Bug 1075173 - set mozilla_plugin_use_spice selinux boolean to on upon spice-xpi installation
Summary: set mozilla_plugin_use_spice selinux boolean to on upon spice-xpi installation
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: spice-xpi
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Christophe Fergeau
QA Contact: Desktop QE
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-03-11 16:09 UTC by David Jaša
Modified: 2015-03-05 07:59 UTC (History)

Fixed In Version: spice-xpi-2.8-7.el7
Doc Type: Bug Fix
Doc Text:
Cause: When starting remote-viewer through spice-xpi, the selinux policy blocks execution of the suid helper used for USB redirection.
Consequence: An error would occur when trying to redirect a USB device in a remote-viewer session started through spice-xpi.
Fix: When the spice-xpi RPM is installed, the selinux policy is changed to allow USB redirection.
Result: It's possible to redirect USB devices.
Clone Of: 1049491
Environment:
Last Closed: 2015-03-05 07:59:16 UTC
Target Upstream Version:
Embargoed:


Attachments
Patch to set the needed selinux boolean on spice-xpi (un)install (1.74 KB, patch), 2014-03-18 17:15 UTC, Christophe Fergeau


Links
Red Hat Product Errata RHBA-2015:0355 (priority normal, status SHIPPED_LIVE): spice-xpi bug fix and enhancement update, last updated 2015-03-05 12:26:46 UTC

Description David Jaša 2014-03-11 16:09:17 UTC
This bug affects RHEL 7 as well:
> type=AVC msg=audit(1394550285.321:15759): avc:  denied  { setattr } for  pid=10106 comm="spice-client-gl" name="027" dev="devtmpfs" ino=5876831 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
> type=AVC msg=audit(1394550285.322:15760): avc:  denied  { write } for  pid=10077 comm="remote-viewer" name="027" dev="devtmpfs" ino=5876831 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
> type=USER_AVC msg=audit(1394550601.710:15765): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?

# getsebool mozilla_plugin_use_spice
mozilla_plugin_use_spice --> off

When the bool is flipped to on, USB redirection starts working.



+++ This bug was initially created as a clone of Bug #1049491 +++

Description of problem:
Mozilla policy doesn't make much sense wrt spice. To quote the documentation:
'''
 If  you  want  to  allow mozilla plugin to support spice protocols, you
 must turn on the mozilla_plugin_use_spice boolean. Disabled by default.

       setsebool -P mozilla_plugin_use_spice 1
'''
The actual behaviour is that no matter what the boolean value is:
  * remote-viewer gets always launched
  * usb redirection fails with this pop-up but no AVC:
'''
USB redirection error: Could not redirect Generic Mass Storage: Error setting USB device node ACL: 'Error PoliciKit error: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.102" (uid=0 pid=5258 comm="/usr/libexec/spice-gtk-x86_64//spice-client-glib-u") interface="org.freedesktop.PolicyKit1.Authority" member="CheckAuthorization" error name="(unset)" requested_reply="0" destination=":1.10" (uid=999 pid=821 comm="/usr/lib/polkit-1/polkitd --no-debug ")'
'''

Once you switch selinux to permissive mode, usb redirection starts working and you'll get a proper AVC - again no matter what mozilla_plugin_use_spice says:
> type=AVC msg=audit(1389109363.772:603): avc:  denied  { setattr } for  pid=5289 comm="spice-client-gl" name="004" dev="devtmpfs" ino=37964 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
> type=SYSCALL msg=audit(1389109363.772:603): arch=x86_64 syscall=setxattr success=yes exit=0 a0=7f557a0d7080 a1=7f5578faee2f a2=7f557a128bc0 a3=2c items=0 ppid=4933 pid=5289 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 ses=1 tty=(none) comm=spice-client-gl exe=/usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null


IMNSHO all of this doesn't make much sense. Once the spice-xpi package is present, the user _should_ be able to launch the spice client (remote-viewer) from the browser, and once the user is able to launch the client, it should work fully. USB redirection should be controlled separately if desired.


Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-106.fc20.noarch
virt-viewer-0.5.7-2.fc20.x86_64
spice-gtk-0.22-1.fc20.x86_64


--- Additional comment from Daniel Walsh on 2014-01-07 21:16:43 CET ---

22f1a722564b015faa7333653fbba22482701f51 fixes this in git.

I agree this should be allowed.  It is a bug.

--- Additional comment from Fedora Update System on 2014-01-13 23:58:22 CET ---

selinux-policy-3.12.1-116.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-116.fc20

--- Additional comment from Fedora Update System on 2014-01-15 06:59:56 CET ---

Package selinux-policy-3.12.1-116.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-116.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-0806/selinux-policy-3.12.1-116.fc20
then log in and leave karma (feedback).

--- Additional comment from Fedora Update System on 2014-01-16 08:13:08 CET ---

selinux-policy-3.12.1-116.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 1 Miroslav Grepl 2014-03-12 09:45:54 UTC
We want to keep mozilla_plugin_use_spice turned off by default. If needed, it should be turned on by the spice package.

Comment 2 David Jaša 2014-03-12 09:51:18 UTC
Moving to the correct component. The spice-xpi package needs to set this bool upon installation, otherwise USB redirection won't work for customers without further configuration.

Comment 3 Christophe Fergeau 2014-03-18 16:14:43 UTC
(In reply to David Jaša from comment #2)
> moving to correct component. spice-xpi package needs to set this bool upon
> installation, otherwise USB redirection won't work for customers without
> further configuration.

Do you know how/if this works in f20? The spice plugin selinux policy seems to be the same in both, and f20 spice-xpi is not doing anything special to the selinux policy on install.

Comment 4 Christophe Fergeau 2014-03-18 17:15:02 UTC
Created attachment 876045 [details]
Patch to set the needed selinux boolean on spice-xpi (un)install

Comment 5 Christophe Fergeau 2014-03-18 17:24:12 UTC
The Requires line is probably better as
-Requires:       policycoreutils
+Requires(post): /sbin/setsebool
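
As an added example that is not part of the bug report, the attached patch or the spice-xpi package: a POSIX shell script that recognises the AVC denials quoted in the description (the mozilla_plugin_t domain denied access to usb_device_t nodes) in an audit log, and models the on/off decision a package scriptlet like the one discussed in comments 4 and 5 has to make from the instance count rpm passes it. The sample log lines are constructed from the ones quoted above, and the function names are assumptions of this example.

```shell
# Added example (not from the bug, the attached patch or the spice-xpi
# package): detect the denials described here, i.e. mozilla_plugin_t being
# denied access to usb_device_t, which is what mozilla_plugin_use_spice allows.

# Constructed sample audit log, modelled on the AVC lines quoted in the bug,
# plus one unrelated denial that must not be reported.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1394550285.321:15759): avc:  denied  { setattr } for  pid=10106 comm="spice-client-gl" name="027" dev="devtmpfs" ino=5876831 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
type=AVC msg=audit(1394550285.322:15760): avc:  denied  { write } for  pid=10077 comm="remote-viewer" name="027" dev="devtmpfs" ino=5876831 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
type=AVC msg=audit(1394550300.100:15761): avc:  denied  { read } for  pid=10200 comm="httpd" name="index.html" dev="sda1" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# Read audit lines from stdin; print "<permission> <comm> <device node>" for
# every denial whose source type is mozilla_plugin_t and target usb_device_t.
spice_usb_denials() {
    awk '
        /^type=AVC/ && /avc: +denied/ &&
        /scontext=[^ ]*:mozilla_plugin_t:/ &&
        /tcontext=[^ ]*:usb_device_t:/ {
            perm = ""; comm = ""; name = ""
            if (match($0, /[{] [a-z_]+ [}]/))
                perm = substr($0, RSTART + 2, RLENGTH - 4)
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/) { comm = $i; sub(/^comm="?/, "", comm); sub(/"$/, "", comm) }
                if ($i ~ /^name=/) { name = $i; sub(/^name="?/, "", name); sub(/"$/, "", name) }
            }
            print perm, comm, name
        }'
}

# Number of such denials on stdin. A non-zero count while
# "getsebool mozilla_plugin_use_spice" still reports "off" is the state
# described in the bug.
spice_usb_denial_count() {
    spice_usb_denials | wc -l | tr -d ' '
}

# What a package scriptlet should do with the boolean, given the count rpm
# passes as $1 (instances left after the transaction): 0 means the package is
# being removed, so the boolean goes back off; 1 or more means install or
# upgrade, so it is switched on. Only the command is returned, nothing is run.
spice_boolean_action() {
    if [ "$1" -eq 0 ]; then
        echo "setsebool -P mozilla_plugin_use_spice off"
    else
        echo "setsebool -P mozilla_plugin_use_spice on"
    fi
}
```

To inspect a real system, pipe /var/log/audit/audit.log into spice_usb_denials instead of the constructed sample.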

Comment 6 Christophe Fergeau 2014-03-18 17:41:08 UTC
(In reply to Christophe Fergeau from comment #3)
> Do you know how/if this works in f20?

I just tested this on f20, and after reenabling plugin-container (which I had disabled myself), I hit this issue too; this will need to be fixed there too.

Comment 7 David Blechter 2014-03-18 22:43:58 UTC
Not a blocker for 7.0; this needs investigation, and 7.1 is the right place and time for it.
Note that spice-xpi is used for launching spice-client via rhevm. The new approach for launching spice-client is using vv files, which is already supported in rhevm.

Moving to 7.1 as was approved by Ronald Pacheco.

Comment 14 errata-xmlrpc 2015-03-05 07:59:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0355.html

