Bug 1111451 - virt_use_usb doesn't work.
Summary: virt_use_usb doesn't work.
Keywords:
Status: CLOSED CANTFIX
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.6
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On: 1111450
Blocks:
Reported: 2014-06-20 05:05 UTC by zhenfeng wang
Modified: 2015-02-25 12:44 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 1111450
Environment:
Last Closed: 2015-02-25 12:44:57 UTC
Target Upstream Version:
Embargoed:



Description zhenfeng wang 2014-06-20 05:05:20 UTC
+++ This bug was initially created as a clone of Bug #1111450 +++

Description of problem:
Guest crashes when hotplugging a USB device while virt_use_usb is disabled

Version-Release number of selected component (if applicable):
qemu-kvm-rhev-1.5.3-60.el7ev_0.2.x86_64
kernel-3.10.0-123.el7.x86_64
libvirt-1.1.1-29.el7.x86_64
selinux-policy-3.12.1-153.el7.3.noarch
libselinux-2.2.2-6.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1.Disable virt_use_usb
# getenforce
Enforcing
#setsebool virt_use_usb 0
# getsebool virt_use_usb
virt_use_usb --> off

2.Start a normal guest
#virsh start rhel7

3.Plug a usb to your local host
# lsusb
Bus 002 Device 003: ID 0951:1666 Kingston Technology

4.Prepare a xml for the usb
# cat usb.xml
<hostdev mode='subsystem' type='usb' managed='yes'>
  <source>
    <address bus='2' device='3'/>
  </source>
</hostdev>

5.Hotplug the USB device to the guest; the guest crashes
# virsh attach-device rhel7 usb.xml
error: Failed to attach device from usb.xml
error: Unable to read from monitor: Connection reset by peer
# virsh list
 Id    Name                           State
----------------------------------------------------

# ps aux|grep qemu

6.Check the qemu log and avc info
#cat /var/log/libvirt/qemu/rhel7.log
--
libusbx: error [initialize_device] open failed, ret=-1 errno=1
libusbx: error [initialize_device] open failed, ret=-1 errno=1
libusbx: error [initialize_device] open failed, ret=-1 errno=1
libusbx: error [initialize_device] open failed, ret=-1 errno=1
2014-06-19 08:42:22.370+0000: shutting down

# ausearch -m avc -ts recent
----
time->Thu Jun 19 16:42:16 2014
type=SYSCALL msg=audit(1403167336.965:196): arch=c000003e syscall=4 success=no exit=-13 a0=7fff00d78480 a1=7fff00d783f0 a2=7fff00d783f0 a3=6 items=0 ppid=1 pid=2589 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c0,c99 key=(null)
type=AVC msg=audit(1403167336.965:196): avc:  denied  { getattr } for  pid=2589 comm="qemu-kvm" path="/sys/devices/pci0000:00/0000:00:1a.0/usb1/devnum" dev="sysfs" ino=9519 scontext=system_u:system_r:svirt_t:s0:c0,c99 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
----
time->Thu Jun 19 16:42:16 2014
type=SYSCALL msg=audit(1403167336.965:197): arch=c000003e syscall=4 success=no exit=-13 a0=7fff00d78480 a1=7fff00d783f0 a2=7fff00d783f0 a3=b items=0 ppid=1 pid=2589 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c0,c99 key=(null)
type=AVC msg=audit(1403167336.965:197): avc:  denied  { getattr } for  pid=2589 comm="qemu-kvm" path="/sys/devices/pci0000:00/0000:00:1a.0/usb1/descriptors" dev="sysfs" ino=9549 scontext=system_u:system_r:svirt_t:s0:c0,c99 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
----
time->Thu Jun 19 16:42:16 2014
type=SYSCALL msg=audit(1403167336.965:198): arch=c000003e syscall=4 success=no exit=-13 a0=7fff00d78480 a1=7fff00d783f0 a2=7fff00d783f0 a3=13 items=0 ppid=1 pid=2589 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c0,c99 key=(null)
type=AVC msg=audit(1403167336.965:198): avc:  denied  { getattr } for  pid=2589 comm="qemu-kvm" path="/sys/devices/pci0000:00/0000:00:1a.0/usb1/bConfigurationValue" dev="sysfs" ino=9505 scontext=system_u:system_r:svirt_t:s0:c0,c99 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
----
time->Thu Jun 19 16:42:16 2014
type=SYSCALL msg=audit(1403167336.965:199): arch=c000003e syscall=4 success=no exit=-13 a0=7fff00d78480 a1=7fff00d783f0 a2=7fff00d783f0 a3=6 items=0 ppid=1 pid=2589 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c0,c99 key=(null)
type=AVC msg=audit(1403167336.965:199): avc:  denied  { getattr } for  pid=2589 comm="qemu-kvm" path="/sys/devices/pci0000:00/0000:00:1d.0/usb2/busnum" dev="sysfs" ino=9679 scontext=system_u:system_r:svirt_t:s0:c0,c99 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
----
time->Thu Jun 19 16:42:16 2014
type=SYSCALL msg=audit(1403167336.965:200): arch=c000003e syscall=4 success=no exit=-13 a0=7fff00d78480 a1=7fff00d783f0 a2=7fff00d783f0 a3=6 items=0 ppid=1 pid=2589 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c0,c99 key=(null)
type=AVC msg=audit(1403167336.965:200): avc:  denied  { getattr } for  pid=2589 comm="qemu-kvm" path="/sys/devices/pci0000:00/0000:00:1d.0/usb2/devnum" dev="sysfs" ino=9680 scontext=system_u:system_r:svirt_t:s0:c0,c99 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
----
time->Thu Jun 19 16:42:16 2014
type=SYSCALL msg=audit(1403167336.965:201): arch=c000003e syscall=4 success=no exit=-13 a0=7fff00d78480 a1=7fff00d783f0 a2=7fff00d783f0 a3=b items=0 ppid=1 pid=2589 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c0,c99 key=(null)
type=AVC msg=audit(1403167336.965:201): avc:  denied  { getattr } for  pid=2589 comm="qemu-kvm" path="/sys/devices/pci0000:00/0000:00:1d.0/usb2/descriptors" dev="sysfs" ino=9710 scontext=system_u:system_r:svirt_t:s0:c0,c99 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
----
time->Thu Jun 19 16:42:16 2014
type=SYSCALL msg=audit(1403167336.965:202): arch=c000003e syscall=4 success=no exit=-13 a0=7fff00d78480 a1=7fff00d783f0 a2=7fff00d783f0 a3=13 items=0 ppid=1 pid=2589 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c0,c99 key=(null)
type=AVC msg=audit(1403167336.965:202): avc:  denied  { getattr } for  pid=2589 comm="qemu-kvm" path="/sys/devices/pci0000:00/0000:00:1d.0/usb2/bConfigurationValue" dev="sysfs" ino=9666 scontext=system_u:system_r:svirt_t:s0:c0,c99 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
----
time->Thu Jun 19 16:42:16 2014
type=SYSCALL msg=audit(1403167336.965:195): arch=c000003e syscall=4 success=no exit=-13 a0=7fff00d78480 a1=7fff00d783f0 a2=7fff00d783f0 a3=6 items=0 ppid=1 pid=2589 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c0,c99 key=(null)
type=AVC msg=audit(1403167336.965:195): avc:  denied  { getattr } for  pid=2589 comm="qemu-kvm" path="/sys/devices/pci0000:00/0000:00:1a.0/usb1/busnum" dev="sysfs" ino=9518 scontext=system_u:system_r:svirt_t:s0:c0,c99 tcontext=system_u:object_r:sysfs_t:s0 tclass=file

7.Pass through the USB device to the guest, then start the guest; the guest starts successfully, however it is destroyed automatically later
with the same error as the USB hotplug
# virsh dumpxml rhel7
--
    <hostdev mode='subsystem' type='usb' managed='yes'>
      <source>
        <address bus='2' device='3'/>
      </source>
# virsh start rhel7
Domain rhel7 started

[root@rhel7f ~]# virsh list  
 Id    Name                           State
----------------------------------------------------
 4     rhel7                          running

# virsh list  
 Id    Name                           State
----------------------------------------------------

#

8.Retry the above test scenario on RHEL 6.6; got a different result, where the USB device can be hotplugged or passed through to the guest successfully even
if I disable virt_use_usb. This should be an issue too.


Actual results:
As steps

Expected results:
1.The guest shouldn't crash when hotplugging a USB device to the running guest while virt_use_usb is disabled
2.The guest should fail to start when passing through a USB device to the shut-off guest while virt_use_usb is disabled
3.Hotplugging a USB device to the running guest should fail while virt_use_usb is disabled
Additional info:

Comment 1 zhenfeng wang 2014-06-20 05:09:27 UTC
As described in step 8 of comment 0, we got a different result from RHEL 7; please pay attention to it.

Comment 3 Jiri Denemark 2014-06-20 07:13:10 UTC
QEMU should not exit after a failed hotplug of a USB device. Only the hotplug operation should fail. Reassigning to qemu-kvm.

Comment 4 Gerd Hoffmann 2014-07-02 07:49:41 UTC
> 8.Re-try the upper test scenario in the rhel6.6, got a different result
> which the the usb device can hotplug or passthough to the guest successfully
> even
> if i disable the virt_use_usb, this should be issue too.

So there is no crash on RHEL-6?

This is confusing.  Can you *please* not clone the bug when the issue on rhel6 is something completely different?

USB passthrough working even with virt_use_usb=off sounds like a selinux-policy issue, reassigning.

Comment 5 Miroslav Grepl 2014-07-02 11:33:12 UTC
What does

# getsebool -a |grep virt_use

Comment 6 zhenfeng wang 2014-07-03 01:58:29 UTC
The guest didn't crash on RHEL-6, and the current issue is that the USB device can be passed through or hotplugged/unplugged successfully even with virt_use_usb=off; the expected result should be failure.

# getsebool -a |grep virt_use
virt_use_comm --> off
virt_use_execmem --> off
virt_use_fusefs --> off
virt_use_nfs --> off
virt_use_samba --> off
virt_use_sanlock --> off
virt_use_sysfs --> on
virt_use_usb --> on
virt_use_xserver --> off

Comment 7 Miroslav Grepl 2014-07-03 09:21:07 UTC
Ok, this is probably because of

virt_use_sysfs --> on

Try turning this boolean off.

Comment 8 zhenfeng wang 2014-07-04 03:25:00 UTC
Got the same result as in comment 6 even after turning the virt_use_sysfs boolean off
# getsebool -a |grep virt_use
virt_use_comm --> off
virt_use_execmem --> off
virt_use_fusefs --> off
virt_use_nfs --> off
virt_use_samba --> off
virt_use_sanlock --> off
virt_use_sysfs --> off
virt_use_usb --> off
virt_use_xserver --> off

Comment 9 Miroslav Grepl 2014-07-07 06:18:33 UTC
Ok and what does

# sesearch -A -s svirt_t -t sysfs_t  -C

Comment 10 zhenfeng wang 2014-07-07 10:00:09 UTC
# sesearch -A -s svirt_t -t sysfs_t  -C
Found 12 semantic av rules:
   allow svirt_t sysfs_t : dir { ioctl read getattr lock search open } ; 
   allow svirt_t sysfs_t : lnk_file { read getattr } ; 
   allow domain sysfs_t : file { ioctl read getattr lock open } ; 
   allow domain sysfs_t : dir { ioctl read getattr lock search open } ; 
   allow domain sysfs_t : lnk_file { read getattr } ; 
   allow virt_domain file_type : dir { getattr search open } ; 
ET allow svirt_t sysfs_t : file { ioctl read write getattr lock append open } ; [ virt_use_sysfs ]
ET allow svirt_t sysfs_t : file { ioctl read getattr lock open } ; [ virt_use_usb ]
ET allow svirt_t sysfs_t : dir { ioctl read getattr lock search open } ; [ virt_use_sysfs ]
ET allow svirt_t sysfs_t : dir { ioctl read getattr lock search open } ; [ virt_use_usb ]
ET allow svirt_t sysfs_t : lnk_file { read getattr } ; [ virt_use_sysfs ]
ET allow svirt_t sysfs_t : lnk_file { read getattr } ; [ virt_use_usb ]

Comment 11 Miroslav Grepl 2014-07-09 08:29:10 UTC
Ok I see it. Basically we need to add

# glibc wants to access /sys/devices/system/cpu
dev_read_sysfs(domain)

and now we have a regression. But it is hard to fix. We can remove it to see what happens.

Milos,
what do you think?
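
As an added example (not from this bug or the selinux-policy project), the following Python script parses the sesearch output posted in comment 10 and computes, for each boolean and object class, which permissions the boolean's rules grant that are not already granted unconditionally, which is exactly why toggling virt_use_usb has no visible effect here. The attribute membership of svirt_t (domain, virt_domain) and sysfs_t (file_type) is an assumption made in the script, since sesearch does not print it.

```python
import re
from collections import defaultdict
# sesearch -A -s svirt_t -t sysfs_t -C output as posted in comment 10 (embedded here)
SESEARCH_OUTPUT = """\
   allow svirt_t sysfs_t : dir { ioctl read getattr lock search open } ;
   allow svirt_t sysfs_t : lnk_file { read getattr } ;
   allow domain sysfs_t : file { ioctl read getattr lock open } ;
   allow domain sysfs_t : dir { ioctl read getattr lock search open } ;
   allow domain sysfs_t : lnk_file { read getattr } ;
   allow virt_domain file_type : dir { getattr search open } ;
ET allow svirt_t sysfs_t : file { ioctl read write getattr lock append open } ; [ virt_use_sysfs ]
ET allow svirt_t sysfs_t : file { ioctl read getattr lock open } ; [ virt_use_usb ]
ET allow svirt_t sysfs_t : dir { ioctl read getattr lock search open } ; [ virt_use_sysfs ]
ET allow svirt_t sysfs_t : dir { ioctl read getattr lock search open } ; [ virt_use_usb ]
ET allow svirt_t sysfs_t : lnk_file { read getattr } ; [ virt_use_sysfs ]
ET allow svirt_t sysfs_t : lnk_file { read getattr } ; [ virt_use_usb ]
"""
# Assumed attribute membership (sesearch does not print it): svirt_t carries
# the domain and virt_domain attributes, sysfs_t carries file_type.
ATTRS = {"svirt_t": {"svirt_t", "domain", "virt_domain"},
         "sysfs_t": {"sysfs_t", "file_type"}}

# optional branch tag (ET/DT/EF/DF), source, target, class, perms, optional boolean
RULE = re.compile(r"^\s*(?:([ED][TF])\s+)?allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s*"
                  r"\{([^}]*)\}\s*;\s*(?:\[\s*(\S+)\s*\])?")

def parse_rules(text):
    """Yield (branch, source, target, tclass, perms, boolean) for each allow rule."""
    for line in text.splitlines():
        m = RULE.match(line)
        if m:
            branch, src, tgt, cls, perms, boolean = m.groups()
            yield branch, src, tgt, cls, frozenset(perms.split()), boolean

def effective_boolean_perms(text, source, target):
    """Per (boolean, class): perms only the boolean's true branch grants, i.e. what turning it off removes."""
    always = defaultdict(set)   # tclass -> perms granted unconditionally
    gated = defaultdict(set)    # (boolean, tclass) -> perms granted when boolean is on
    for branch, src, tgt, cls, perms, boolean in parse_rules(text):
        if src not in ATTRS[source] or tgt not in ATTRS[target]:
            continue  # rule does not apply to this source/target pair
        if boolean is None:
            always[cls] |= perms
        elif branch in ("ET", "DT"):  # rule lives in the boolean's "true" branch
            gated[(boolean, cls)] |= perms
    return {k: sorted(v - always[k[1]]) for k, v in gated.items()}

if __name__ == "__main__":
    for (b, cls), perms in sorted(effective_boolean_perms(SESEARCH_OUTPUT, "svirt_t", "sysfs_t").items()):
        print(f"{b:15} {cls:9} really controls: {perms or 'nothing (subsumed by unconditional rules)'}")
```

For this policy the script reports that virt_use_usb controls nothing on sysfs_t, while virt_use_sysfs still controls write and append on files, matching comment 14.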

Comment 14 Miroslav Grepl 2015-02-25 12:44:57 UTC
Unfortunately we won't be able to fix it until we have 

dev_read_sysfs(domain)

But only "read" is allowed and "write" is allowed by the boolean.

