Bug 494354 - enable qemu sharing of parallel ports
enable qemu sharing of parallel ports
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
10
All Linux
low Severity medium
: ---
: ---
Assigned To: Miroslav Grepl
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-04-06 10:30 EDT by Michael J. Chudobiak
Modified: 2009-04-07 10:57 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-04-07 10:57:17 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Michael J. Chudobiak 2009-04-06 10:30:51 EDT
It would be nice if the targeted policy offered a boolean for enabling virtualized OSs to access the parallel ports, to avoid this:


audit2allow -a
#============= qemu_t ==============
allow qemu_t printer_device_t:chr_file { read write ioctl };


audit2allow -a -w
type=AVC msg=audit(1239027944.475:30): avc:  denied  { write } for  pid=2976 comm="qemu-kvm" path="/dev/parport0" dev=tmpfs ino=6208 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.


- Mike
Comment 1 Daniel Walsh 2009-04-06 10:56:10 EDT
What devices should I give it access to?
Comment 2 Michael J. Chudobiak 2009-04-06 11:14:18 EDT
/dev/parport*, in my case anyway.

Other people might need access to serial ports (/dev/ttyS*), but I have no experience with that.

I do use libvirt/kvm/qemu with USB port forwarding (for USB serial port access), but that seems to work fine with the existing policy.

- Mike
Comment 3 Daniel Walsh 2009-04-06 13:13:12 EDT
Add qemu_use_comm and virt_use_comm for (svirt_t) in rawhide.


Miroslav could you add something like

+## <desc>
+## <p>
+## Allow qemu to user serial/parallel communication ports
+## </p>
+## </desc>
+gen_tunable(qemu_use_comm, false)
+
+

+tunable_policy(`qemu_use_comm',`
+       term_use_unallocated_ttys(sqemu_t)
+       dev_rw_printer(sqemu_t)
+')
Comment 4 Miroslav Grepl 2009-04-07 09:54:05 EDT
Fixed in selinux-policy-3.5.13-55.fc10
Comment 5 Michael J. Chudobiak 2009-04-07 10:18:53 EDT
I downloaded selinux-policy-3.5.13-55.fc10 and rebooted. What else do I need to do to make this work? I don't see any qemu_use_comm boolean.

[root@pekkala ~]# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          permissive
Policy version:                 23
Policy from config file:        targeted

[root@pekkala ~]# getsebool -a | grep comm
httpd_tty_comm --> on

[root@pekkala ~]# rpm -qa | grep selinux-policy
selinux-policy-targeted-3.5.13-48.fc10.noarch
selinux-policy-3.5.13-55.fc10.noarch

- Mike
Comment 6 Miroslav Grepl 2009-04-07 10:24:40 EDT
Because you updated only selinux-policy. You should update also selinux-policy-targeted.
Comment 7 Michael J. Chudobiak 2009-04-07 10:29:38 EDT
OK - but I got selinux-policy from http://koji.fedoraproject.org/koji/packageinfo?packageID=32.

I can't find any selinux-policy-targeted builds there. Am I missing something?

- Mike
Comment 9 Michael J. Chudobiak 2009-04-07 10:57:17 EDT
Thanks for the super-quick resolution and helpfulness!

Confirmed as fixed.

- Mike

Note You need to log in before you can comment on or make changes to this bug.