Bug 1326895 - SELinux prevents virt-manager from passing through USB device on host to the guest
Keywords:
Status: CLOSED DUPLICATE of bug 1323501
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 23
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-04-13 17:07 UTC by Chris Murphy
Modified: 2016-04-14 12:49 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-04-14 12:49:55 UTC
Type: Bug
Embargoed:


Attachments
journal from USB insertion until VM shutdown (65.64 KB, text/plain)
2016-04-13 17:07 UTC, Chris Murphy

Description Chris Murphy 2016-04-13 17:07:33 UTC
Created attachment 1146917 [details]
journal from USB insertion until VM shutdown

Description of problem:

When a USB stick is added to a VM in virt-manager, and the VM is launched, I get a bunch of selinux denials, and the USB stick isn't visible in the VM.


Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-158.12.fc23.noarch

How reproducible:
Always


Steps to Reproduce:
1. Insert wiped USB stick
2. Launch virt-manager and authenticate
3. virt-manager click on VM > Open > Details
4. Add hardware
5. select USB Host Device, then choose the USB stick, this is the only USB device selected for use in the VM
6. start VM

Actual results:

USB stick doesn't appear in VM. Journal contains multiple AVC denials, over 30 setroubleshoot messages, looks like one for each USB hub and device.


Additional info:

[root@f23m ~]# lsusb
Bus 002 Device 003: ID 05ac:8242 Apple, Inc. Built-in IR Receiver
Bus 002 Device 002: ID 0424:2513 Standard Microsystems Corp. 2.0 Hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 001 Device 003: ID 05ac:8509 Apple, Inc. FaceTime HD Camera
Bus 001 Device 015: ID 0951:1654 Kingston Technology 
Bus 001 Device 005: ID 05ac:0252 Apple, Inc. Internal Keyboard/Trackpad (ANSI)
Bus 001 Device 008: ID 05ac:821a Apple, Inc. Bluetooth Host Controller
Bus 001 Device 004: ID 0a5c:4500 Broadcom Corp. BCM2046B1 USB 2.0 Hub (part of BCM2046 Bluetooth)
Bus 001 Device 002: ID 0424:2513 Standard Microsystems Corp. 2.0 Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub


[root@f23m ~]# sealert -l bc02bbe3-fa04-4449-bcb1-09b91a9a951d
SELinux is preventing qemu-system-x86 from read access on the file +usb:2-1:1.0.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that qemu-system-x86 should be allowed read access on the +usb:2-1:1.0 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c qemu-system-x86 --raw | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:svirt_t:s0:c189,c982
Target Context                system_u:object_r:udev_var_run_t:s0
Target Objects                +usb:2-1:1.0 [ file ]
Source                        qemu-system-x86
Source Path                   qemu-system-x86
Port                          <Unknown>
Host                          f23m.localdomain
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-158.12.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     f23m.localdomain
Platform                      Linux f23m.localdomain 4.5.0-300.fc24.x86_64 #1
                              SMP Mon Mar 14 17:03:27 UTC 2016 x86_64 x86_64
Alert Count                   31
First Seen                    2016-04-13 10:58:07 MDT
Last Seen                     2016-04-13 10:58:07 MDT
Local ID                      bc02bbe3-fa04-4449-bcb1-09b91a9a951d

Raw Audit Messages
type=AVC msg=audit(1460566687.834:3977): avc:  denied  { read } for  pid=26451 comm="qemu-system-x86" name="+usb:2-1:1.0" dev="tmpfs" ino=13266 scontext=system_u:system_r:svirt_t:s0:c189,c982 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0


Hash: qemu-system-x86,svirt_t,udev_var_run_t,file,read

Comment 1 Chris Murphy 2016-04-13 17:16:51 UTC
So I did this:

# ausearch -c qemu-system-x86 --raw | audit2allow -M virtusb
# semodule -i virtusb.pp

journal reports this:
[197210.666512] f23m.localdomain kernel: SELinux: 32768 avtab hash slots, 103680 rules.
[197210.694428] f23m.localdomain kernel: SELinux: 32768 avtab hash slots, 103680 rules.
[197210.730485] f23m.localdomain kernel: SELinux:  8 users, 14 roles, 4930 types, 305 bools, 1 sens, 1024 cats
[197210.730491] f23m.localdomain kernel: SELinux:  92 classes, 103680 rules
[197210.734188] f23m.localdomain kernel: SELinux:  Permission validate_trans in class security not defined in policy.
[197210.734295] f23m.localdomain kernel: SELinux: the above unknown classes and permissions will be allowed
[197187.840702] f23m.localdomain dbus[1349]: avc:  received policyload notice (seqno=2)
[197187.841164] f23m.localdomain dbus[1214]: avc:  received policyload notice (seqno=2)
[197187.841805] f23m.localdomain dbus[21308]: avc:  received policyload notice (seqno=2)
[197187.842169] f23m.localdomain audit: MAC_POLICY_LOAD policy loaded auid=1000 ses=10
[197187.842680] f23m.localdomain dbus[21776]: avc:  received policyload notice (seqno=2)
[197187.846865] f23m.localdomain dbus[21867]: avc:  received policyload notice (seqno=2)
[197187.847120] f23m.localdomain dbus[21396]: avc:  received policyload notice (seqno=2)
[197187.847560] f23m.localdomain dbus[826]: Can't send to audit system: USER_AVC avc:  received policyload notice (seqno=2)
                                            exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?
[197187.847863] f23m.localdomain org.a11y.Bus[1214]: Reloaded configuration
[197187.848061] f23m.localdomain org.a11y.Bus[21308]: Reloaded configuration
[197187.848248] f23m.localdomain org.a11y.Bus[21776]: Reloaded configuration
[197187.848723] f23m.localdomain /usr/libexec/gdm-x-session[21716]: Reloaded configuration
[197187.848924] f23m.localdomain /usr/libexec/gdm-wayland-session[1184]: Reloaded configuration
[197187.849281] f23m.localdomain /usr/libexec/gdm-wayland-session[21302]: Reloaded configuration
[197187.857243] f23m.localdomain dbus[826]: [system] Reloaded configuration


And yet I still get AVC denials when I launch the VM, and the USB device is still not visible in the guest VM.


# sealert -l cceda960-03b3-4a1e-8b7f-a484475e0357
SELinux is preventing qemu-system-x86 from open access on the file /run/udev/data/+usb:2-1:1.0.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that qemu-system-x86 should be allowed open access on the +usb:2-1:1.0 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c qemu-system-x86 --raw | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:svirt_t:s0:c570,c773
Target Context                system_u:object_r:udev_var_run_t:s0
Target Objects                /run/udev/data/+usb:2-1:1.0 [ file ]
Source                        qemu-system-x86
Source Path                   qemu-system-x86
Port                          <Unknown>
Host                          f23m.localdomain
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-158.12.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     f23m.localdomain
Platform                      Linux f23m.localdomain 4.5.0-300.fc24.x86_64 #1
                              SMP Mon Mar 14 17:03:27 UTC 2016 x86_64 x86_64
Alert Count                   30
First Seen                    2016-04-13 11:09:42 MDT
Last Seen                     2016-04-13 11:09:42 MDT
Local ID                      cceda960-03b3-4a1e-8b7f-a484475e0357

Raw Audit Messages
type=AVC msg=audit(1460567382.234:4051): avc:  denied  { open } for  pid=27788 comm="qemu-system-x86" path="/run/udev/data/+usb:2-1:1.0" dev="tmpfs" ino=13266 scontext=system_u:system_r:svirt_t:s0:c570,c773 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0


Hash: qemu-system-x86,svirt_t,udev_var_run_t,file,open

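Added illustration, not code from the bug report or from the selinux-policy project: the script below parses the two raw AVC records quoted in this bug (copied from the sealert output above) into the (source type, target type, class) key that a type-enforcement allow rule is keyed on. Grouping on the type rather than the full context matters because the MCS categories (c189,c982 vs c570,c773) differ between the two VM starts; the comparison at the end shows that a module built from the first denial alone grants only `read`, which is why the second sealert still reports `open`.

```python
import re
from collections import defaultdict

# Two raw AVC records as they appear in this bug report (same qemu-system-x86
# domain svirt_t, same udev database file udev_var_run_t, different permission).
AVC_LINES = [
    'type=AVC msg=audit(1460566687.834:3977): avc:  denied  { read } for  pid=26451 comm="qemu-system-x86" name="+usb:2-1:1.0" dev="tmpfs" ino=13266 scontext=system_u:system_r:svirt_t:s0:c189,c982 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1460567382.234:4051): avc:  denied  { open } for  pid=27788 comm="qemu-system-x86" path="/run/udev/data/+usb:2-1:1.0" dev="tmpfs" ino=13266 scontext=system_u:system_r:svirt_t:s0:c570,c773 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """Type field of a user:role:type:level context; MCS categories are dropped."""
    return context.split(':')[2]


def parse_avc(line):
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        'perms': set(m.group('perms').split()),
        'stype': type_of(m.group('scontext')),
        'ttype': type_of(m.group('tcontext')),
        'tclass': m.group('tclass'),
    }


def collect_rules(lines):
    """Merge denials into {(stype, ttype, tclass): set(perms)}."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            rules[(rec['stype'], rec['ttype'], rec['tclass'])] |= rec['perms']
    return dict(rules)


def render_allow(rules):
    """Render each merged entry as a type-enforcement allow rule."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]


def missing_perms(granted, needed):
    """Permissions still denied when 'granted' came from an earlier subset of denials."""
    return {k: p - granted.get(k, set()) for k, p in needed.items() if p - granted.get(k, set())}
```

Running `missing_perms(collect_rules(AVC_LINES[:1]), collect_rules(AVC_LINES))` reproduces the situation in Comment 1: the gap is `{'open'}` on svirt_t to udev_var_run_t:file.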
Comment 2 Lukas Vrabec 2016-04-14 12:49:55 UTC

*** This bug has been marked as a duplicate of bug 1323501 ***

