| Field | Value |
|---|---|
| Summary: | SELinux is preventing /usr/sbin/pcscd from read, write access on the chr_file 006. |
| Product: | Fedora |
| Reporter: | Vincent passaro <vincent.passaro> |
| Component: | selinux-policy |
| Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED INSUFFICIENT_DATA |
| QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium |
| Priority: | unspecified |
| Version: | 15 |
| CC: | amit.shah, berrange, dominick.grift, dwalsh, dwmw2, ehabkost, gcosta, itamar, jaswinder, jforbes, kalevlember, knoel, mgrepl, ntroncos, ondrejj, rrelyea, scottt.tw, virt-maint |
| Target Milestone: | --- |
| Target Release: | --- |
| Hardware: | x86_64 |
| OS: | Linux |
| Whiteboard: | setroubleshoot_trace_hash:ed0243d5678ae7baac0eaf259d8b4f1261d3b4068fe025ed1689036cb2d1abdb |
| Doc Type: | Bug Fix |
| Story Points: | --- |
| Last Closed: | 2011-11-07 21:12:52 UTC |
| Type: | --- |
| Regression: | --- |
| Mount Type: | --- |
| Documentation: | --- |
| Category: | --- |
| oVirt Team: | --- |
| Cloudforms Team: | --- |
"svirt_image_t:s0:c312,c866" is label for virtualized guest image. What are you exactly doing? This occurs when presenting a smart card reader to a virtual guest through Virtual Machine Manager. Did you notice any loss of functionality? Yes, I have been having a lot of issues with the pcsc daemon and libvirt. This messaged blocked the card reader from being presented to the virtual guest, but I'm also seeing that the pcscd will die and not restart when being presented. Any chance that you can test this functionality in a permissive mode so that we can determine whether this is all it wants or whether it needs more after this. It also allows us to determine whether this functionality works at all. Did libvirt label the pcscd device as svirt_image_t? Please provide the libvirt guest XML (virsh dumpxml $GUESTNAME) showing the smartcard configuration, and the /var/log/libvirt/qemu/$GUEST.log file Created attachment 502051 [details]
Windows 7 Gues /var/log/libvirt/qemu/Win7.log
Per your request.
Yes, I can test in permissive mode. Vincent, Skip that "testing in permissive mode" for now. Seems to be either a misconfiguration or bug in libvirt. Dominick, Ok, I'll hold off. Please let me know what I can do to test / help. Vincent, Please enclose the output of: virsh dumpxml $GUESTNAME Where $GUESTNAME is the name of your guest Dominick, Per your request. Also, just on a side note the CPU model in the XML is labeled as Westmere, but in the guest it comes up as core2duo. I doubt that has any effect on this issue, but just wanted to throw that in there. I created another bug for the issue...Bug 708927 <domain type='kvm'> <name>Win7</name> <uuid>29f8dddd-262b-04c2-c0f8-3f10adfc2049</uuid> <memory>2048000</memory> <currentMemory>2048000</currentMemory> <vcpu>1</vcpu> <os> <type arch='x86_64' machine='pc-0.14'>hvm</type> <boot dev='hd'/> </os> <features> <acpi/> <apic/> <pae/> </features> <cpu match='exact'> <model>Westmere</model> <vendor>Intel</vendor> <feature policy='require' name='tm2'/> <feature policy='require' name='est'/> <feature policy='require' name='monitor'/> <feature policy='require' name='ss'/> <feature policy='require' name='vme'/> <feature policy='require' name='rdtscp'/> <feature policy='require' name='ht'/> <feature policy='require' name='ds'/> <feature policy='require' name='pbe'/> <feature policy='require' name='tm'/> <feature policy='require' name='vmx'/> <feature policy='require' name='ds_cpl'/> <feature policy='require' name='xtpr'/> <feature policy='require' name='acpi'/> </cpu> <clock offset='localtime'/> <on_poweroff>destroy</on_poweroff> <on_reboot>restart</on_reboot> <on_crash>restart</on_crash> <devices> <emulator>/usr/bin/qemu-kvm</emulator> <disk type='file' device='disk'> <driver name='qemu' type='raw'/> <source file='/var/lib/libvirt/images/Win7.img'/> <target dev='hda' bus='ide'/> <address type='drive' controller='0' bus='0' unit='0'/> </disk> <disk type='file' device='cdrom'> <driver name='qemu' type='raw'/> <source 
file='/home/tummy/Downloads/en_office_ultimate_2007_united_states_x86_dvd_480625.iso'/> <target dev='hdc' bus='ide'/> <readonly/> <address type='drive' controller='0' bus='1' unit='0'/> </disk> <disk type='file' device='disk'> <driver name='qemu' type='vmdk'/> <source file='/var/lib/libvirt/images/Win7-1.img'/> <target dev='hdb' bus='ide'/> <address type='drive' controller='0' bus='0' unit='1'/> </disk> <controller type='ide' index='0'> <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/> </controller> <controller type='virtio-serial' index='0'> <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/> </controller> <interface type='network'> <mac address='52:54:00:b0:3a:fc'/> <source network='default'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/> </interface> <serial type='pty'> <target port='0'/> </serial> <console type='pty'> <target type='serial' port='0'/> </console> <channel type='spicevmc'> <target type='virtio' name='com.redhat.spice.0'/> <address type='virtio-serial' controller='0' bus='0' port='1'/> </channel> <input type='mouse' bus='ps2'/> <graphics type='spice' autoport='yes'/> <sound model='ich6'> <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/> </sound> <video> <model type='qxl' heads='1'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/> </video> <memballoon model='virtio'> <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/> </memballoon> </devices> </domain> That XML does not show any smartcard present, nor do the command line args for QEMU show any smartcard present. Sorry about that. I pulled the device out while trying to troubleshoot it.
Here it is attached to the VM.
]# virsh dumpxml Win7
<domain type='kvm' id='1'>
<name>Win7</name>
<uuid>29f8dddd-262b-04c2-c0f8-3f10adfc2049</uuid>
<memory>2048000</memory>
<currentMemory>2048000</currentMemory>
<vcpu>1</vcpu>
<os>
<type arch='x86_64' machine='pc-0.14'>hvm</type>
<boot dev='hd'/>
</os>
<features>
<acpi/>
<apic/>
<pae/>
</features>
<cpu match='exact'>
<model>Westmere</model>
<vendor>Intel</vendor>
<feature policy='require' name='tm2'/>
<feature policy='require' name='est'/>
<feature policy='require' name='monitor'/>
<feature policy='require' name='ss'/>
<feature policy='require' name='vme'/>
<feature policy='require' name='rdtscp'/>
<feature policy='require' name='ht'/>
<feature policy='require' name='ds'/>
<feature policy='require' name='pbe'/>
<feature policy='require' name='tm'/>
<feature policy='require' name='vmx'/>
<feature policy='require' name='ds_cpl'/>
<feature policy='require' name='xtpr'/>
<feature policy='require' name='acpi'/>
</cpu>
<clock offset='localtime'/>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>restart</on_crash>
<devices>
<emulator>/usr/bin/qemu-kvm</emulator>
<disk type='file' device='disk'>
<driver name='qemu' type='raw'/>
<source file='/var/lib/libvirt/images/Win7.img'/>
<target dev='hda' bus='ide'/>
<alias name='ide0-0-0'/>
<address type='drive' controller='0' bus='0' unit='0'/>
</disk>
<disk type='file' device='cdrom'>
<driver name='qemu' type='raw'/>
<source file='/home/tummy/Downloads/en_office_ultimate_2007_united_states_x86_dvd_480625.iso'/>
<target dev='hdc' bus='ide'/>
<readonly/>
<alias name='ide0-1-0'/>
<address type='drive' controller='0' bus='1' unit='0'/>
</disk>
<disk type='file' device='disk'>
<driver name='qemu' type='vmdk'/>
<source file='/var/lib/libvirt/images/Win7-1.img'/>
<target dev='hdb' bus='ide'/>
<alias name='ide0-0-1'/>
<address type='drive' controller='0' bus='0' unit='1'/>
</disk>
<controller type='ide' index='0'>
<alias name='ide0'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
</controller>
<controller type='virtio-serial' index='0'>
<alias name='virtio-serial0'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
</controller>
<interface type='network'>
<mac address='52:54:00:b0:3a:fc'/>
<source network='default'/>
<target dev='vnet0'/>
<alias name='net0'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
<serial type='pty'>
<source path='/dev/pts/1'/>
<target port='0'/>
<alias name='serial0'/>
</serial>
<console type='pty' tty='/dev/pts/1'>
<source path='/dev/pts/1'/>
<target type='serial' port='0'/>
<alias name='serial0'/>
</console>
<channel type='spicevmc'>
<target type='virtio' name='com.redhat.spice.0'/>
<alias name='channel0'/>
<address type='virtio-serial' controller='0' bus='0' port='1'/>
</channel>
<input type='mouse' bus='ps2'/>
<graphics type='spice' port='5900' tlsPort='-1' autoport='yes'/>
<sound model='ich6'>
<alias name='sound0'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
</sound>
<video>
<model type='qxl' heads='1'/>
<alias name='video0'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
</video>
<hostdev mode='subsystem' type='usb' managed='yes'>
<source>
<vendor id='0x04e6'/>
<product id='0x5119'/>
<address bus='2' device='4'/>
</source>
<alias name='hostdev0'/>
</hostdev>
<memballoon model='virtio'>
<alias name='balloon0'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
</memballoon>
</devices>
<seclabel type='dynamic' model='selinux'>
<label>system_u:system_r:svirt_t:s0:c522,c776</label>
<imagelabel>system_u:object_r:svirt_image_t:s0:c522,c776</imagelabel>
</seclabel>
</domain>
I still don't see any smartcard device in the XML, e.g. the XML should have something like
<controller type='ccid' index='0'/>
<smartcard mode='host'>
<address type='ccid' controller='0' slot='0'/>
</smartcard>
I'm having a similar issue.

The same SEAlert pops when my laptop resumes from a suspend. (the only difference is that it's trying to access char 009 )

An additional quirk is that /usr/sbin/pcscd is tagged as deleted.
/usr/sbin/pcscd(deleted)

(In reply to comment #17)
> I'm having a similar issue.
>
> The same SEAlert pops when my laptop resumes from a suspend. (the only
> difference is that it's trying to access char 009 )
>
> An additional quirk is that /usr/sbin/pcscd is tagged as deleted.
> /usr/sbin/pcscd(deleted)

Do you have "smartcard" directive in your XML?

(In reply to comment #18)
> (In reply to comment #17)
> > I'm having a similar issue.
> >
> > The same SEAlert pops when my laptop resumes from a suspend. (the only
> > difference is that it's trying to access char 009 )
> >
> > An additional quirk is that /usr/sbin/pcscd is tagged as deleted.
> > /usr/sbin/pcscd(deleted)
>
> Do you have "smartcard" directive in your XML?

I don't have any directive. I'm running my system as a native installation.

Does it still happen?

I have not seen it happen for a while now. But I have not been stressing the suspend-resume cycle. I will do so, tonight and get back to you.

I have not been able to reproduce the problem. It seems that it has gone away/fixed in some patch release.
SELinux is preventing /usr/sbin/pcscd from read, write access on the chr_file 006.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that pcscd should be allowed read write access on the 006 chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep pcscd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context: system_u:system_r:pcscd_t:s0
Target Context: system_u:object_r:svirt_image_t:s0:c312,c866
Target Objects: 006 [ chr_file ]
Source: pcscd
Source Path: /usr/sbin/pcscd
Port: <Unknown>
Host: (removed)
Source RPM Packages: pcsc-lite-1.7.2-2.fc15
Target RPM Packages:
Policy RPM: selinux-policy-3.9.16-24.fc15
Selinux Enabled: True
Policy Type: targeted
Enforcing Mode: Enforcing
Host Name: (removed)
Platform: Linux (removed) 2.6.38.6-27.fc15.x86_64 #1 SMP Sun May 15 17:23:28 UTC 2011 x86_64 x86_64
Alert Count: 1
First Seen: Mon 30 May 2011 08:57:05 PM PDT
Last Seen: Mon 30 May 2011 08:57:05 PM PDT
Local ID: c46327ec-e60d-4c6a-a556-bf2c55cb90ad

Raw Audit Messages:
type=AVC msg=audit(1306814225.90:202): avc: denied { read write } for pid=17399 comm="pcscd" name="006" dev=devtmpfs ino=104967 scontext=system_u:system_r:pcscd_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c312,c866 tclass=chr_file

type=SYSCALL msg=audit(1306814225.90:202): arch=x86_64 syscall=open success=no exit=EACCES a0=7fff04b65540 a1=2 a2=7fff04b65554 a3=7fff04b66350 items=0 ppid=17398 pid=17399 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=pcscd exe=/usr/sbin/pcscd subj=system_u:system_r:pcscd_t:s0 key=(null)

Hash: pcscd,pcscd_t,svirt_image_t,chr_file,read,write

audit2allow

#============= pcscd_t ==============
#!!!! This avc is allowed in the current policy
allow pcscd_t svirt_image_t:chr_file { read write };

audit2allow -R

#============= pcscd_t ==============
#!!!! This avc is allowed in the current policy
allow pcscd_t svirt_image_t:chr_file { read write };
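An added triage helper, written for this page and not taken from the bug report, libvirt or selinux-policy: it parses the raw AVC record above and the virsh dumpxml output from the thread, splits both SELinux contexts into type and MCS categories, and reports whether the denied target carries a sVirt image label, whether its categories belong to the guest run captured in the XML (dynamic labels change at each guest start, so the c312,c866 in the alert need not match a later dumpxml), and whether the reader is attached as a raw USB hostdev rather than the smartcard device the XML was expected to contain. The AVC string and the trimmed domain XML are constructed from the page's own output; no libvirt or setroubleshoot API is assumed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples: the raw AVC record from the report and the thread's virsh dumpxml
# output trimmed to the hostdev and seclabel parts that matter for the triage below.
AVC_LINE = ('type=AVC msg=audit(1306814225.90:202): avc: denied { read write } for pid=17399 '
            'comm="pcscd" name="006" dev=devtmpfs ino=104967 scontext=system_u:system_r:pcscd_t:s0 '
            'tcontext=system_u:object_r:svirt_image_t:s0:c312,c866 tclass=chr_file')
DOMAIN_XML = """<domain type='kvm' id='1'><name>Win7</name><devices>
<hostdev mode='subsystem' type='usb' managed='yes'><source><vendor id='0x04e6'/>
<product id='0x5119'/><address bus='2' device='4'/></source></hostdev></devices>
<seclabel type='dynamic' model='selinux'><label>system_u:system_r:svirt_t:s0:c522,c776</label>
<imagelabel>system_u:object_r:svirt_image_t:s0:c522,c776</imagelabel></seclabel></domain>"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Split an AVC record into its key=value fields plus the sorted denied permissions."""
    perms = re.search(r'denied\s+\{([^}]*)\}', line)
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    fields['perms'] = sorted(perms.group(1).split()) if perms else []
    return fields

def split_context(ctx):
    """user:role:type:sensitivity[:categories] -> dict, with categories as a set."""
    user, role, typ, level = ctx.split(':', 3)
    sens, _, cats = level.partition(':')
    return {'user': user, 'role': role, 'type': typ, 'sens': sens,
            'cats': set(cats.split(',')) if cats else set()}

def domain_labels(xml_text):
    """Return (imagelabel, USB hostdev vendor/product ids, smartcard modes) from dumpxml output."""
    root = ET.fromstring(xml_text)
    usb = [(h.find('source/vendor').get('id'), h.find('source/product').get('id'))
           for h in root.findall("./devices/hostdev[@type='usb']")]
    cards = [s.get('mode') for s in root.findall('./devices/smartcard')]
    return root.findtext('./seclabel/imagelabel'), usb, cards

def triage(avc_line, xml_text):
    """Relate the denial to the guest: sVirt-labelled target? same guest run? how is the reader attached?"""
    avc = parse_avc(avc_line)
    target = split_context(avc['tcontext'])
    image, usb, cards = domain_labels(xml_text)
    return {
        'perms': avc['perms'], 'target_type': target['type'],
        'svirt_labelled': target['type'] == 'svirt_image_t',
        # Dynamic sVirt categories are drawn afresh at each guest start; they match only within one run.
        'same_guest_run': target['cats'] == split_context(image)['cats'],
        'usb_hostdevs': usb, 'smartcard_device': bool(cards),
    }
```

Running `triage(AVC_LINE, DOMAIN_XML)` on the page's data flags a sVirt-labelled target, categories from a different guest run, one USB hostdev (0x04e6:0x5119) and no smartcard device.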