Bug 2318409

Summary: SELinux prevents USB hotplug of Prolific PL2303 USB to serial adaptor to a CentOS 6 guest
Product: Fedora
Component: selinux-policy
Version: 41
Hardware: x86_64
OS: Linux
Status: NEW
Severity: low
Priority: unspecified
Keywords: SELinux
Reporter: Joachim Katzer <jokatzer>
Assignee: Zdenek Pytela <zpytela>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: awilliam, cfergeau, dwalsh, feborges, gnome-sig, lvrabec, marcandre.lureau, mmalik, omosnacek, pkoncity, suraj.ghimire7, vmojzis, zpytela
Target Milestone: ---
Target Release: ---
Doc Type: If docs needed, set a value

Description Joachim Katzer 2024-10-13 14:12:04 UTC
My system is a Geekom MiniPC IT11 with Fedora Silverblue 41 Beta and Boxes and virt-manager installed as layered packages.
A Prolific PL2303 USB to serial adaptor connects the PC to an old Garmin GPS device (Foretrex 201) with a serial port.

Connecting a Prolific PL2303 USB to serial adaptor to CentOS 6 does not work unless:
- Silverblue host user added to group dialout (not a bug)
- SELinux set to Permissive

Reproducible: Always

Steps to Reproduce:
1. Add user on host to group dialout
2. Set up VM in GNOME Boxes.
3. Connect device with a serial port (e.g. Garmin GPS)
4. Redirect USB device to VM (with SELinux enforcing and then permissive), check /dev/ttyUSB0

Actual Results:
If SELinux is enforcing, redirection fails. GNOME Boxes simply reports "Redirection ... failed".
If SELinux is permissive, redirection is successful.

Expected Results:
Redirection should also work in Enforcing mode.

Testing this issue requires a device with a serial port and a Prolific PL2303 USB to serial adaptor.

I am using an outdated Firefox 17 plugin to load data from the GPS device to the VM guest. That's the reason I cannot use a recent Linux distro.

For testing the issue it should be sufficient to check if /dev/ttyUSB0 shows up on the host at first, and then in the VM after redirection.

Comment 1 Adam Williamson 2024-10-14 15:48:57 UTC
As the issue is an SELinux denial and it works in permissive mode, moving to selinux-policy. Joachim, it would be great if you can get the details about the SELinux denial. If you run the "SELinux Troubleshooter" app it should be able to automatically submit a bug report with all the needed details, which we can close this as a dupe of. Otherwise, can you at least do:

sudo ausearch -m avc

and post the output? thanks!

Comment 2 Joachim Katzer 2024-10-14 16:58:13 UTC
When I try to redirect the adaptor, no AVCs are logged.
I had to turn off dontaudit rules with the command "semodule -DB". Then the following AVCs are logged on redirecting /dev/ttyUSB0:

time->Mon Oct 14 18:40:47 2024
type=AVC msg=audit(1728924047.690:1368): avc:  denied  { noatsecure } for  pid=5219 comm="polkitd" scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=1
----
time->Mon Oct 14 18:40:47 2024
type=AVC msg=audit(1728924047.690:1369): avc:  denied  { rlimitinh } for  pid=5219 comm="pkla-check-auth" scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=1
----
time->Mon Oct 14 18:40:47 2024
type=AVC msg=audit(1728924047.690:1370): avc:  denied  { siginh } for  pid=5219 comm="pkla-check-auth" scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=1

However, when dontaudit rules are active, redirection fails even if SELinux is in "Permissive" mode.
The log entries are the same. After turning the dontaudit rules back on with "semodule -B", redirection works again in, and only in, "Permissive" mode.
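The denial-collection steps Adam asked for in comment 1 and the dontaudit toggle Joachim used in comment 2, written up as a shell script. This is an added example, not part of the bug report or of selinux-policy. The function names (host_sees_adaptor, avc_summary, collect_avcs) are made up for this example; the sample records are a constructed copy of the three AVCs quoted in comment 2; contexts are assumed to have the user:role:type:level layout seen on the page; the interactive part assumes auditd is running and that the script is run as root on the host.

```shell
#!/bin/sh
# Added example (not from the bug report or from selinux-policy): collect AVC
# records around a USB redirect attempt with the dontaudit rules disabled, and
# reduce each raw record to one line:
#   <permission(s)> <source type> <target type> <class> <permissive flag>
# Assumes auditd is logging and that the collect step runs as root.

# Constructed sample: the three records quoted in comment 2 of the bug.
SAMPLE_AVC='type=AVC msg=audit(1728924047.690:1368): avc:  denied  { noatsecure } for  pid=5219 comm="polkitd" scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=1
type=AVC msg=audit(1728924047.690:1369): avc:  denied  { rlimitinh } for  pid=5219 comm="pkla-check-auth" scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=1
type=AVC msg=audit(1728924047.690:1370): avc:  denied  { siginh } for  pid=5219 comm="pkla-check-auth" scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=1'

# The check from the description: the adaptor must show up on the host first.
# ls -Z also prints the SELinux label of the device node.
host_sees_adaptor() {
  [ -c /dev/ttyUSB0 ] && ls -lZ /dev/ttyUSB0
}

# avc_summary: raw "ausearch -m avc" output on stdin, one summary line per
# denial on stdout. Lines that are not AVC records (time->, ----) are skipped.
avc_summary() {
  awk '
    # third colon-separated field of a context is its type (user:role:type:level)
    function type_of(ctx,    n, f) {
      n = split(ctx, f, ":")
      return (n >= 3) ? f[3] : ctx
    }
    /^type=AVC / && / denied / {
      perm = ""; src = ""; dst = ""; cls = ""; mode = ""
      # permissions sit between the braces; several are joined with commas
      if (match($0, /[{][^}]*[}]/)) {
        perm = substr($0, RSTART + 1, RLENGTH - 2)
        sub(/^ +/, "", perm)
        sub(/ +$/, "", perm)
        gsub(/ /, ",", perm)
      }
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/)   src  = type_of(substr($i, 10))
        if ($i ~ /^tcontext=/)   dst  = type_of(substr($i, 10))
        if ($i ~ /^tclass=/)     cls  = substr($i, 8)
        if ($i ~ /^permissive=/) mode = substr($i, 12)
      }
      printf "%s %s %s %s %s\n", perm, src, dst, cls, mode
    }'
}

# collect_avcs: the procedure from comments 1 and 2. Disable the dontaudit
# rules (otherwise records like the sample above are never written), let the
# user attempt the redirect, pull the last ten minutes of AVC records, and
# restore the rules whatever happens. Needs root.
collect_avcs() {
  trap 'semodule -B' EXIT INT TERM
  semodule -DB
  printf 'dontaudit rules disabled. Redirect the adaptor in Boxes now, then press Enter: ' >&2
  read -r _
  ausearch -m avc -ts recent 2>/dev/null | avc_summary | sort | uniq -c
}

# Run interactively as: sudo sh this_script.sh collect
if [ "${1:-}" = "collect" ]; then
  host_sees_adaptor || { echo "/dev/ttyUSB0 not present on the host" >&2; exit 1; }
  collect_avcs
fi
```

Run it with `sudo sh this_script.sh collect` while reproducing the redirect, once in Enforcing and once in Permissive mode, and compare the two summaries. On the sample from comment 2 the summary shows three process-class denials between policykit_t and policykit_auth_t, all logged with permissive=1 and none referencing a device node, which is what a reader of the raw records otherwise has to work out by hand. The dontaudit rules are restored from a trap so an interrupted run does not leave the policy in its noisy state.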