My system is a Geekom MiniPC IT11 with Fedora Silverblue 41 Beta and boxes and virt-manager installed as layered packages. A Prolific PL2303 USB to serial adaptor connect the PC to an old Garmin GPS device Foretrex 201 with a serial port. Connecting a Prolific PL2303 USB to serial adaptor to CentOS6 does not work unless: - Silverblue host user added to group dialout (not a bug) - SELinux set to Permissive Reproducible: Always Steps to Reproduce: 1. Add user on host to group dialout 2. Setup VM in GNOME-Boxes. 2. Connect device with a serial port (e.g. Garmin GPS) 3. Redirect USB Device to VM (with SELinux enforced and then permissive), check /dev/ttyUSB0 3.3 Actual Results: If SELinux is enforced, redirection fails. GNOME-Boxes simply reports "Redirection .. failed"). If SELinux is permissive, redirection is successful. Expected Results: Redirection should work also in Enforced mode. Testing this issue requires a device with a serial port and a Prolific PL2303 USB to serial adaptor. I am using an outdated Firefox 17 plugin to load data from the GPS device to the VM guest. That's the reason I cannot use a recent Linux distro. For testing the issue it should be sufficient to check if /dev/ttyUSB0 shows up on the host at first, and then in VM after redirection.
As the issue is an SELinux denial and it works in permissive mode, moving to selinux-policy. Joachim, it would be great if you can get the details about the SELinux denial. If you run the "SELinux Troubleshooter" app it should be able to automatically submit a bug report with all the needed details, which we can close this as a dupe of. Otherwise, can you at least do: sudo ausearch -m avc and post the output? thanks!
When I try to redirect the adaptor, no AVCs are logged. I had to turn off dontaudit rules by the command "semodule -DB". Then the following AVCs are logged on redirecting /dev/ttyUSB0: ime->Mon Oct 14 18:40:47 2024 type=AVC msg=audit(1728924047.690:1368): avc: denied { noatsecure } for pid=5219 comm="polkitd" scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=1 ---- time->Mon Oct 14 18:40:47 2024 type=AVC msg=audit(1728924047.690:1369): avc: denied { rlimitinh } for pid=5219 comm="pkla-check-auth" scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=1 ---- time->Mon Oct 14 18:40:47 2024 type=AVC msg=audit(1728924047.690:1370): avc: denied { siginh } for pid=5219 comm="pkla-check-auth" scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=1 However, when dontaudit rules are active, then redirection fails even if SELinux is in "Permissive" mode. The log entries are equal. After turning on the dontaudit rules by "semodule -B", redirection is working again in and only in "Permissive" mode.
This message is a reminder that Fedora Linux 41 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 41 on 2025-12-15. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '41'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see it. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 41 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed.
Fedora Linux 41 entered end-of-life (EOL) status on 2025-12-15. Fedora Linux 41 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora Linux please feel free to reopen this bug against that version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see the version field. If you are unable to reopen this bug, please file a new report against an active release. Thank you for reporting this bug and we are sorry it could not be fixed.