Bug 1276873 - SELinux is preventing qemu-system-x86 from 'read' accesses on the file c189:15.
SELinux is preventing qemu-system-x86 from 'read' accesses on the file c189:15.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
23
x86_64 Unspecified
high Severity medium
: ---
: ---
Assigned To: Lukas Vrabec
Fedora Extras Quality Assurance
abrt_hash:ffcdb9988f16f8a88ff74a11029...
:
: 1330809 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-10-31 15:22 EDT by Francesco Frassinelli (frafra)
Modified: 2016-09-29 18:52 EDT (History)
17 users (show)

See Also:
Fixed In Version: selinux-policy-3.13.1-158.24.fc23
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-09-29 18:52:57 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Francesco Frassinelli (frafra) 2015-10-31 15:22:39 EDT
Description of problem:
Redirecting USB device using virt-manager.
SELinux is preventing qemu-system-x86 from 'read' accesses on the file c189:15.

*****  Plugin catchall (100. confidence) suggests   **************************

If si crede che qemu-system-x86 dovrebbe avere possibilità di accesso read sui c189:15 file in modo predefinito.
Then si dovrebbe riportare il problema come bug.
E' possibile generare un modulo di politica locale per consentire questo accesso.
Do
consentire questo accesso per il momento eseguendo:
# grep qemu-system-x86 /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:svirt_t:s0:c414,c1020
Target Context                system_u:object_r:udev_var_run_t:s0
Target Objects                c189:15 [ file ]
Source                        qemu-system-x86
Source Path                   qemu-system-x86
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-152.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 4.2.3-300.fc23.x86_64 #1 SMP Mon
                              Oct 5 15:42:54 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-10-31 20:21:13 CET
Last Seen                     2015-10-31 20:21:13 CET
Local ID                      1df3c6fc-8558-4581-96ab-0fbd4b92d0d6

Raw Audit Messages
type=AVC msg=audit(1446319273.657:886): avc:  denied  { read } for  pid=30447 comm="qemu-system-x86" name="c189:15" dev="tmpfs" ino=388874 scontext=system_u:system_r:svirt_t:s0:c414,c1020 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1


Hash: qemu-system-x86,svirt_t,udev_var_run_t,file,read

Version-Release number of selected component:
selinux-policy-3.13.1-152.fc23.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.2.3-300.fc23.x86_64
type:           libreport
Comment 1 davestux 2015-12-21 16:58:30 EST
Description of problem:
After upgrading from Fedora 22 to 23, USB smartcard redirection is no longer working. It still possible to redirect the device manually from the virtual machine manager, but redirection saved in the machine configuration doesn't work.


Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.7-300.fc23.x86_64
type:           libreport
Comment 2 Giulio 'juliuxpigface' 2016-01-17 07:55:34 EST
Description of problem:
I encounter this issue when redirecting (and performing the boot) with an usb-key, redirected from the host to the qemu-kvm guest.

Version-Release number of selected component:
selinux-policy-3.13.1-158.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.3.3-300.fc23.x86_64
type:           libreport
Comment 3 sheepdestroyer 2016-01-27 04:04:50 EST
Description of problem:
tried to boot a vm from a usb stick on the host

Version-Release number of selected component:
selinux-policy-3.13.1-158.2.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.3.3-303.fc23.x86_64
type:           libreport
Comment 4 Mike Goodwin 2016-02-13 13:50:56 EST
Description of problem:
Added host USB device in Virt-Manager 

Version-Release number of selected component:
selinux-policy-3.13.1-158.4.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.3.5-300.fc23.x86_64
type:           libreport
Comment 5 Rubén Lledó 2016-03-01 18:48:31 EST
Description of problem:
First, I've got a Logitech C310 webcam, which works on a Linux host flawlessly. Next, I "plug" it into my Windows 10 virtual machine by adding a new USB host device, vía virt-manager GUI. When I start the virtual machine, with the command "sudo virsh start win10", this error pops up. Windows 10 doesn't detect my webcam, even with the official drivers installed.


Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.4.2-301.fc23.x86_64
type:           libreport
Comment 6 Paulo Fidalgo 2016-03-09 11:00:09 EST
Description of problem:
I added an hos usb device but selinux is denying access.

Version-Release number of selected component:
selinux-policy-3.13.1-158.9.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.4.3-300.fc23.x86_64
type:           libreport
Comment 7 Edouard Duliège 2016-03-23 10:06:44 EDT
Description of problem:
start a virtual machine (Win 7)
get this message. from SELinux

I guess accessing USB ports should be an issue

Version-Release number of selected component:
selinux-policy-3.13.1-158.9.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.4.5-300.fc23.x86_64
type:           libreport
Comment 8 lucacolferai 2016-04-22 05:53:59 EDT
Description of problem:
everytime the virtual machine is started,
even the policy has been executed many times...

Version-Release number of selected component:
selinux-policy-3.13.1-158.14.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.4.6-301.fc23.x86_64
type:           libreport
Comment 9 Lukas Vrabec 2016-04-27 08:03:22 EDT
*** Bug 1330809 has been marked as a duplicate of this bug. ***
Comment 10 Kapoios Kanenas 2016-05-08 04:21:37 EDT
Description of problem:
try to add a usb device with virt-manager 

Version-Release number of selected component:
selinux-policy-3.13.1-158.14.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.4.8-300.fc23.x86_64
type:           libreport
Comment 11 Joachim Frieben 2016-08-24 08:18:55 EDT
Description of problem:
I started a Fedora 24 virtual guest with activated VirGL 3D support after updating to selinux-policy-3.13.1-191.13.fc24 and fully relabelling the file system.

Version-Release number of selected component:
selinux-policy-3.13.1-191.13.fc24.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.6.7-300.fc24.x86_64
type:           libreport
Comment 12 Vasco Rodrigues 2016-09-03 09:50:29 EDT
Description of problem:
Assigning USB device to a VM

Version-Release number of selected component:
selinux-policy-3.13.1-191.14.fc24.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.6.6-300.fc24.x86_64
type:           libreport
Comment 13 Rubén Lledó 2016-09-04 06:02:09 EDT
(In reply to Rubén Lledó from comment #5)
> Description of problem:
> First, I've got a Logitech C310 webcam, which works on a Linux host
> flawlessly. Next, I "plug" it into my Windows 10 virtual machine by adding a
> new USB host device, vía virt-manager GUI. When I start the virtual machine,
> with the command "sudo virsh start win10", this error pops up. Windows 10
> doesn't detect my webcam, even with the official drivers installed.
> 
> 
> Additional info:
> reporter:       libreport-2.6.4
> hashmarkername: setroubleshoot
> kernel:         4.4.2-301.fc23.x86_64
> type:           libreport

As long as I'm concerned, It's was solved after upgrading to Fedora 25
Comment 14 Rubén Lledó 2016-09-04 06:03:07 EDT
(In reply to Rubén Lledó from comment #13)
> (In reply to Rubén Lledó from comment #5)
> > Description of problem:
> > First, I've got a Logitech C310 webcam, which works on a Linux host
> > flawlessly. Next, I "plug" it into my Windows 10 virtual machine by adding a
> > new USB host device, vía virt-manager GUI. When I start the virtual machine,
> > with the command "sudo virsh start win10", this error pops up. Windows 10
> > doesn't detect my webcam, even with the official drivers installed.
> > 
> > 
> > Additional info:
> > reporter:       libreport-2.6.4
> > hashmarkername: setroubleshoot
> > kernel:         4.4.2-301.fc23.x86_64
> > type:           libreport
> 
> As long as I'm concerned, It's was solved after upgrading to Fedora 25

Fedora 24
Comment 15 javiertury 2016-09-12 02:53:58 EDT
(In reply to Rubén Lledó from comment #14)
> (In reply to Rubén Lledó from comment #13)
> > (In reply to Rubén Lledó from comment #5)
> > > Description of problem:
> > > First, I've got a Logitech C310 webcam, which works on a Linux host
> > > flawlessly. Next, I "plug" it into my Windows 10 virtual machine by adding a
> > > new USB host device, vía virt-manager GUI. When I start the virtual machine,
> > > with the command "sudo virsh start win10", this error pops up. Windows 10
> > > doesn't detect my webcam, even with the official drivers installed.
> > > 
> > > 
> > > Additional info:
> > > reporter:       libreport-2.6.4
> > > hashmarkername: setroubleshoot
> > > kernel:         4.4.2-301.fc23.x86_64
> > > type:           libreport
> > 
> > As long as I'm concerned, It's was solved after upgrading to Fedora 25
> 
> Fedora 24

Using Fedora 24 and the bug is still around. It's more similar to the following bug which was closed as a duplicate of this bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1330809

SELinux is preventing qemu-system-x86 from read access on the file +usb:2-1:1.0.

Additional Information:
Source Context                system_u:system_r:svirt_t:s0:c334,c860
Target Context                system_u:object_r:udev_var_run_t:s0
Target Objects                +usb:2-1:1.0 [ file ]
Source                        qemu-system-x86
Source Path                   qemu-system-x86
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-191.14.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 4.7.2-201.fc24.x86_64
                              #1 SMP Fri Aug 26 15:58:40 UTC 2016 x86_64 x86_64
Alert Count                   14
First Seen                    2016-09-11 08:45:29 CEST
Last Seen                     2016-09-11 08:45:29 CEST
Local ID                      d5b309c6-7dec-45e4-8acf-25d90d1b1de8

Raw Audit Messages
type=AVC msg=audit(1473576329.938:1227): avc:  denied  { read } for  pid=19292 comm="qemu-system-x86" name="+usb:2-1:1.0" dev="tmpfs" ino=17706 scontext=system_u:system_r:svirt_t:s0:c334,c860 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
Comment 16 Fedora Update System 2016-09-16 04:37:56 EDT
selinux-policy-3.13.1-158.24.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-f739cc7524
Comment 17 Fedora Update System 2016-09-16 20:53:26 EDT
selinux-policy-3.13.1-158.24.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-f739cc7524
Comment 18 Fedora Update System 2016-09-29 18:52:57 EDT
selinux-policy-3.13.1-158.24.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.