Bug 537227
Summary: | libvirt does not support vendor/product based USB device passthrough with QEMU | |||
---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Bradley <bbaetz> | |
Component: | libvirt | Assignee: | Daniel Berrangé <berrange> | |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | |
Severity: | medium | Docs Contact: | ||
Priority: | medium | |||
Version: | 12 | CC: | awilliam, berrange, clalance, cochranb, crobinso, cz172638, dwalsh, erik, f.berard, frankcasper, gpryzby, gui1ty, itamar, jforbes, lucien, markmc, mgrepl, veillard, virt-maint | |
Target Milestone: | --- | Keywords: | Triaged | |
Target Release: | --- | |||
Hardware: | x86_64 | |||
OS: | Linux | |||
Whiteboard: | setroubleshoot_trace_hash:8fbd7b36950ed6b4ae57eff4ccb947c2544e2ec7085f5ca62bdcbd8e3d4f47f4 | |||
Fixed In Version: | libvirt-0.7.1-16.fc12 | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 549841 (view as bug list) | Environment: | ||
Last Closed: | 2010-05-28 17:56:42 UTC | Type: | --- | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 514891, 542450 |
Description
Bradley
2009-11-12 21:17:45 UTC
[root@plum ~]# getsebool -a | grep ^virt virt_manage_sysfs --> on virt_use_comm --> off virt_use_nfs --> off virt_use_samba --> off virt_use_usb --> on Trying USB passthrough for my iPhone - it doesn't work even if I turn selinux to permissive mode, but this presumably isn't helping... virt_use_comm doesn't help either looks like a libvirt bug since the device does not have the proper label on it. Its a usb device (my iPhone) that I've plugged in. Not sure why libvirt would be setting the label? Its: [bbaetz@plum ~]$ ls -lZ /dev/bus/usb/002/006 crw-rw-rw-+ root root system_u:object_r:usb_device_t:s0 /dev/bus/usb/002/006 which looks right - what should it be? What is the XML for the libvirt guest you have assigned this device to ? There is a current limitation in libvirt that means it will only correctly label USB devices that are assigned based on bus+device address. It won't correctly handle vendor+product ID assignment. We need to hook into libusb to fix the latter properly by resolving the vendor/product against currently present devices. Yes, its vendor+product - I get a new device number every time I plug it in. XML is: <hostdev mode='subsystem' type='usb' managed='no'> <source> <vendor id='0x05ac'/> <product id='0x1294'/> </source> </hostdev> (manually created to the XML) Ok, for the time being you'll have to put SELinux in permissive mode. We are working on getting product/vendor based assignment correctly with SELinux in enforcing mode, but its not going to be a quick fix. I also have to manually change the acls, since the 'qemu' user didn't have access. But it doesn't work anyway, apparently because the iphone requires ehci support, which qemu doesn't yet have. See: if (dev->source.subsys.u.usb.bus && dev->source.subsys.u.usb.device) { usbDevice *usb = usbGetDevice(conn, dev->source.subsys.u.usb.bus, dev->source.subsys.u.usb.device); if (!usb) goto done; ret = usbDeviceFileIterate(conn, usb, SELinuxSetSecurityUSBLabel, vm); usbFreeDevice(conn, usb); } else { /* XXX deal with product/vendor better */ ret = 0; } in src/security/security_selinux.c adjusting summary to be more clear and searchable (I also have observed this problem and was about to file a dupe). For quick reference, if you're hitting this problem, do: setenforce Permissive as root, and then restart libvirtd. Then passthrough should work. This isn't actually a SELinux issue. It is libvirt not being able to resolve the vendor+product IDs into a bus+device address. This impacts several areas of libvirt, including the inability to relabel the device for SELinux http://www.redhat.com/archives/libvir-list/2010-January/msg00341.html Still, it manifests as an SELinux issue and people are likely to search for it that way (that's what I did), which is why I wanted to add that word to the summary. Patch was included upstream in the 0.7.6 release http://libvirt.org/git/?p=libvirt.git;a=commit;h=5073aa994af460e775cb3e548528e28d7660fcc8 thanks. 'POST' status isn't used in Fedora (see https://fedoraproject.org/wiki/BugZappers/BugStatusWorkFlow ) - up until the fix actually lands in a Fedora package for the appropriate release it's still ASSIGNED. For a stable release, it goes to MODIFIED once you have it in updates-testing, and CLOSED once it's in updates. Setting back to ASSIGNED for now. -- Fedora Bugzappers volunteer triage team https://fedoraproject.org/wiki/BugZappers Please don't change the status. To quote the very link you gave "POST: This state is primarily used by developers working on virtualization and the kernel. " oops, sorry, early morning. (I don't remember putting that in there!) -- Fedora Bugzappers volunteer triage team https://fedoraproject.org/wiki/BugZappers *** Bug 550951 has been marked as a duplicate of this bug. *** *** Bug 574136 has been marked as a duplicate of this bug. *** *** Bug 504444 has been marked as a duplicate of this bug. *** libvirt-0.7.1-16.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/libvirt-0.7.1-16.fc12 libvirt-0.7.1-16.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update libvirt'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/libvirt-0.7.1-16.fc12 *** Bug 542450 has been marked as a duplicate of this bug. *** libvirt-0.7.1-16.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report. just noticed selinux message - 'SELinux is preventing /usr/bin/qemu-kvm "read write" access on /dev/bus/usb/006/002.' on fedora 13. This is still an issue in Fedora 14. Is this ever gonna get fixed? The only reason for me to run Linux is to do virtualization, but I can't do that without a fix to this. This bug is already fixed. If you have further issues, please file new BZs, rather than commenting on existing resolved bugs. What about re-opening this bug? I get SELinux denials when trying to attach USB devices to VMs. Reporting the alert as a bug leads me to closed duplicate bugs #579744, #580333. Following the chain, I end up here. In addition there is bug #638801 which is related, but not yet closed. Since others might end up here as well, I'd rather see this bug reopened and updated. Re-opening old bugs is very bad because even if the end result looks similar, you can't assume the root cause bug is the same. Always file a new bug, or find one that's still unresolved that shows the same symptoms. |