Bug 751725 - virsh detach-device does not change owner and selinux label of USB device if device managed
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libvirt
Version: 6.2
Hardware: All Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Assigned To: Michal Privoznik
QA Contact: Virtualization Bugs
Reported: 2011-11-07 06:08 EST by Miroslav Vadkerti
Modified: 2012-06-20 02:36 EDT
Fixed In Version: libvirt-0.9.9-1.el6
Doc Type: Bug Fix
Last Closed: 2012-06-20 02:36:17 EDT
External Trackers
Tracker: Red Hat Product Errata; ID: RHSA-2012:0748; Priority: normal; Status: SHIPPED_LIVE; Summary: Low: libvirt security, bug fix, and enhancement update; Last Updated: 2012-06-19 15:31:38 EDT

Description Miroslav Vadkerti 2011-11-07 06:08:29 EST
Description of problem:
After virsh detach-device the owner and SELinux label of the USB device are not transitioned back to the host system if the device has managed=yes set. I'm attaching the reproducer.

# ./virsh-detach-usb 
+ Printing usb device details before test
crw-rw-r--. root root system_u:object_r:usb_device_t:SystemLow /dev/bus/usb/003/002
+ Creating image for guest
1+0 records in
1+0 records out
1048576 bytes (1.0 MB) copied, 0.00320035 s, 328 MB/s
+ Creating VM xml with given usb device
+ Starting VM
Domain guest1-dynamic created from guest1.xml

+ Printing usb device details
crw-rw-r--. qemu qemu system_u:object_r:svirt_image_t:s0:c273,c627 /dev/bus/usb/003/002
+ Detaching USB device
Device detached successfully

+ Stopping VM
Domain guest1-dynamic destroyed

+ Printing usb device details after detach and destroy
crw-rw-r--. qemu qemu system_u:object_r:svirt_image_t:s0:c273,c627 /dev/bus/usb/003/002
+ Cleanup

Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1. use the attached reproducer
  
Actual results:
usb device has owner/selinux label set to virtual machine

Expected results:
usb device has owner/selinux label set to host machine

Additional info:
Please note that if I do only virsh-destroy the device is transitioned back
Comment 2 Osier Yang 2011-11-08 22:18:32 EST
This might be a DUPLICATE of https://bugzilla.redhat.com/show_bug.cgi?id=730930, as "managed" is just meaningless for USB devices currently; it's supported in XML, but there is no code for it actually.
Comment 4 Alex Jia 2011-11-11 04:22:22 EST
There are 2 issues here:
1. As Osier said, "managed" mode support is needed for host USB devices;
otherwise, this USB device can't be returned to the host with managed='yes'
after shutting down the guest.

2. The other is that libvirt needs to do some cleanup work and should
make sure the detached USB device has its original permissions and
SELinux context if libvirt has ever modified them.

Of course, the above 2 can also be merged into 1 as an RFE, such as bug 730930.
Comment 5 Michal Privoznik 2011-12-16 10:22:05 EST
commit 13d5a6b83d5252ce323889022e142e797a96d89c
Author:     Michal Privoznik <mprivozn@redhat.com>
AuthorDate: Thu Dec 15 17:51:56 2011 +0100
Commit:     Michal Privoznik <mprivozn@redhat.com>
CommitDate: Fri Dec 16 11:53:03 2011 +0100

    qemu: Don't drop hostdev config until security label restore
    
    Currently, on device detach, we parse given XML, find the device
    in domain object, free it and try to restore security labels.
    However, in some cases (e.g. usb hostdev) parsed XML contains
    less information than freed device. In usb case it is bus & device
    IDs. These are needed during label restoring as a symlink into
    /dev/bus is generated from them. Therefore don't drop device
    configuration until security labels are restored.

v0.9.8-56-g13d5a6b
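
The ordering problem described in the commit message above, as a small C model added here; it is not libvirt source. The struct, the function names and the vendor/product IDs are hypothetical, and the model assumes the XML passed to detach identifies the device by vendor/product only, while bus and device numbers exist only in the stored configuration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the detach ordering; not libvirt source. */
struct usb_hostdev {
    unsigned vendor, product;  /* present in the XML given to detach */
    unsigned bus, device;      /* known only to the stored config; 0 = unknown */
};

static char node_label[32] = "svirt_image_t";  /* constructed stand-in for the node's label */

/* Label restore needs bus/device to build /dev/bus/usb/BBB/DDD. */
static int restore_label(const struct usb_hostdev *d, char *path, size_t n)
{
    if (d->bus == 0 || d->device == 0)
        return -1;                         /* no path: label left untouched */
    snprintf(path, n, "/dev/bus/usb/%03u/%03u", d->bus, d->device);
    strcpy(node_label, "usb_device_t");
    return 0;
}

/* Old order: drop the stored config, then restore from the parsed XML. */
int detach_old(struct usb_hostdev *stored, const struct usb_hostdev *xml,
               char *path, size_t n)
{
    memset(stored, 0, sizeof *stored);     /* models freeing the device */
    return restore_label(xml, path, n);
}

/* Fixed order: restore from the stored config, drop it afterwards. */
int detach_fixed(struct usb_hostdev *stored, const struct usb_hostdev *xml,
                 char *path, size_t n)
{
    int rc = restore_label(stored, path, n);
    (void)xml;                             /* only needed to look up `stored` */
    memset(stored, 0, sizeof *stored);
    return rc;
}

int main(void)
{
    struct usb_hostdev xml = { 0x1234, 0x5678, 0, 0 };     /* constructed IDs */
    struct usb_hostdev stored = { 0x1234, 0x5678, 3, 2 };
    char path[64] = "";
    printf("old:   rc=%d label=%s\n", detach_old(&stored, &xml, path, sizeof path), node_label);
    stored = (struct usb_hostdev){ 0x1234, 0x5678, 3, 2 };
    printf("fixed: rc=%d label=%s path=%s\n", detach_fixed(&stored, &xml, path, sizeof path), node_label, path);
    return 0;
}
```

In the old order the restore step has nothing to build a path from, so the node keeps the guest's label even though the detach itself succeeds, which matches the reproducer output in the description.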
Comment 7 weizhang 2012-01-10 03:17:53 EST
verify pass on
libvirt-0.9.9-1.el6.x86_64
kernel-2.6.32-225.el6.x86_64
qemu-kvm-0.12.1.2-2.213.el6.x86_64


#ls -Z /dev/bus/usb/002/003
crw-rw-r--. root root system_u:object_r:usb_device_t:s0 /dev/bus/usb/002/003

# virsh attach-device kvm-rhel6u2-x86_64-new usb.xml 
Device attached successfully

# ls -Z /dev/bus/usb/002/003
crw-rw-r--. qemu qemu system_u:object_r:svirt_image_t:s0:c98,c194 /dev/bus/usb/002/003

# virsh detach-device kvm-rhel6u2-x86_64-new usb.xml
Device detached successfully

# virsh destroy kvm-rhel6u2-x86_64-new
Domain kvm-rhel6u2-x86_64-new destroyed

# ls -Z /dev/bus/usb/002/003
crw-rw-r--. root root system_u:object_r:usb_device_t:s0 /dev/bus/usb/002/003
Comment 9 errata-xmlrpc 2012-06-20 02:36:17 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0748.html
