Description of problem: Mozilla policy doesn't make much sense wrt spice. To quote the documentation: ''' If you want to allow mozilla plugin to support spice protocols, you must turn on the mozilla_plugin_use_spice boolean. Disabled by default. setsebool -P mozilla_plugin_use_spice 1 ''' The actual behaviour is that no matter what the boolean value is: * remote-viewer gets always launched * usb redirection fails with this pop-up but no AVC: ''' USB redirection error: Could not redirect Generic Mass Storage: Error setting USB device node ACL: 'Error PoliciKit error: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.102" (uid=0 pid=5258 comm="/usr/libexec/spice-gtk-x86_64//spice-client-glib-u") interface="org.freedesktop.PolicyKit1.Authority" member="CheckAuthorization" error name="(unset)" requested_reply="0" destination=":1.10" (uid=999 pid=821 comm="/usr/lib/polkit-1/polkitd --no-debug ")' ''' Once you switch selinux to permissive mode, usb redirection starts working and you'll get a proper AVC - again no matter what mozilla_plugin_use_spice says: > type=AVC msg=audit(1389109363.772:603): avc: denied { setattr } for pid=5289 comm="spice-client-gl" name="004" dev="devtmpfs" ino=37964 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file > type=SYSCALL msg=audit(1389109363.772:603): arch=x86_64 syscall=setxattr success=yes exit=0 a0=7f557a0d7080 a1=7f5578faee2f a2=7f557a128bc0 a3=2c items=0 ppid=4933 pid=5289 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 ses=1 tty=(none) comm=spice-client-gl exe=/usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null IMNSHO all of these doesn't make much sense. Once spice-xpi package is present, user _should_ be able to launch spice client (remote-viewer) from the browser and once user is able to launch the client, it should work fully. USB redirection should be controlled separately if desired. Version-Release number of selected component (if applicable): selinux-policy-3.12.1-106.fc20.noarch virt-viewer-0.5.7-2.fc20.x86_64 spice-gtk-0.22-1.fc20.x86_64 How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info:
22f1a722564b015faa7333653fbba22482701f51 fixes this in git. I agree this should be allowed. It is a bug.
selinux-policy-3.12.1-116.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-116.fc20
Package selinux-policy-3.12.1-116.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-116.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-0806/selinux-policy-3.12.1-116.fc20 then log in and leave karma (feedback).
selinux-policy-3.12.1-116.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
*** Bug 1104110 has been marked as a duplicate of this bug. ***