It would be nice if the targeted policy offered a boolean for enabling virtualized OSs to access the parallel ports, to avoid this:

audit2allow -a
#============= qemu_t ==============
allow qemu_t printer_device_t:chr_file { read write ioctl };

audit2allow -a -w
type=AVC msg=audit(1239027944.475:30): avc: denied { write } for pid=2976 comm="qemu-kvm" path="/dev/parport0" dev=tmpfs ino=6208 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.
- Mike
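An added triage helper, not part of the bug report or the selinux-policy package: it parses the AVC record quoted above into its fields and checks whether the denied (source type, target type, class) triple is one that a known boolean covers, so that a boolean can be preferred over an audit2allow-generated module. The KNOWN_BOOLEANS table is an assumption seeded only with the qemu_use_comm tunable proposed later in this thread.

```python
import re

# Constructed sample: the AVC record quoted in the report above.
SAMPLE_AVC = (
    'type=AVC msg=audit(1239027944.475:30): avc: denied { write } for pid=2976 '
    'comm="qemu-kvm" path="/dev/parport0" dev=tmpfs ino=6208 '
    'scontext=system_u:system_r:qemu_t:s0 '
    'tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file'
)

# Hypothetical table: (source type, target type, object class) -> boolean that
# is meant to grant the access. Only the pair from this thread is listed.
KNOWN_BOOLEANS = {
    ("qemu_t", "printer_device_t", "chr_file"): "qemu_use_comm",
}

_AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)'
)
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _sel_type(context):
    """Extract the type field from a user:role:type:level context string."""
    return context.split(":")[2]


def parse_avc(record):
    """Return the interesting fields of an AVC audit record, or None if it is not one."""
    m = _AVC_RE.search(record)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group("rest"))}
    return {
        "result": m.group("result"),
        "perms": sorted(m.group("perms").split()),
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "stype": _sel_type(fields["scontext"]),
        "ttype": _sel_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def suggest_boolean(record):
    """Name the boolean covering this denial, or None if a custom module would be needed."""
    avc = parse_avc(record)
    if avc is None or avc["result"] != "denied":
        return None
    return KNOWN_BOOLEANS.get((avc["stype"], avc["ttype"], avc["tclass"]))
```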
What devices should I give it access to?
/dev/parport*, in my case anyway. Other people might need access to serial ports (/dev/ttyS*), but I have no experience with that. I do use libvirt/kvm/qemu with USB port forwarding (for USB serial port access), but that seems to work fine with the existing policy. - Mike
Add qemu_use_comm and virt_use_comm for (svirt_t) in rawhide. Miroslav could you add something like +## <desc> +## <p> +## Allow qemu to user serial/parallel communication ports +## </p> +## </desc> +gen_tunable(qemu_use_comm, false) + + +tunable_policy(`qemu_use_comm',` + term_use_unallocated_ttys(sqemu_t) + dev_rw_printer(sqemu_t) +')
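Review bot: the tunable description has a typo, "Allow qemu to user serial/parallel communication ports" should read "Allow qemu to use serial/parallel communication ports". The two rules inside tunable_policy are applied to sqemu_t, while the AVC in this report names qemu_t and the comment text mentions svirt_t; confirm the intended domain before merging. The comment also asks for a virt_use_comm tunable, which does not appear in the quoted snippet.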
Fixed in selinux-policy-3.5.13-55.fc10
I downloaded selinux-policy-3.5.13-55.fc10 and rebooted. What else do I need to do to make this work? I don't see any qemu_use_comm boolean.

[root@pekkala ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: permissive
Policy version: 23
Policy from config file: targeted

[root@pekkala ~]# getsebool -a | grep comm
httpd_tty_comm --> on

[root@pekkala ~]# rpm -qa | grep selinux-policy
selinux-policy-targeted-3.5.13-48.fc10.noarch
selinux-policy-3.5.13-55.fc10.noarch
- Mike
Because you updated only selinux-policy. You should also update selinux-policy-targeted.
OK - but I got selinux-policy from http://koji.fedoraproject.org/koji/packageinfo?packageID=32. I can't find any selinux-policy-targeted builds there. Am I missing something? - Mike
http://koji.fedoraproject.org/koji/buildinfo?buildID=96877 To download policy-targeted: http://kojipkgs.fedoraproject.org/packages/selinux-policy/3.5.13/55.fc10/noarch/selinux-policy-targeted-3.5.13-55.fc10.noarch.rpm
Thanks for the super-quick resolution and helpfulness! Confirmed as fixed. - Mike