Summary:

SELinux is preventing /usr/bin/qemu "read write" access on 007.

Detailed Description:

SELinux denied access requested by qemu. It is not expected that this access is required by qemu and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                system_u:system_r:svirt_t:s0:c358,c541
Target Context                system_u:object_r:usb_device_t:s0
Target Objects                007 [ chr_file ]
Source                        qemu
Source Path                   /usr/bin/qemu
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           qemu-system-x86-0.11.0-13.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-92.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux home-yahoo 2.6.32.9-70.fc12.x86_64 #1 SMP Wed Mar 3 04:40:41 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 10 Mar 2010 03:03:57 PM PST
Last Seen                     Wed 10 Mar 2010 03:03:57 PM PST
Local ID                      ec92fde6-3374-4625-998d-6b2e9c455fac
Line Numbers

Raw Audit Messages

node=home-yahoo type=AVC msg=audit(1268262237.93:26553): avc: denied { read write } for pid=2040 comm="qemu" name="007" dev=devtmpfs ino=1364656 scontext=system_u:system_r:svirt_t:s0:c358,c541 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file

node=home-yahoo type=SYSCALL msg=audit(1268262237.93:26553): arch=c000003e syscall=2 success=no exit=-13 a0=7fffac9ca460 a1=802 a2=7fffac9ca474 a3=fffffff4 items=0 ppid=1 pid=2040 auid=500 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=1 comm="qemu" exe="/usr/bin/qemu" subj=system_u:system_r:svirt_t:s0:c358,c541 key=(null)

Hash String generated from catchall,qemu,svirt_t,usb_device_t,chr_file,read,write

audit2allow suggests:

#============= svirt_t ==============
allow svirt_t usb_device_t:chr_file { read write };
Is this a case of libvirt failing to label the USB device, or could it be udev coming in after the fact and labeling it back?
Please provide the libvirt RPM version info, and also 'virsh dumpxml $GUESTNAME' and /var/log/libvirt/$GUEST.log

Dan, this is most likely just a limitation of libvirt in F12 not being able to label certain types of devices correctly. The guest XML should confirm. This will be addressed in F13 regardless.
libvirt --> libvirt-0.7.1-15.fc12.x86_64
Created attachment 400310: Output of sudo virsh dumpxml Fedora12
Created attachment 400311: /var/log/libvirt/qemu/ Logfile
Hmm, the guest XML doesn't show it for some reason, but the log file indicates you were trying to pass a host PCI device to the guest:

LC_ALL=C PATH=/sbin:/usr/sbin:/bin:/usr/bin QEMU_AUDIO_DRV=none /usr/bin/qemu-kvm -S -M pc-0.11 -m 2048 -smp 2 -name Fedora12 -uuid 04b21a08-80ca-016d-c641-8ad0db220460 -monitor unix:/var/lib/libvirt/qemu/Fedora12.monitor,server,nowait -boot c -drive file=/var/lib/libvirt/images/Fedora12.img,if=virtio,index=0,boot=on,format=raw -drive file=,if=ide,media=cdrom,index=2 -net nic,macaddr=52:54:00:7b:b6:f3,vlan=0,model=virtio,name=virtio.0 -net tap,fd=22,vlan=0,name=tap.0 -serial pty -parallel none -usb -usbdevice tablet -vnc 127.0.0.1:0 -k en-us -vga cirrus -soundhw es1370 -pcidevice host=15:00.1

And the selinux trace references a USB issue.

Sean, can you make sure you are attaching the correct XML and logfile? Did you attempt to attach a USB device through virt-manager, then start the guest which caused this issue?
Yep. I attempted to add the PCI device which corresponded to my USB controller. Related bug also filed: https://bugzilla.redhat.com/show_bug.cgi?id=573850
*** This bug has been marked as a duplicate of bug 504444 ***