Description of problem:
When I bring up a RHEV 3.2 virtual desktop from the User Portal and then try to redirect a USB device, an SELinux error like the following pops up.

USB redirection error: Could not auto-redirect USB Flash Memory [0930:6508] at 2-12: Error setting USB device node ACL: 'Error PoliciKit error: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.151" (uid=0 pid=6563 comm="/usr/libexec/spice-gtk-x86_64//spice-client-glib-u") interface="org.freedesktop.PolicyKit1.Authority" member="CheckAuthorization" error name="(unset)" requested_reply="0" destination=":1.9" (uid=999 pid=921 comm="/usr/lib/polkit-1/polkitd --no-debug ")'

Version-Release number of selected component (if applicable):
usbredir-0.6-5.fc20.x86_64

How reproducible:
Happens every time.

Steps to Reproduce:
1. Log into RHEV 3.2 User Portal.
2. Attach to a virtual desktop.
3. Make sure that "Enable USB Auto-share" is enabled in the User Portal Console Options.
4. Hotplug a USB flash drive.

Actual results:
An error message pops up.

Expected results:
The USB flash drive should be redirected to the virtual desktop.

Additional info:
If I run the command "setenforce 0" as root, then the USB flash drive will be redirected properly.
This seems to be an SELinux issue; re-assigning.
Running the following command (provided by the SELinux Troubleshooter) seems to have stopped the error from happening when I hotplug the flash drive:

setsebool -P unconfined_mozilla_plugin_transition 0
Ah, right, you're starting virt-viewer through the xpi browser plugin, hmm. SELinux people, any ideas how to solve this? virt-viewer will launch /usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper, which needs to talk to polkit.
Could you attach the AVC data?

ausearch -m avc -ts recent

After it happens.
Created attachment 839847
Output of command "ausearch -m user_avc -ts recent" after hotplugging a USB flash drive with remote-viewer connected to a virtual desktop and unconfined_mozilla_plugin_transition=on.
7cde7460ef51d02f6649db2efd200e363cb242fc allows this in git.
selinux-policy-3.12.1-116.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-116.fc20
Package selinux-policy-3.12.1-116.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-116.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-0806/selinux-policy-3.12.1-116.fc20
then log in and leave karma (feedback).
This problem seems to have gone away with selinux-policy-targeted-3.12.1-116.fc20.noarch installed and mozilla_plugin_use_spice set to on. (The default value for mozilla_plugin_use_spice is off.)
selinux-policy-3.12.1-116.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
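Added example, not part of the original report or of any project named in it: a small Python parser for the D-Bus denial quoted in the description, which pulls out the sender (the spice-gtk ACL helper), the destination (polkitd) and the blocked method call for triage. The function names `parse_dbus_denial` and `summarize` are assumptions made for this illustration; the sample text is copied from the error dialog in the report.

```python
import re

# Denial text copied from the error dialog in the report above.
SAMPLE = (
    'An SELinux policy prevents this sender from sending this message to '
    'this recipient, 0 matched rules; type="method_call", sender=":1.151" '
    '(uid=0 pid=6563 comm="/usr/libexec/spice-gtk-x86_64//spice-client-glib-u") '
    'interface="org.freedesktop.PolicyKit1.Authority" '
    'member="CheckAuthorization" error name="(unset)" requested_reply="0" '
    'destination=":1.9" (uid=999 pid=921 comm="/usr/lib/polkit-1/polkitd --no-debug ")'
)

# sender= and destination= are each followed by '(uid=N pid=N comm="...")'.
PEER = re.compile(
    r'(sender|destination)="([^"]*)" \(uid=(\d+) pid=(\d+) comm="([^"]*)"\)')
# Flat key="value" fields describing the blocked message itself.
FIELD = re.compile(
    r'(type|interface|member|error name|requested_reply)="([^"]*)"')


def parse_dbus_denial(text):
    """Return the fields of a D-Bus SELinux denial, or None if text is not one."""
    if "An SELinux policy prevents this sender" not in text:
        return None
    denial = {key.replace(" ", "_"): value for key, value in FIELD.findall(text)}
    for role, bus_name, uid, pid, comm in PEER.findall(text):
        denial[role] = {"bus_name": bus_name, "uid": int(uid),
                        "pid": int(pid), "comm": comm.strip()}
    if "sender" not in denial or "destination" not in denial:
        return None  # truncated or reworded message: do not guess the peers
    return denial


def summarize(denial):
    """One-line triage summary: who was blocked from calling what on whom."""
    src, dst = denial["sender"], denial["destination"]
    return (f'{src["comm"]} (uid={src["uid"]}, pid={src["pid"]}) was denied '
            f'{denial["type"]} {denial["interface"]}.{denial["member"]} '
            f'on {dst["comm"]} (uid={dst["uid"]}, pid={dst["pid"]})')


if __name__ == "__main__":
    print(summarize(parse_dbus_denial(SAMPLE)))
```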