On 02/17/2016 06:45 PM, Robert Nichols wrote:
> On 02/15/2016 12:25 PM, Robert Nichols wrote:
>> On 02/15/2016 10:03 AM, Miroslav Grepl wrote:
>>> On 02/14/2016 01:43 AM, Robert Nichols wrote:
>>>> In CentOS 6.7 with Windows 7 running in a QEMU/KVM virtual machine,
>>>> when I power-on a printer that the Windows VM uses via networking
>>>> I get the below AVC alert. Anyone have any idea what is going on?
>>>> I haven't noticed anything not working.
>>>>
>>>
>>> Is it a USB printer?
>>
>> The host is using a USB connection with CUPS. The printer also has a
>> network interface, and I let Windows machines (both real and VM) use
>> it directly via the network rather than setting up Samba print sharing.
>
> I find I get this alert even on a fresh boot of the host with no VMs
> and no virt-manager running. Only the libvirtd service is running.
> Looking up the reported inode number, I find /dev/bus/usb/003/002:
>
Could you open a new bug against libvirt? It should be relabaled back to
the default label if there are no running VMs.
Thank you.
> # ls -Z /dev/bus/usb/003/002
> crw-rw-r--. qemu qemu system_u:object_r:svirt_image_t:s0:c68,c582
> /dev/bus/usb/003/002
> # lsof /dev/bus/usb/003/002
> COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
> qemu-kvm 4370 qemu 28u CHR 189,257 0t271 10937 /dev/bus/usb/003/002
>
> If there are no other suggestions, I'm going to DONTAUDIT this to get
> it out of my hair.
>
>>>> SELinux is preventing /lib/udev/udev-configure-printer from read access
>>>> on the chr_file 003.
>>>>
>>>> ***** Plugin catchall (100. confidence) suggests
>>>> ***************************
>>>>
>>>> If you believe that udev-configure-printer should be allowed read
>>>> access
>>>> on the 003 chr_file by default.
>>>> Then you should report this as a bug.
>>>> You can generate a local policy module to allow this access.
>>>> Do
>>>> allow this access for now by executing:
>>>> # grep udev-configure- /var/log/audit/audit.log | audit2allow -M mypol
>>>> # semodule -i mypol.pp
>>>>
>>>> Additional Information:
>>>> Source Context system_u:system_r:cupsd_config_t:s0-s0:c0.c1023
>>>> Target Context
>>>> system_u:object_r:svirt_image_t:s0:c255,c554
>>>> Target Objects 003 [ chr_file ]
>>>> Source udev-configure-
>>>> Source Path /lib/udev/udev-configure-printer
>>>> Port <Unknown>
>>>> Host omega-3g.local
>>>> Source RPM Packages system-config-printer-udev-1.1.16-25.el6.x86_64
>>>> Target RPM Packages
>>>> Policy RPM selinux-policy-3.7.19-279.el6_7.8.noarch
>>>> Selinux Enabled True
>>>> Policy Type targeted
>>>> Enforcing Mode Enforcing
>>>> Host Name omega-3g.local
>>>> Platform Linux omega-3g.local
>>>> 3.18.21-16.el6.x86_64
>>>> #1 SMP
>>>> Sat Sep 26 01:24:19 UTC 2015 x86_64
>>>> x86_64
>>>> Alert Count 1
>>>> First Seen Sat 13 Feb 2016 06:18:29 PM CST
>>>> Last Seen Sat 13 Feb 2016 06:18:29 PM CST
>>>> Local ID c3c9d30e-0835-4402-b342-acddd26e1686
>>>>
>>>> Raw Audit Messages
>>>> type=AVC msg=audit(1455409109.607:29449): avc: denied { read } for
>>>> pid=32326 comm="udev-configure-" name="003" dev="devtmpfs" ino=2706
>>>> scontext=system_u:system_r:cupsd_config_t:s0-s0:c0.c1023
>>>> tcontext=system_u:object_r:svirt_image_t:s0:c255,c554 tclass=chr_file
>>>> permissive=0
>>>>
>>>>
>>>> type=SYSCALL msg=audit(1455409109.607:29449): arch=x86_64 syscall=open
>>>> success=no exit=EACCES a0=7ffe1bd16eb0 a1=0 a2=d a3=0 items=0 ppid=1
>>>> pid=32326 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>>> sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=udev-configure-
>>>> exe=/lib/udev/udev-configure-printer
>>>> subj=system_u:system_r:cupsd_config_t:s0-s0:c0.c1023 key=(null)
>>>>
>>>> Hash: udev-configure-,cupsd_config_t,svirt_image_t,chr_file,read
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx
