This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 1029297 - SELinux is preventing /usr/bin/qemu-system-x86_64 from 'getattr' accesses on the sock_file /run/pcscd/pcscd.comm.
SELinux is preventing /usr/bin/qemu-system-x86_64 from 'getattr' accesses on ...
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
23
x86_64 Unspecified
high Severity medium
: ---
: ---
Assigned To: Lukas Vrabec
Fedora Extras Quality Assurance
abrt_hash:aab95cbb7ce26333b6997ec60ff...
: Reopened
: 1319692 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-11-12 00:57 EST by Michael Samuel
Modified: 2016-05-12 16:54 EDT (History)
16 users (show)

See Also:
Fixed In Version: selinux-policy-3.13.1-158.15.fc23
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-05-12 16:54:42 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Michael Samuel 2013-11-12 00:57:38 EST
Description of problem:
I tried attaching a smartcard to a virtual machine.
SELinux is preventing /usr/bin/qemu-system-x86_64 from 'getattr' accesses on the sock_file /run/pcscd/pcscd.comm.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that qemu-system-x86_64 should be allowed getattr access on the pcscd.comm sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep qemu-system-x86 /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:svirt_t:s0:c671,c925
Target Context                system_u:object_r:pcscd_var_run_t:s0
Target Objects                /run/pcscd/pcscd.comm [ sock_file ]
Source                        qemu-system-x86
Source Path                   /usr/bin/qemu-system-x86_64
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           qemu-system-x86-1.4.2-12.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-74.11.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.11.6-200.fc19.x86_64 #1 SMP Fri
                              Oct 18 22:34:18 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-11-12 16:27:17 EST
Last Seen                     2013-11-12 16:27:17 EST
Local ID                      4202a0ad-20b4-4b00-9d7f-975242cc4748

Raw Audit Messages
type=AVC msg=audit(1384234037.848:74626): avc:  denied  { getattr } for  pid=7725 comm="qemu-system-x86" path="/run/pcscd/pcscd.comm" dev="tmpfs" ino=11997 scontext=system_u:system_r:svirt_t:s0:c671,c925 tcontext=system_u:object_r:pcscd_var_run_t:s0 tclass=sock_file


type=SYSCALL msg=audit(1384234037.848:74626): arch=x86_64 syscall=stat success=no exit=EACCES a0=7f8a3dcaae60 a1=7fff05c53570 a2=7fff05c53570 a3=7fff05c534b0 items=0 ppid=1 pid=7725 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 ses=4294967295 tty=(none) comm=qemu-system-x86 exe=/usr/bin/qemu-system-x86_64 subj=system_u:system_r:svirt_t:s0:c671,c925 key=(null)

Hash: qemu-system-x86,svirt_t,pcscd_var_run_t,sock_file,getattr

Additional info:
reporter:       libreport-2.1.9
hashmarkername: setroubleshoot
kernel:         3.11.6-200.fc19.x86_64
type:           libreport
Comment 1 Daniel Walsh 2013-11-12 08:48:12 EST
If you run this in permissive mode, what avc's do you see? 

Did the smart card work in enforcing mode?
Comment 2 Lukas Vrabec 2016-03-21 09:13:28 EDT
*** Bug 1319692 has been marked as a duplicate of this bug. ***
Comment 3 Cole Robinson 2016-03-21 09:23:05 EDT
Dark Shenada, can you describe what you were doing when you hit this issue?
Is this via virt-manager or gnome boxes?
Comment 4 Cole Robinson 2016-04-11 18:52:19 EDT
Googling around, it looks like spice/libcacard can talk to pcscd for certain VM configurations. So I think selinux just needs to allow svirt_t to talk to pcscd. Moving back to selinux-policy
Comment 5 Cole Robinson 2016-04-19 13:30:24 EDT
(In reply to Cole Robinson from comment #4)
> Googling around, it looks like spice/libcacard can talk to pcscd for certain
> VM configurations. So I think selinux just needs to allow svirt_t to talk to
> pcscd. Moving back to selinux-policy

actually changing component
Comment 6 Fedora Update System 2016-04-27 18:26:26 EDT
selinux-policy-3.13.1-158.15.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-df52942a2f
Comment 7 Fedora Update System 2016-04-28 18:55:00 EDT
selinux-policy-3.13.1-158.15.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-df52942a2f
Comment 8 Fedora Update System 2016-05-12 16:54:14 EDT
selinux-policy-3.13.1-158.15.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.