Bug 638801

Summary: SELinux is denying /usr/bin/qemu-kvm "read" access on /dev/bus/usb/001/004
Product: [Fedora] Fedora
Reporter: Juan Urroa <observer1>
Component: libvirt
Assignee: Daniel Veillard <veillard>
Status: CLOSED NEXTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 13
CC: berrange, bugzilla_redhat, clalance, crobinso, dwalsh, itamar, jforbes, mgrepl, mma.priv, veillard, virt-maint
Hardware: x86_64
OS: Linux
Whiteboard: setroubleshoot_trace_hash:d64227b1431185ca4dc453d038c77a12b2c516591ba4b9a8b07baa6e0be277c8
Doc Type: Bug Fix
Last Closed: 2011-06-06 03:21:13 EDT

Attachments:
  kernel messages
  ioctl denial
  read write denial

Description Juan Urroa 2010-09-29 20:44:29 EDT
I got this trying to use USB from KVM. I have qemu_use_usb and virt_use_usb enabled.

SELinux is denying /usr/bin/qemu-kvm "read" access on

Detailed Description:

SELinux denied access requested by qemu-kvm. It is not expected that this access
is required by qemu-kvm and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access. See FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:svirt_t:s0:c505,c590
Target Context                system_u:object_r:usb_device_t:s0
Target Objects                /dev/bus/usb/001/004 [ chr_file ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           qemu-system-x86-0.12.5-1.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-57.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) #1 SMP Wed
                              Sep 15 03:36:55 UTC 2010 x86_64 x86_64
Alert Count                   3
First Seen                    Tue 28 Sep 2010 22:21:11 CDT
Last Seen                     Tue 28 Sep 2010 22:21:27 CDT
Local ID                      c22d2e7d-6f18-4072-a35c-0c609158d81f
Line Numbers                  

Raw Audit Messages            

node=(eliminado) type=AVC msg=audit(1285730487.600:71324): avc:  denied  { read } for  pid=6631 comm="qemu-kvm" path="/dev/bus/usb/001/004" dev=devtmpfs ino=1018914 scontext=system_u:system_r:svirt_t:s0:c505,c590 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file

node=(eliminado) type=SYSCALL msg=audit(1285730487.600:71324): arch=c000003e syscall=16 success=no exit=-13 a0=15 a1=8038550a a2=1e57a00 a3=58 items=0 ppid=1 pid=6631 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c505,c590 key=(null)

Hash String generated from  catchall,qemu-kvm,svirt_t,usb_device_t,chr_file,read
audit2allow suggests:

#============= svirt_t ==============
allow svirt_t usb_device_t:chr_file read;
Comment 1 Daniel Walsh 2010-09-30 14:42:54 EDT
This would either be an issue with libvirt or udev.
Comment 2 Sandro Janke 2010-12-16 08:24:06 EST
There are two other related SELinux alerts about "ioctl" and "read write" access, which both lead to bug #537227, which has been closed. I asked for it to be re-opened.
Comment 3 Daniel Walsh 2010-12-16 09:34:43 EST
All of the alerts come down to the same thing: the device is mislabeled, so svirt_t cannot read/write/ioctl/getattr the device.

So either libvirt did not set the label on the device, or udev changed the label on the device back to the default.
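The check a practitioner would want after Comment 3, as an added example that is not part of the bug report or of libvirt: take an AVC record like the one quoted in the report, pull out the guest's context and the denied device's context, and say whether the device carries the guest's own sVirt label or the udev default. It assumes the convention the thread describes, that libvirt relabels a device handed to a guest as svirt_image_t with the guest's MCS categories (Comment 4 observes exactly that label appearing briefly); the helper names (avc_field, diagnose_avc, device_label_now) are this example's own, and the sample AVC line is the one from the report, reused verbatim.

```shell
#!/bin/sh
# Added example (not from the bug report or from libvirt): classify an sVirt AVC
# denial by comparing the guest's context with the label on the denied device.
# Assumption taken from the thread: libvirt relabels a device passed to a guest
# as svirt_image_t carrying the guest's own MCS categories.

# Print the value of one key=value field from an audit record.
# Quoted values (path="...") and bare values (scontext=...) are both handled.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

# Pieces of a context "user:role:type:sensitivity[:categories]".
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }
ctx_cats() { printf '%s\n' "$1" | cut -d: -f5; }   # empty when no categories

# The label a device passed to this guest should carry (sVirt dynamic labelling).
expected_device_label() {
    printf 'system_u:object_r:svirt_image_t:s0:%s\n' "$(ctx_cats "$1")"
}

# Classify one AVC record:
#   default-label  target still has the udev default type usb_device_t, so libvirt
#                  never relabelled it, or udev recreated the node and reset it
#   wrong-guest    target is svirt_image_t but carries another guest's categories
#   ok             target already carries this guest's label; the cause is elsewhere
#   other          target type is not one this check understands
diagnose_avc() {
    sctx=$(avc_field "$1" scontext)
    tctx=$(avc_field "$1" tcontext)
    case "$(ctx_type "$tctx")" in
        usb_device_t) echo default-label ;;
        svirt_image_t)
            if [ "$(ctx_cats "$tctx")" = "$(ctx_cats "$sctx")" ]; then
                echo ok
            else
                echo wrong-guest
            fi ;;
        *) echo other ;;
    esac
}

# Current label of a device node on a live host (GNU stat; not exercised offline).
device_label_now() { stat -c %C "$1"; }

# Constructed sample: the AVC record quoted in the report above, verbatim.
SAMPLE_AVC='node=(eliminado) type=AVC msg=audit(1285730487.600:71324): avc:  denied  { read } for  pid=6631 comm="qemu-kvm" path="/dev/bus/usb/001/004" dev=devtmpfs ino=1018914 scontext=system_u:system_r:svirt_t:s0:c505,c590 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file'

echo "verdict:  $(diagnose_avc "$SAMPLE_AVC")"
echo "device:   $(avc_field "$SAMPLE_AVC" path)"
echo "expected: $(expected_device_label "$(avc_field "$SAMPLE_AVC" scontext)")"
```

On the report's record this prints default-label: the node is usb_device_t:s0 while the guest runs as svirt_t:s0:c505,c590, so the missing piece is the relabel, not a policy rule. That is why the audit2allow suggestion in the description (allow svirt_t usb_device_t:chr_file read) is the wrong fix: it would let every sVirt-confined guest read every default-labelled USB node regardless of categories, which removes the per-guest isolation sVirt exists to provide. On a live host, device_label_now /dev/bus/usb/001/004 shows the node's current label, and getsebool virt_use_usb confirms the boolean the reporter mentions.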
Comment 4 Sandro Janke 2010-12-16 14:04:49 EST
Created attachment 469198 [details]
kernel messages

After having attached the device and the usual auto-mount kicking in, the devices in /dev/bus/usb/002/ are of type usb_device_t.

When I attach the device to a guest and subsequently turn the VM on, I see the label very briefly change to svirt_image_t, only for the whole device to disappear a second later and a new device to appear which receives type usb_device_t again.

This seems odd to me. It appears libvirt is disconnecting (ejecting?) the device.

See attachment for what /var/log/messages tells me during the full cycle (from plugging in the physical hardware to booting; all in permissive mode, btw).
Comment 5 Sandro Janke 2010-12-17 16:20:07 EST
Created attachment 469448 [details]
ioctl denial
Comment 6 Sandro Janke 2010-12-17 16:20:40 EST
Created attachment 469449 [details]
read write denial
Comment 7 Bug Zapper 2011-05-31 08:17:19 EDT
This message is a reminder that Fedora 13 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 13.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '13'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 13's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 13 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: