Bug 494354 - enable qemu sharing of parallel ports
Summary: enable qemu sharing of parallel ports
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 10
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-04-06 14:30 UTC by Michael J. Chudobiak
Modified: 2009-04-07 14:57 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-04-07 14:57:17 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Michael J. Chudobiak 2009-04-06 14:30:51 UTC
It would be nice if the targeted policy offered a boolean for enabling virtualized OSs to access the parallel ports, to avoid this:


audit2allow -a
#============= qemu_t ==============
allow qemu_t printer_device_t:chr_file { read write ioctl };


audit2allow -a -w
type=AVC msg=audit(1239027944.475:30): avc:  denied  { write } for  pid=2976 comm="qemu-kvm" path="/dev/parport0" dev=tmpfs ino=6208 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.


- Mike

Comment 1 Daniel Walsh 2009-04-06 14:56:10 UTC
What devices should I give it access to?

Comment 2 Michael J. Chudobiak 2009-04-06 15:14:18 UTC
/dev/parport*, in my case anyway.

Other people might need access to serial ports (/dev/ttyS*), but I have no experience with that.

I do use libvirt/kvm/qemu with USB port forwarding (for USB serial port access), but that seems to work fine with the existing policy.

- Mike

Comment 3 Daniel Walsh 2009-04-06 17:13:12 UTC
Add qemu_use_comm and virt_use_comm for (svirt_t) in rawhide.


Miroslav could you add something like

+## <desc>
+## <p>
+## Allow qemu to user serial/parallel communication ports
+## </p>
+## </desc>
+gen_tunable(qemu_use_comm, false)
+
+

+tunable_policy(`qemu_use_comm',`
+       term_use_unallocated_ttys(sqemu_t)
+       dev_rw_printer(sqemu_t)
+')

Comment 4 Miroslav Grepl 2009-04-07 13:54:05 UTC
Fixed in selinux-policy-3.5.13-55.fc10

Comment 5 Michael J. Chudobiak 2009-04-07 14:18:53 UTC
I downloaded selinux-policy-3.5.13-55.fc10 and rebooted. What else do I need to do to make this work? I don't see any qemu_use_comm boolean.

[root@pekkala ~]# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          permissive
Policy version:                 23
Policy from config file:        targeted

[root@pekkala ~]# getsebool -a | grep comm
httpd_tty_comm --> on

[root@pekkala ~]# rpm -qa | grep selinux-policy
selinux-policy-targeted-3.5.13-48.fc10.noarch
selinux-policy-3.5.13-55.fc10.noarch

- Mike

Comment 6 Miroslav Grepl 2009-04-07 14:24:40 UTC
Because you updated only selinux-policy. You should update also selinux-policy-targeted.

Comment 7 Michael J. Chudobiak 2009-04-07 14:29:38 UTC
OK - but I got selinux-policy from http://koji.fedoraproject.org/koji/packageinfo?packageID=32.

I can't find any selinux-policy-targeted builds there. Am I missing something?

- Mike

Comment 9 Michael J. Chudobiak 2009-04-07 14:57:17 UTC
Thanks for the super-quick resolution and helpfulness!

Confirmed as fixed.

- Mike


Note You need to log in before you can comment on or make changes to this bug.