Start a guest with configuration like:

  <devices>
    <hostdev mode='subsystem' type='pci' managed='yes'>
      <source>
        <address bus='0x00' slot='0x19' function='0x00'/>
      </source>
    </hostdev>
  </devices>

fails with:

  error: Failed to start domain rawhide-2009-05-05
  get_real_device: /sys/bus/pci/devices/0000:00:19.0/config: Permission denied
  init_assigned_device: Error: Couldn't get real device (00:19.0)!
  Failed to initialize assigned device host=00:19.0

AVCs in permissive mode are:

  type=AVC msg=audit(1241555283.246:287): avc: denied { open } for pid=7906 comm="qemu-kvm" name="config" dev=sysfs ino=7788 scontext=system_u:system_r:svirt_t:s0:c269,c997 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
  type=AVC msg=audit(1241555283.246:287): avc: denied { read write } for pid=7906 comm="qemu-kvm" name="config" dev=sysfs ino=7788 scontext=system_u:system_r:svirt_t:s0:c269,c997 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
  type=AVC msg=audit(1241555283.246:287): avc: denied { read } for pid=7906 comm="qemu-kvm" name="0000:00:19.0" dev=sysfs ino=1261 scontext=system_u:system_r:svirt_t:s0:c269,c997 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file
  type=AVC msg=audit(1241555283.246:288): avc: denied { getattr } for pid=7906 comm="qemu-kvm" path="/sys/devices/pci0000:00/0000:00:19.0/resource" dev=sysfs ino=1247 scontext=system_u:system_r:svirt_t:s0:c269,c997 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
This gets "interesting". IMHO, the fact that SELinux denied access to the host PCI device is desirable here, because I wouldn't want to change SELinux policy to allow this by default. I imagine you'll suffer a similar problem trying to attach a host USB device to a guest VM. This suggests we'll likely need to start considering whether libvirtd should manage labelling of other non-disk based resources, i.e. have it relabel the specific PCI / USB device files needed when a <hostdev> is attached.
So if libvirt had labeled /sys/bus/pci/devices/0000:00:19.0/config svirt_image_t:MCS it would have had exclusive access. Or would we want shared access?
Exclusive access should work - this is the device's PCI config space, and once a guest has been assigned a device it should be the only process accessing it. We'd just need to be sure to re-label it after the guest has shut down. Maybe virNodeDeviceReAttach() could re-label? Also, what about the other two denials - i.e. the readlink on 0000:00:19.0 and the getattr on 0000:00:19.0/resource?
This requires someone to follow through on the sysfs security labeling support, bug 228902. Two possible approaches were proposed there with prototype patches, but no one has taken it further.
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle. Changing version to '11'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Looks like the current workaround for this is the virt_manage_sysfs boolean?

  setsebool -P virt_manage_sysfs on
Just would like to share some results on the virt_manage_sysfs boolean. I configured a guest domain to use a USB device. Enabling the virt_manage_sysfs boolean did not work for me. However, after "echo 0 > /selinux/enforce" the USB device is assigned to the guest successfully. "ausearch -m avc" shows an empty result. Please excuse me if this bug does not relate to USB device assignment.
What AVCs are you seeing after you set this boolean? The AVCs you showed above, according to policy, would be allowed with that boolean.

  # audit2allow -w -i /tmp/t
  type=AVC msg=audit(1241555283.246:287): avc: denied { open } for pid=7906 comm="qemu-kvm" name="config" dev=sysfs ino=7788 scontext=system_u:system_r:svirt_t:s0:c269,c997 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
  type=AVC msg=audit(1241555283.246:287):
  Was caused by:
  The boolean virt_manage_sysfs was set incorrectly.
  Description:
  Allow svirt to manage device configuration, (pci)
  Allow access by executing:
  # setsebool -P virt_manage_sysfs 1
  ...
My situation is slightly different from the one described in the initial report for this bug. I attempt to supply a USB device to the guest, not a PCI one. Probably virt_manage_sysfs relates to PCI device assignment only. Still, USB device assignment is also the common case and, as far as I understood from Comment #1, it is closely related, so I'm posting the information here. I've double-checked that an attempt to assign the USB device to the guest fails when SELinux is in enforcing mode, while exactly the same actions assign the USB device successfully to the guest when SELinux is switched to permissive mode. It's strange, but the AVCs are empty. Probably there is something with the audit configuration on my system? My audit configuration is the default one and I have not touched it since Fedora 11 was installed.
Run:

  semodule -DB
  setenforce 0

assign and use the USB device, then:

  semodule -B
  setenforce 1

and send us the AVCs you now have in /var/log/audit/audit.log. Thanks.
Or better yet, try selinux-policy-3.6.12-54.fc11 in koji and see if this fixes your problem. Turn on the virt_use_usb boolean:

  setsebool -P virt_use_usb=1
I've installed selinux-policy-3.6.12-54.fc11 from koji, but it looks like there is no virt_use_usb boolean. "getsebool -a | grep virt_use_usb" output is empty. Trying the "semodule -DB" way. These are the relevant entries from "ausearch -m avc":

  time->Fri Jun 19 19:55:38 2009
  type=SYSCALL msg=audit(1245426938.761:987): arch=c000003e syscall=2 success=yes exit=13 a0=7fffe2f3ba60 a1=802 a2=7fffe2f3ba75 a3=fffffff3 items=0 ppid=1 pid=7395 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c87,c755 key=(null)
  type=AVC msg=audit(1245426938.761:987): avc: denied { write } for pid=7395 comm="qemu-kvm" name="002" dev=usbfs ino=487 scontext=system_u:system_r:svirt_t:s0:c87,c755 tcontext=system_u:object_r:usbfs_t:s0 tclass=file

  time->Fri Jun 19 20:00:40 2009
  type=SYSCALL msg=audit(1245427240.650:1276): arch=c000003e syscall=16 success=yes exit=0 a0=d a1=4008550d a2=7fff86f2f958 a3=7fff86f2f980 items=0 ppid=1 pid=7995 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c269,c900 key=(null)
  type=AVC msg=audit(1245427240.650:1276): avc: denied { write } for pid=7995 comm="qemu-kvm" path="/proc/bus/usb/003/002" dev=usbfs ino=487 scontext=system_u:system_r:svirt_t:s0:c269,c900 tcontext=system_u:object_r:usbfs_t:s0 tclass=file
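An added example (not code from this bug, libvirt or selinux-policy) that parses AVC records like the sysfs denials from the PCI case and the usbfs denials from the USB case above, maps a svirt_t denial against sysfs_t or usbfs_t to the boolean named in this thread, and pulls out the per-guest MCS categories that an exclusive svirt_image_t:MCS relabel would key on. The BOOLEAN_FOR_TARGET mapping is an assumption distilled from the thread, not read from the policy sources.

```python
import re
from typing import Dict, List, Optional

# Two AVC records copied from this bug: the sysfs denial from the PCI
# case and the usbfs denial from the USB case.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1241555283.246:287): avc: denied { open } for pid=7906 '
    'comm="qemu-kvm" name="config" dev=sysfs ino=7788 '
    'scontext=system_u:system_r:svirt_t:s0:c269,c997 '
    'tcontext=system_u:object_r:sysfs_t:s0 tclass=file',
    'type=AVC msg=audit(1245426938.761:987): avc: denied { write } for pid=7395 '
    'comm="qemu-kvm" name="002" dev=usbfs ino=487 '
    'scontext=system_u:system_r:svirt_t:s0:c87,c755 '
    'tcontext=system_u:object_r:usbfs_t:s0 tclass=file',
]

# Assumed mapping: target types that the two booleans named in this bug
# open up for svirt_t.
BOOLEAN_FOR_TARGET = {"sysfs_t": "virt_manage_sysfs", "usbfs_t": "virt_use_usb"}

_DENIED = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Split one AVC record into its permission list and key=value fields."""
    m = _DENIED.search(line)
    if not m:                      # SYSCALL records and other noise
        return None
    rec: Dict[str, object] = {"perms": m.group(1).split()}
    for key, val in _KV.findall(line[m.end():]):
        rec[key] = val.strip('"')
    return rec

def context_type(ctx: str) -> str:
    """Type field of a user:role:type[:level] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ""

def mcs_categories(ctx: str) -> List[str]:
    """MCS categories of an svirt context, e.g. ['c269', 'c997']; a per-guest
    svirt_image_t:MCS relabel would grant access only to this category pair."""
    parts = ctx.split(":")
    return parts[4].split(",") if len(parts) > 4 else []

def suggest_boolean(rec: Dict[str, object]) -> Optional[str]:
    """Boolean from this bug that would cover the denial, or None."""
    if context_type(str(rec.get("scontext", ""))) != "svirt_t":
        return None
    return BOOLEAN_FOR_TARGET.get(context_type(str(rec.get("tcontext", ""))))
```

Feeding the full "ausearch -m avc" output through parse_avc() skips the SYSCALL lines and leaves only the denials to triage.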
Make that 55; it only got into the Rawhide package. Sorry.
Thank you, it works just fine with selinux-policy-3.6.12-55.fc11 from koji.
bug #504444 covers USB passthrough, this bug covers PCI passthrough

Is virt_manage_sysfs thought to be enough for PCI passthrough?
(In reply to comment #15)
> bug #504444 covers USB passthrough, this bug covers PCI passthrough
>
> Is virt_manage_sysfs thought to be enough for PCI passthrough?

It isn't ideal as it opens up full access to the host sysfs. We have a kernel patch under development to support fine-grained sysfs security labeling which would allow libvirtd to relabel the particular sysfs nodes to be accessible only to the particular guest. The same would be needed for usbfs.
Okay, confirmed it works with virt_manage_sysfs.

I'm going to close this bug since virt_manage_sysfs is the best we can do for now.

  * Tue May 5 2009 Dan Walsh <dwalsh> 3.6.12-29
  - Allow svirt to manage pci and other sysfs device data