Bug 2318409

Summary: SELinux prevents USB hotplug of Prolific PL2303 USB to serial adaptor to a CentOS 6 guest
Product: [Fedora] Fedora Reporter: Joachim Katzer <jokatzer>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED EOL QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: unspecified    
Version: 41CC: awilliam, cfergeau, dwalsh, feborges, gnome-sig, lvrabec, marcandre.lureau, mmalik, omosnacek, pkoncity, suraj.ghimire7, vmojzis, zpytela
Target Milestone: ---Keywords: SELinux
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2025-12-16 17:16:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Joachim Katzer 2024-10-13 14:12:04 UTC 
My system is a Geekom MiniPC IT11 with Fedora Silverblue 41 Beta and boxes and virt-manager installed as layered packages. 
A Prolific PL2303 USB to serial adaptor connect the PC to an old Garmin GPS device Foretrex 201 with a serial port.

Connecting a Prolific PL2303 USB to serial adaptor to CentOS6 does not work unless:
- Silverblue host user added to group dialout (not a bug)
- SELinux set to Permissive



Reproducible: Always

Steps to Reproduce:
1. Add user on host to group dialout
2. Setup VM in GNOME-Boxes.
2. Connect device with a serial port (e.g. Garmin GPS)
3. Redirect USB Device to VM (with SELinux enforced and then permissive), check /dev/ttyUSB0

3.3
Actual Results:  
If SELinux is enforced, redirection fails. GNOME-Boxes simply reports "Redirection .. failed").
If SELinux is permissive, redirection is successful.




Expected Results:  
Redirection should work also in Enforced mode.

Testing this issue requires a device with a serial port and a Prolific PL2303 USB to serial adaptor.

I am using an outdated Firefox 17 plugin to load data from the GPS device to the VM guest. That's the reason I cannot use a recent Linux distro.

For testing the issue it should be sufficient to check if /dev/ttyUSB0 shows up on the host at first, and then in VM after redirection.
Comment 1 Adam Williamson 2024-10-14 15:48:57 UTC 
As the issue is an SELinux denial and it works in permissive mode, moving to selinux-policy. Joachim, it would be great if you can get the details about the SELinux denial. If you run the "SELinux Troubleshooter" app it should be able to automatically submit a bug report with all the needed details, which we can close this as a dupe of. Otherwise, can you at least do:

sudo ausearch -m avc

and post the output? thanks!
Comment 2 Joachim Katzer 2024-10-14 16:58:13 UTC 
When I try to redirect the adaptor, no AVCs are logged.
I had to turn off dontaudit rules by the command "semodule -DB". Then the following AVCs are logged on redirecting /dev/ttyUSB0:

ime->Mon Oct 14 18:40:47 2024
type=AVC msg=audit(1728924047.690:1368): avc:  denied  { noatsecure } for  pid=5219 comm="polkitd" scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=1
----
time->Mon Oct 14 18:40:47 2024
type=AVC msg=audit(1728924047.690:1369): avc:  denied  { rlimitinh } for  pid=5219 comm="pkla-check-auth" scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=1
----
time->Mon Oct 14 18:40:47 2024
type=AVC msg=audit(1728924047.690:1370): avc:  denied  { siginh } for  pid=5219 comm="pkla-check-auth" scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=1

However, when dontaudit rules are active, then redirection fails even if SELinux is in "Permissive" mode.
The log entries are equal. After turning on the dontaudit rules by "semodule -B", redirection is working again in and only in "Permissive" mode.
Comment 3 Adam Williamson 2025-12-02 01:21:39 UTC 
This message is a reminder that Fedora Linux 41 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 41 on 2025-12-15.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '41'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change the 'version' 
to a later Fedora Linux version. Note that the version field may be hidden.
Click the "Show advanced fields" button if you do not see it.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora Linux 41 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora Linux, you are encouraged to change the 'version' to a later version
prior to this bug being closed.
Comment 4 Samyak Jain (RedHat) 2025-12-16 17:16:05 UTC 
Fedora Linux 41 entered end-of-life (EOL) status on 2025-12-15.

Fedora Linux 41 is no longer maintained, which means that it
will not receive any further security or bug fix updates. As a result we
are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora Linux
please feel free to reopen this bug against that version. Note that the version
field may be hidden. Click the "Show advanced fields" button if you do not see
the version field.

If you are unable to reopen this bug, please file a new report against an
active release.

Thank you for reporting this bug and we are sorry it could not be fixed.