Description of problem:
I'm using oVirt 3.4.0 and want to redirect USB devices from the Fedora 20 client (up-to-date) to my virtualized Fedora 20 guest (up-to-date). For USB redirection the spice-xpi (called Browser plugin in oVirt) or virt-viewer (called native client in oVirt) can be used. If using spice-xpi, USB redirection is prevented by SELinux.

Version-Release number of selected component (if applicable):
spice-xpi-2.8.90-1.fc20.x86_64
firefox-29.0.1-1.fc20.x86_64

How reproducible:
Every time I want to redirect a USB device to my vm

Steps to Reproduce:
1. Create a virtual machine in oVirt
2. Set USB support to "Native"
3. Change console options to "Browser plugin"
4. Open console
5. Make sure SELinux is set to permissive or enforcing on Fedora 20 client
6. Plug in a USB device
7. Select File - USB device selection in Virtual Machine Viewer and select your USB device
8. Watch audit.log for denials

Actual results:
USB redirection is denied by SELinux policy

Expected results:
USB redirection should work

Additional info:
Here's the audit.log output:

type=AVC msg=audit(1401789541.684:180198): avc: denied { setattr } for pid=28798 comm="spice-client-gl" name="009" dev="devtmpfs" ino=60585556 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1401789541.684:180198): arch=c000003e syscall=188 success=yes exit=0 a0=7f9a8f076080 a1=7f9a8df4de2f a2=7f9a907b3990 a3=2c items=0 ppid=28754 pid=28798 auid=11002 uid=11002 gid=11000 euid=0 suid=0 fsuid=0 egid=11000 sgid=11000 fsgid=11000 tty=(none) ses=1 comm="spice-client-gl" exe="/usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper" subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1401789541.685:180199): avc: denied { write } for pid=28754 comm="remote-viewer" name="009" dev="devtmpfs" ino=60585556 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1401789541.685:180199): arch=c000003e syscall=2 success=yes exit=32 a0=7fff088dd160 a1=2 a2=7fff088dd174 a3=7fff088dcf10 items=0 ppid=28750 pid=28754 auid=11002 uid=11002 gid=11000 euid=11002 suid=11002 fsuid=11002 egid=11000 sgid=11000 fsgid=11000 tty=(none) ses=1 comm="remote-viewer" exe="/usr/bin/remote-viewer" subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1401789541.843:180200): avc: denied { setattr } for pid=28798 comm="spice-client-gl" name="009" dev="devtmpfs" ino=60585556 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1401789541.843:180200): arch=c000003e syscall=188 success=yes exit=0 a0=7f9a8f076080 a1=7f9a8df4de2f a2=7f9a90797890 a3=24 items=0 ppid=28754 pid=28798 auid=11002 uid=11002 gid=11000 euid=0 suid=0 fsuid=0 egid=11000 sgid=11000 fsgid=11000 tty=(none) ses=1 comm="spice-client-gl" exe="/usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper" subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)

As discussed on the oVirt users / Spice devel mailing list, the issue was fixed in:
https://bugzilla.redhat.com/show_bug.cgi?id=1049491

If Fedora was installed with a selinux-policy package < 3.12.1-116, the mozilla_plugin_use_spice boolean has to be enabled manually:

# setsebool -P mozilla_plugin_use_spice on

With this solution the bug can be closed from my side.

*** This bug has been marked as a duplicate of bug 1049491 ***
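
An added example, not part of the original report or of any project named in it: a Python script that pairs AVC and SYSCALL records like those in the audit.log excerpt by their audit serial number and groups the denials by source type, target type and object class. The function name summarize and the trimmed sample records are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Sample input constructed by trimming the report's records to the fields used here.
SAMPLE = """\
type=AVC msg=audit(1401789541.684:180198): avc: denied { setattr } for pid=28798 comm="spice-client-gl" scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1401789541.684:180198): syscall=188 success=yes exit=0 euid=0 exe="/usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper"
type=AVC msg=audit(1401789541.685:180199): avc: denied { write } for pid=28754 comm="remote-viewer" scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1401789541.685:180199): syscall=2 success=yes exit=32 euid=11002 exe="/usr/bin/remote-viewer"
"""

HEADER = re.compile(r"type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):")
DENIED = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def summarize(log):
    """Pair AVC and SYSCALL records by audit serial and group denials per rule."""
    avcs, syscalls = [], {}
    for line in log.splitlines():
        head = HEADER.match(line)
        if not head:
            continue
        rtype, serial = head.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[head.end():])}
        denied = DENIED.search(line)
        if rtype == "AVC" and denied:
            avcs.append((serial, denied.group(1).split(), fields))
        elif rtype == "SYSCALL":
            syscalls[serial] = fields
    rules = defaultdict(lambda: {"perms": set(), "exes": set(), "blocked": False})
    for serial, perms, f in avcs:
        sc = syscalls.get(serial, {})
        # The SELinux type is the third colon-separated field of a context.
        key = (f["scontext"].split(":")[2], f["tcontext"].split(":")[2], f["tclass"])
        rules[key]["perms"].update(perms)
        # Fall back to comm when no SYSCALL record shares the serial.
        rules[key]["exes"].add(sc.get("exe", f.get("comm", "?")))
        # success=yes next to a denial: logged but not blocked (permissive).
        rules[key]["blocked"] |= sc.get("success") == "no"
    return dict(rules)


if __name__ == "__main__":
    for (src, tgt, cls), r in summarize(SAMPLE).items():
        state = "blocked" if r["blocked"] else "logged only"
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(r['perms']))} }} [{state}]")
        for exe in sorted(r["exes"]):
            print(f"  via {exe}")
```

Every SYSCALL record in the sample carries success=yes, so both denials are reported as logged only rather than blocked.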