Created attachment 1146917 [details]
journal from USB insertion until VM shutdown

Description of problem:
When a USB stick is added to a VM in virt-manager, and the VM is launched, I get a bunch of selinux denials, and the USB stick isn't visible in the VM.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-158.12.fc23.noarch

How reproducible:
Always

Steps to Reproduce:
1. Insert wiped USB stick
2. Launch virt-manager and authenticate
3. virt-manager click on VM > Open > Details
4. Add hardware
5. select USB Host Device, then choose the USB stick, this is the only USB device selected for use in the VM
6. start VM

Actual results:
USB stick doesn't appear in VM. Journal contains multiple AVC denials, over 30 setroubleshoot messages, looks like one for each USB hub and device.

Additional info:
[root@f23m ~]# lsusb
Bus 002 Device 003: ID 05ac:8242 Apple, Inc. Built-in IR Receiver
Bus 002 Device 002: ID 0424:2513 Standard Microsystems Corp. 2.0 Hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 001 Device 003: ID 05ac:8509 Apple, Inc. FaceTime HD Camera
Bus 001 Device 015: ID 0951:1654 Kingston Technology
Bus 001 Device 005: ID 05ac:0252 Apple, Inc. Internal Keyboard/Trackpad (ANSI)
Bus 001 Device 008: ID 05ac:821a Apple, Inc. Bluetooth Host Controller
Bus 001 Device 004: ID 0a5c:4500 Broadcom Corp. BCM2046B1 USB 2.0 Hub (part of BCM2046 Bluetooth)
Bus 001 Device 002: ID 0424:2513 Standard Microsystems Corp. 2.0 Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

[root@f23m ~]# sealert -l bc02bbe3-fa04-4449-bcb1-09b91a9a951d
SELinux is preventing qemu-system-x86 from read access on the file +usb:2-1:1.0.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that qemu-system-x86 should be allowed read access on the +usb:2-1:1.0 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c qemu-system-x86 --raw | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:svirt_t:s0:c189,c982
Target Context                system_u:object_r:udev_var_run_t:s0
Target Objects                +usb:2-1:1.0 [ file ]
Source                        qemu-system-x86
Source Path                   qemu-system-x86
Port                          <Unknown>
Host                          f23m.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-158.12.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     f23m.localdomain
Platform                      Linux f23m.localdomain 4.5.0-300.fc24.x86_64 #1 SMP Mon Mar 14 17:03:27 UTC 2016 x86_64 x86_64
Alert Count                   31
First Seen                    2016-04-13 10:58:07 MDT
Last Seen                     2016-04-13 10:58:07 MDT
Local ID                      bc02bbe3-fa04-4449-bcb1-09b91a9a951d

Raw Audit Messages
type=AVC msg=audit(1460566687.834:3977): avc:  denied  { read } for  pid=26451 comm="qemu-system-x86" name="+usb:2-1:1.0" dev="tmpfs" ino=13266 scontext=system_u:system_r:svirt_t:s0:c189,c982 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0

Hash: qemu-system-x86,svirt_t,udev_var_run_t,file,read
So I did this:
# ausearch -c qemu-system-x86 --raw | audit2allow -M virtusb
# semodule -i virtusb.pp

journal reports this:
[197210.666512] f23m.localdomain kernel: SELinux: 32768 avtab hash slots, 103680 rules.
[197210.694428] f23m.localdomain kernel: SELinux: 32768 avtab hash slots, 103680 rules.
[197210.730485] f23m.localdomain kernel: SELinux: 8 users, 14 roles, 4930 types, 305 bools, 1 sens, 1024 cats
[197210.730491] f23m.localdomain kernel: SELinux: 92 classes, 103680 rules
[197210.734188] f23m.localdomain kernel: SELinux: Permission validate_trans in class security not defined in policy.
[197210.734295] f23m.localdomain kernel: SELinux: the above unknown classes and permissions will be allowed
[197187.840702] f23m.localdomain dbus[1349]: avc: received policyload notice (seqno=2)
[197187.841164] f23m.localdomain dbus[1214]: avc: received policyload notice (seqno=2)
[197187.841805] f23m.localdomain dbus[21308]: avc: received policyload notice (seqno=2)
[197187.842169] f23m.localdomain audit: MAC_POLICY_LOAD policy loaded auid=1000 ses=10
[197187.842680] f23m.localdomain dbus[21776]: avc: received policyload notice (seqno=2)
[197187.846865] f23m.localdomain dbus[21867]: avc: received policyload notice (seqno=2)
[197187.847120] f23m.localdomain dbus[21396]: avc: received policyload notice (seqno=2)
[197187.847560] f23m.localdomain dbus[826]: Can't send to audit system: USER_AVC avc: received policyload notice (seqno=2) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?
[197187.847863] f23m.localdomain org.a11y.Bus[1214]: Reloaded configuration
[197187.848061] f23m.localdomain org.a11y.Bus[21308]: Reloaded configuration
[197187.848248] f23m.localdomain org.a11y.Bus[21776]: Reloaded configuration
[197187.848723] f23m.localdomain /usr/libexec/gdm-x-session[21716]: Reloaded configuration
[197187.848924] f23m.localdomain /usr/libexec/gdm-wayland-session[1184]: Reloaded configuration
[197187.849281] f23m.localdomain /usr/libexec/gdm-wayland-session[21302]: Reloaded configuration
[197187.857243] f23m.localdomain dbus[826]: [system] Reloaded configuration

And yet I still get AVC denials when I launch the VM, and the USB device is still not visible in the guest VM.

# sealert -l cceda960-03b3-4a1e-8b7f-a484475e0357
SELinux is preventing qemu-system-x86 from open access on the file /run/udev/data/+usb:2-1:1.0.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that qemu-system-x86 should be allowed open access on the +usb:2-1:1.0 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c qemu-system-x86 --raw | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:svirt_t:s0:c570,c773
Target Context                system_u:object_r:udev_var_run_t:s0
Target Objects                /run/udev/data/+usb:2-1:1.0 [ file ]
Source                        qemu-system-x86
Source Path                   qemu-system-x86
Port                          <Unknown>
Host                          f23m.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-158.12.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     f23m.localdomain
Platform                      Linux f23m.localdomain 4.5.0-300.fc24.x86_64 #1 SMP Mon Mar 14 17:03:27 UTC 2016 x86_64 x86_64
Alert Count                   30
First Seen                    2016-04-13 11:09:42 MDT
Last Seen                     2016-04-13 11:09:42 MDT
Local ID                      cceda960-03b3-4a1e-8b7f-a484475e0357

Raw Audit Messages
type=AVC msg=audit(1460567382.234:4051): avc:  denied  { open } for  pid=27788 comm="qemu-system-x86" path="/run/udev/data/+usb:2-1:1.0" dev="tmpfs" ino=13266 scontext=system_u:system_r:svirt_t:s0:c570,c773 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0

Hash: qemu-system-x86,svirt_t,udev_var_run_t,file,open
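The two raw AVC records quoted above, parsed and aggregated the way a reviewer would before installing an audit2allow module: the first alert only carries { read }, and the { open } denial surfaces only after that module is loaded, so a module built from one pass grants less than the guest needs and the accumulated rule is what should be reviewed. This is an added example, not code from the bug report, setroubleshoot or audit2allow; the regular expression is an assumption about the audit record layout.

```python
"""Added example: summarise SELinux AVC denials so the access a local policy
module would grant can be reviewed before `semodule -i`.  Parsing is an
assumption about the audit format, not setroubleshoot's own code."""
import re
from collections import defaultdict

# Constructed sample: the two raw AVC messages quoted in the bug report.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1460566687.834:3977): avc:  denied  { read } for  pid=26451 comm="qemu-system-x86" name="+usb:2-1:1.0" dev="tmpfs" ino=13266 scontext=system_u:system_r:svirt_t:s0:c189,c982 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1460567382.234:4051): avc:  denied  { open } for  pid=27788 comm="qemu-system-x86" path="/run/udev/data/+usb:2-1:1.0" dev="tmpfs" ino=13266 scontext=system_u:system_r:svirt_t:s0:c570,c773 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'comm="(?P<comm>[^"]*)"(?:\s+(?:name|path)="(?P<obj>[^"]*)")?.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?')

def parse_avc(line):
    """Return a dict for one AVC denial record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = set(d["perms"].split())
    # A context is user:role:type[:mls]; the MLS categories (c189,c982 vs
    # c570,c773) change per guest launch, so aggregate on the type only.
    d["stype"] = d["scontext"].split(":")[2]
    d["ttype"] = d["tcontext"].split(":")[2]
    d["permissive"] = d["permissive"] == "1"
    return d

def summarise(text):
    """Group denials by (source type, target type, class), unioning permissions.
    This is the access set an audit2allow module built from `text` would grant."""
    agg = defaultdict(set)
    for line in text.splitlines():
        d = parse_avc(line)
        if d:
            agg[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(agg)

def te_rules(summary):
    """Render each aggregated entry as the TE allow rule it corresponds to."""
    return sorted("allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
                  for (s, t, c), p in summary.items())
```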
*** This bug has been marked as a duplicate of bug 1323501 ***