-03-05 07:59:16 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0355.html