As discussed with Cole on IRC, in current F13, virt-manager cannot launch a VM with a host USB device attached to it if SELinux is set to enforcing. Cole pointed out there's an sebool for this - virt_use_usb - but system-config-selinux shows that bool already checked. The denial messages from /var/log/messages:

Mar 22 11:21:38 adam kernel: type=1400 audit(1269282098.531:28800): avc: denied { read } for pid=3531 comm="qemu-kvm" name="usb1" dev=sysfs ino=9533 scontext=system_u:system_r:svirt_t:s0:c397,c889 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file
Mar 22 11:21:38 adam kernel: type=1400 audit(1269282098.531:28801): avc: denied { read } for pid=3531 comm="qemu-kvm" name="devnum" dev=sysfs ino=9523 scontext=system_u:system_r:svirt_t:s0:c397,c889 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
Mar 22 11:21:38 adam kernel: type=1400 audit(1269282098.531:28802): avc: denied { open } for pid=3531 comm="qemu-kvm" name="devnum" dev=sysfs ino=9523 scontext=system_u:system_r:svirt_t:s0:c397,c889 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
Mar 22 11:21:38 adam kernel: type=1400 audit(1269282098.531:28803): avc: denied { getattr } for pid=3531 comm="qemu-kvm" path="/sys/devices/pci0000:00/0000:00:1a.7/usb1/devnum" dev=sysfs ino=9523 scontext=system_u:system_r:svirt_t:s0:c397,c889 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
Mar 22 11:21:38 adam kernel: type=1400 audit(1269282098.537:28804): avc: denied { read write } for pid=3531 comm="qemu-kvm" name="002" dev=devtmpfs ino=223009 scontext=system_u:system_r:svirt_t:s0:c397,c889 tcontext=system_u:object_r:svirt_image_t:s0:c397,c889 tclass=chr_file
Mar 22 11:21:38 adam kernel: type=1400 audit(1269282098.537:28805): avc: denied { open } for pid=3531 comm="qemu-kvm" name="002" dev=devtmpfs ino=223009 scontext=system_u:system_r:svirt_t:s0:c397,c889 tcontext=system_u:object_r:svirt_image_t:s0:c397,c889 tclass=chr_file

http://fpaste.org/qAU6/
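An added triage helper, not part of this bug report, that parses AVC denial lines in the format quoted above and sorts them the way the discussion below does: sysfs_t targets point at the virt_use_sysfs boolean, while a svirt_image_t chr_file denial whose MCS categories already match the VM's is a policy gap rather than a labelling problem. The sample log is constructed from two of the denials above plus an unrelated kernel line; the verdict strings are this example's own names.

```python
import re
# Constructed sample in the AVC format quoted above: two of the denials plus an
# unrelated kernel line that the parser must skip.
SAMPLE_LOG = """\
Mar 22 11:21:38 adam kernel: type=1400 audit(1269282098.531:28801): avc: denied { read } for pid=3531 comm="qemu-kvm" name="devnum" dev=sysfs ino=9523 scontext=system_u:system_r:svirt_t:s0:c397,c889 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
Mar 22 11:21:38 adam kernel: type=1400 audit(1269282098.537:28804): avc: denied { read write } for pid=3531 comm="qemu-kvm" name="002" dev=devtmpfs ino=223009 scontext=system_u:system_r:svirt_t:s0:c397,c889 tcontext=system_u:object_r:svirt_image_t:s0:c397,c889 tclass=chr_file
Mar 22 11:21:39 adam kernel: usb 1-1: new high speed USB device
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def split_context(ctx):
    """user:role:type:level -> dict; the MCS level part itself contains ':'."""
    user, role, stype, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": stype, "level": level}

def parse_avc(line):
    """Parse one AVC denial line into a dict, or return None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: q if q else u for k, q, u in FIELD_RE.findall(m.group("rest"))}
    return {"perms": m.group("perms").split(), "tclass": fields.get("tclass"),
            "source": split_context(fields["scontext"]),
            "target": split_context(fields["tcontext"])}

def triage(d):
    """Map a denial to the remedy this bug discusses: a boolean or a policy fix."""
    if d["source"]["type"] != "svirt_t":
        return "not-a-svirt-denial"
    if d["target"]["type"] == "sysfs_t":
        return "virt_use_sysfs"  # boolean granting svirt_t read access to sysfs
    if d["target"]["type"] == "svirt_image_t" and d["tclass"] == "chr_file":
        # Equal MCS levels: libvirt labelled this node for the VM, so a policy gap.
        if d["source"]["level"] == d["target"]["level"]:
            return "policy-fix"
        return "mcs-mismatch"
    return "unknown"

def triage_log(text):
    """Return (tclass, perms, verdict) for every AVC denial in the log text."""
    out = []
    for line in text.splitlines():
        d = parse_avc(line)
        if d:
            out.append((d["tclass"], " ".join(d["perms"]), triage(d)))
    return out
```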
You need virt_use_sysfs for some of these. svirt_image_t:chr_file access fixed in selinux-policy-3.7.15-4.fc13.noarch. Miroslav, these fixes need to be backported into F12.
Fixed in selinux-policy-3.6.32-106.fc12
selinux-policy-3.7.15-4.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/selinux-policy-3.7.15-4.fc13
"You need virt_use_sysfs for some of these." I would argue, in that case, that virt_use_usb should imply virt_use_sysfs, or something similar. The description of virt_use_usb just says "Allow virt to use usb devices"; it seems fairly reasonable for the user to think that enabling virt_use_usb is what is necessary to use USB devices in libvirt. It's something of a large leap of intuition to realize you should also enable virt_use_sysfs. Do you agree? If so, who should I report that to? I'll test the update soon. -- Fedora Bugzappers volunteer triage team https://fedoraproject.org/wiki/BugZappers
selinux-policy-3.7.15-4.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.15-4.fc13
Oddly, after installing this update and a few others and rebooting, I couldn't get the VM to see the USB device at all, whatever I set SELinux to. I'll try it again later and see if it was just a one-off.
I actually would like to get rid of the virt_use booleans since one or both of these came into being before the kernel/libvirt supported labeling on usb/sysfs.
Daniel, What do you think?
After a reboot, I'm able to see the host USB device in the VM even with SELinux set to enforcing, if both bools are checked. If I uncheck the sysfs bool and restart libvirtd, the VM starts up but does not see the host USB device. -- Fedora Bugzappers volunteer triage team https://fedoraproject.org/wiki/BugZappers
Ok, I am going to eliminate virt_use_sysfs and add the access to virt_use_usb, since this is what the admin would suspect.

tunable_policy(`virt_use_usb',`
	dev_rw_usbfs(svirt_t)
	dev_read_sysfs(svirt_t)
	fs_manage_dos_dirs(svirt_t)
	fs_manage_dos_files(svirt_t)
')

So the question I have is whether we still need dev_rw_usbfs(svirt_t), which allows the confined virtual machine to read/write files on usbfs and usbdevfs.
libvirt will explicitly label all USB devices with the MCS label associated with the VM, so I agree there should be no need to allow blanket access to host USB devices any more. The file we label is /dev/usb/NNN/MMM for the matching bus/dev addr. We do the same for PCI devices, but this time in sysfs.
Fixed in selinux-policy-3.7.16-1.fc13.noarch
selinux-policy-3.7.15-4.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.