Bug 751725 - virsh detach-device does not change owner and selinux label of USB device if device managed
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libvirt
Version: 6.2
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: rc
Assignee: Michal Privoznik
QA Contact: Virtualization Bugs
Reported: 2011-11-07 11:08 UTC by Miroslav Vadkerti
Modified: 2012-06-20 06:36 UTC (History)

Fixed In Version: libvirt-0.9.9-1.el6
Doc Type: Bug Fix
Last Closed: 2012-06-20 06:36:17 UTC
Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2012:0748 0 normal SHIPPED_LIVE Low: libvirt security, bug fix, and enhancement update 2012-06-19 19:31:38 UTC

Description Miroslav Vadkerti 2011-11-07 11:08:29 UTC
Description of problem:
After virsh detach-device the owner and selinux label of USB device is not transitioned back to the host system if the device has managed=yes set. I'm attaching the reproducer.

# ./virsh-detach-usb 
+ Printing usb device details before test
crw-rw-r--. root root system_u:object_r:usb_device_t:SystemLow /dev/bus/usb/003/002
+ Creating image for guest
1+0 records in
1+0 records out
1048576 bytes (1.0 MB) copied, 0.00320035 s, 328 MB/s
+ Creating VM xml with given usb device
+ Starting VM
Domain guest1-dynamic created from guest1.xml

+ Printing usb device details
crw-rw-r--. qemu qemu system_u:object_r:svirt_image_t:s0:c273,c627 /dev/bus/usb/003/002
+ Detaching USB device
Device detached successfully

+ Stopping VM
Domain guest1-dynamic destroyed

+ Printing usb device details after detach and destroy
crw-rw-r--. qemu qemu system_u:object_r:svirt_image_t:s0:c273,c627 /dev/bus/usb/003/002
+ Cleanup

Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1. use the attached reproducer
  
Actual results:
usb device has owner/selinux label set to virtual machine

Expected results:
usb device has owner/selinux label set to host machine

Additional info:
Please note that if I do only virsh-destroy the device is transitioned back

Comment 2 Osier Yang 2011-11-09 03:18:32 UTC
This might be a DUPLICATE of https://bugzilla.redhat.com/show_bug.cgi?id=730930, as "managed" is just meaningless for USB devices currently; it's supported in XML,
but there is no code for it actually.

Comment 4 Alex Jia 2011-11-11 09:22:22 UTC
There are 2 issues in here:
1. As Osier said, need "managed" mode support for host usb device,
otherwise, can't return this USB to host with managed='yes' after 
shutting down guest.

2. The other is that libvirt needs to do some cleanup work and should 
make sure the detached USB device has its original permission and 
SELinux context if libvirt has ever modified them.

Of course, also merge the above 2 into 1 as an RFE such as bug 730930.

Comment 5 Michal Privoznik 2011-12-16 15:22:05 UTC
commit 13d5a6b83d5252ce323889022e142e797a96d89c
Author:     Michal Privoznik <mprivozn>
AuthorDate: Thu Dec 15 17:51:56 2011 +0100
Commit:     Michal Privoznik <mprivozn>
CommitDate: Fri Dec 16 11:53:03 2011 +0100

    qemu: Don't drop hostdev config until security label restore
    
    Currently, on device detach, we parse given XML, find the device
    in domain object, free it and try to restore security labels.
    However, in some cases (e.g. usb hostdev) parsed XML contains
    less information than freed device. In usb case it is bus & device
    IDs. These are needed during label restoring as a symlink into
    /dev/bus is generated from them. Therefore don't drop device
    configuration until security labels are restored.

v0.9.8-56-g13d5a6b

Comment 7 weizhang 2012-01-10 08:17:53 UTC
verify pass on
libvirt-0.9.9-1.el6.x86_64
kernel-2.6.32-225.el6.x86_64
qemu-kvm-0.12.1.2-2.213.el6.x86_64


#ls -Z /dev/bus/usb/002/003
crw-rw-r--. root root system_u:object_r:usb_device_t:s0 /dev/bus/usb/002/003

# virsh attach-device kvm-rhel6u2-x86_64-new usb.xml 
Device attached successfully

# ls -Z /dev/bus/usb/002/003
crw-rw-r--. qemu qemu system_u:object_r:svirt_image_t:s0:c98,c194 /dev/bus/usb/002/003

# virsh detach-device kvm-rhel6u2-x86_64-new usb.xml
Device detached successfully

# virsh destroy kvm-rhel6u2-x86_64-new
Domain kvm-rhel6u2-x86_64-new destroyed

# ls -Z /dev/bus/usb/002/003
crw-rw-r--. root root system_u:object_r:usb_device_t:s0 /dev/bus/usb/002/003
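
Added example (not part of the original bug report and not libvirt code): the manual before/after ls -Z comparison used in this report, written as a script that flags USB device nodes still owned by or labelled for a guest. The function and variable names are hypothetical; the expected host values (root:root, usb_device_t) and the sample lines are taken from the output quoted in this report.

```shell
#!/bin/bash
# Added example, not part of the bug report or of libvirt.
# Flags USB device nodes that still carry a guest's owner or sVirt label.
# Expects the five-column `ls -Z` layout shown in this report:
#   mode user group context path

# Expected host-side values, taken from the "before" lines in this report.
HOST_OWNER="${HOST_OWNER:-root}"
HOST_GROUP="${HOST_GROUP:-root}"
HOST_TYPE="${HOST_TYPE:-usb_device_t}"

# Reads `ls -Z` lines on stdin and prints "path: reason,reason" for every
# character device that differs from the host values. Returns 1 if any differ.
audit_usb_labels() {
    awk -v owner="$HOST_OWNER" -v group="$HOST_GROUP" -v type="$HOST_TYPE" '
        NF < 5 || $1 !~ /^c/ { next }     # skip anything that is not a char device line
        {
            n = split($4, ctx, ":")        # user:role:type:level[:categories]
            why = ""
            if ($2 != owner || $3 != group) why = why ",owner=" $2 ":" $3
            if (ctx[3] != type)             why = why ",type=" ctx[3]
            if (n >= 5)                     why = why ",mcs=" ctx[5]
            if (why != "") { print $5 ": " substr(why, 2); bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Lines copied from this report: the node after detach + destroy on the
# affected build, and the same check on libvirt-0.9.9-1.el6.
sample_affected() {
    echo 'crw-rw-r--. qemu qemu system_u:object_r:svirt_image_t:s0:c273,c627 /dev/bus/usb/003/002'
}
sample_fixed() {
    echo 'crw-rw-r--. root root system_u:object_r:usb_device_t:s0 /dev/bus/usb/002/003'
}

# Demo run over both samples; only the affected node is reported.
{ sample_affected; sample_fixed; } | audit_usb_labels || echo "stale guest label found"
```

On a live host, pipe the output of ls -Z /dev/bus/usb/*/* into audit_usb_labels after detaching devices, assuming that host's ls prints the five-column layout shown in this report.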

Comment 9 errata-xmlrpc 2012-06-20 06:36:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0748.html

