Bug 2318409 - SELinux prevents USB hotplug of Prolific PL2303 USB to serial adaptor to a CentOS 6 guest
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 41
Hardware: x86_64
OS: Linux
unspecified
low
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
Reported: 2024-10-13 14:12 UTC by Joachim Katzer
Modified: 2024-10-14 16:58 UTC (History)


Description Joachim Katzer 2024-10-13 14:12:04 UTC
My system is a Geekom MiniPC IT11 with Fedora Silverblue 41 Beta and boxes and virt-manager installed as layered packages. 
A Prolific PL2303 USB to serial adaptor connects the PC to an old Garmin GPS device Foretrex 201 with a serial port.

Connecting a Prolific PL2303 USB to serial adaptor to CentOS6 does not work unless:
- Silverblue host user added to group dialout (not a bug)
- SELinux set to Permissive



Reproducible: Always

Steps to Reproduce:
1. Add user on host to group dialout
2. Set up VM in GNOME-Boxes.
3. Connect device with a serial port (e.g. Garmin GPS)
4. Redirect USB Device to VM (with SELinux enforced and then permissive), check /dev/ttyUSB0

Actual Results:  
If SELinux is enforced, redirection fails (GNOME-Boxes simply reports "Redirection .. failed").
If SELinux is permissive, redirection is successful.




Expected Results:  
Redirection should work also in Enforced mode.

Testing this issue requires a device with a serial port and a Prolific PL2303 USB to serial adaptor.

I am using an outdated Firefox 17 plugin to load data from the GPS device to the VM guest. That's the reason I cannot use a recent Linux distro.

For testing the issue it should be sufficient to check if /dev/ttyUSB0 shows up on the host at first, and then in VM after redirection.

Comment 1 Adam Williamson 2024-10-14 15:48:57 UTC
As the issue is an SELinux denial and it works in permissive mode, moving to selinux-policy. Joachim, it would be great if you can get the details about the SELinux denial. If you run the "SELinux Troubleshooter" app it should be able to automatically submit a bug report with all the needed details, which we can close this as a dupe of. Otherwise, can you at least do:

sudo ausearch -m avc

and post the output? thanks!

Comment 2 Joachim Katzer 2024-10-14 16:58:13 UTC
When I try to redirect the adaptor, no AVCs are logged.
I had to turn off dontaudit rules by the command "semodule -DB". Then the following AVCs are logged on redirecting /dev/ttyUSB0:

time->Mon Oct 14 18:40:47 2024
type=AVC msg=audit(1728924047.690:1368): avc:  denied  { noatsecure } for  pid=5219 comm="polkitd" scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=1
----
time->Mon Oct 14 18:40:47 2024
type=AVC msg=audit(1728924047.690:1369): avc:  denied  { rlimitinh } for  pid=5219 comm="pkla-check-auth" scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=1
----
time->Mon Oct 14 18:40:47 2024
type=AVC msg=audit(1728924047.690:1370): avc:  denied  { siginh } for  pid=5219 comm="pkla-check-auth" scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=1

However, when dontaudit rules are active, then redirection fails even if SELinux is in "Permissive" mode.
The log entries are equal. After turning on the dontaudit rules by "semodule -B", redirection is working again in and only in "Permissive" mode.
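
A triage helper for `ausearch -m avc` output like that posted in comment 2, added here as an example (it is not part of the bug report or of selinux-policy). It groups denials by source type, target type and class, and separates groups that contain only `noatsecure`, `rlimitinh` and `siginh` from the rest; treating those three process permissions as domain-transition noise is this example's assumption, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample input: the three AVC records from comment 2, as ausearch prints them.
SAMPLE = """\
time->Mon Oct 14 18:40:47 2024
type=AVC msg=audit(1728924047.690:1368): avc:  denied  { noatsecure } for  pid=5219 comm="polkitd" scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=1
----
time->Mon Oct 14 18:40:47 2024
type=AVC msg=audit(1728924047.690:1369): avc:  denied  { rlimitinh } for  pid=5219 comm="pkla-check-auth" scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=1
----
time->Mon Oct 14 18:40:47 2024
type=AVC msg=audit(1728924047.690:1370): avc:  denied  { siginh } for  pid=5219 comm="pkla-check-auth" scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=1
"""

# Assumption of this example: transition-time process permissions that dontaudit rules usually hide.
TRANSITION_NOISE = {"noatsecure", "rlimitinh", "siginh"}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?')

def type_of(context):
    return context.split(":")[2]  # user:role:type:level -> type

def summarize(text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "enforced": False})
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # skips the time-> and ---- separator lines
        g = groups[(type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])]
        g["perms"].update(m["perms"].split())
        g["comms"].add(m["comm"])
        g["enforced"] |= m["permissive"] == "0"  # 0 = the access was really blocked
    return dict(groups)

def triage(groups):
    """Split group keys into transition-only noise and denials to report."""
    noise, relevant = [], []
    for key, g in groups.items():
        only_noise = key[2] == "process" and g["perms"] <= TRANSITION_NOISE
        (noise if only_noise else relevant).append(key)
    return noise, relevant

if __name__ == "__main__":
    print(triage(summarize(SAMPLE)))
```

To use it on a live system, pass the text of `sudo ausearch -m avc` to `summarize()` in place of `SAMPLE`.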

