On 02/23/2016 04:00 AM, Robert Nichols wrote:
> On 02/18/2016 07:30 AM, Miroslav Grepl wrote:
>> On 02/17/2016 06:45 PM, Robert Nichols wrote:
>>> On 02/15/2016 12:25 PM, Robert Nichols wrote:
>>>> On 02/15/2016 10:03 AM, Miroslav Grepl wrote:
>>>>> On 02/14/2016 01:43 AM, Robert Nichols wrote:
>>>>>> In CentOS 6.7 with Windows 7 running in a QEMU/KVM virtual machine,
>>>>>> when I power on a printer that the Windows VM uses via networking
>>>>>> I get the below AVC alert. Anyone have any idea what is going on?
>>>>>> I haven't noticed anything not working.
>>>>>>
>>>>>
>>>>> Is it a USB printer?
>>>>
>>>> The host is using a USB connection with CUPS. The printer also has a
>>>> network interface, and I let Windows machines (both real and VM) use
>>>> it directly via the network rather than setting up Samba print sharing.
>>>
>>> I find I get this alert even on a fresh boot of the host with no VMs
>>> and no virt-manager running. Only the libvirtd service is running.
>>> Looking up the reported inode number, I find /dev/bus/usb/003/002:
>>>
>>
>> Could you open a new bug against libvirt? It should be relabeled back to
>> the default label if there are no running VMs.
>
> It turns out that's not the issue. I must have been mistaken when I said
> the AVC denial occurred with no VMs running. I only see the problem when
> a VM _is_ running. The USB device is not a printer, but a USB sound
> device that I use with VMs because I've never been able to get sound
> passthrough to the host's pulseaudio working. It appears that
> udev-configure-printer tries to examine all USB devices when I turn on a
> printer, and I get the SELinux denials for any USB device that is in
> use by a VM. I'm reluctant to DONTAUDIT this out of fear that one day
> it will be hiding something I would need to see to identify a problem,
> but it looks like that's my only choice other than mentally ignoring
> the alerts.
>
> Actually, any pointers to getting audio passthrough to the host's
> pulseaudio from a QEMU/KVM VM using a Spice connection would be
> appreciated. The pulseaudio developers are strongly opposed to
> letting anything except the current X session use the audio.
>

I would ask virtual folks.

>>> # ls -Z /dev/bus/usb/003/002
>>> crw-rw-r--. qemu qemu system_u:object_r:svirt_image_t:s0:c68,c582 /dev/bus/usb/003/002
>>> # lsof /dev/bus/usb/003/002
>>> COMMAND   PID  USER FD  TYPE DEVICE  SIZE/OFF NODE  NAME
>>> qemu-kvm  4370 qemu 28u CHR  189,257 0t271    10937 /dev/bus/usb/003/002
>>>
>>> If there are no other suggestions, I'm going to DONTAUDIT this to get
>>> it out of my hair.
>>>
>>>>>> SELinux is preventing /lib/udev/udev-configure-printer from read access
>>>>>> on the chr_file 003.
>>>>>>
>>>>>> ***** Plugin catchall (100. confidence) suggests ***************************
>>>>>>
>>>>>> If you believe that udev-configure-printer should be allowed read access
>>>>>> on the 003 chr_file by default.
>>>>>> Then you should report this as a bug.
>>>>>> You can generate a local policy module to allow this access.
>>>>>> Do allow this access for now by executing:
>>>>>> # grep udev-configure- /var/log/audit/audit.log | audit2allow -M mypol
>>>>>> # semodule -i mypol.pp
>>>>>>
>>>>>> Additional Information:
>>>>>> Source Context        system_u:system_r:cupsd_config_t:s0-s0:c0.c1023
>>>>>> Target Context        system_u:object_r:svirt_image_t:s0:c255,c554
>>>>>> Target Objects        003 [ chr_file ]
>>>>>> Source                udev-configure-
>>>>>> Source Path           /lib/udev/udev-configure-printer
>>>>>> Port                  <Unknown>
>>>>>> Host                  omega-3g.local
>>>>>> Source RPM Packages   system-config-printer-udev-1.1.16-25.el6.x86_64
>>>>>> Target RPM Packages
>>>>>> Policy RPM            selinux-policy-3.7.19-279.el6_7.8.noarch
>>>>>> Selinux Enabled       True
>>>>>> Policy Type           targeted
>>>>>> Enforcing Mode        Enforcing
>>>>>> Host Name             omega-3g.local
>>>>>> Platform              Linux omega-3g.local 3.18.21-16.el6.x86_64 #1 SMP Sat Sep 26 01:24:19 UTC 2015 x86_64 x86_64
>>>>>> Alert Count           1
>>>>>> First Seen            Sat 13 Feb 2016 06:18:29 PM CST
>>>>>> Last Seen             Sat 13 Feb 2016 06:18:29 PM CST
>>>>>> Local ID              c3c9d30e-0835-4402-b342-acddd26e1686
>>>>>>
>>>>>> Raw Audit Messages
>>>>>> type=AVC msg=audit(1455409109.607:29449): avc: denied { read } for pid=32326 comm="udev-configure-" name="003" dev="devtmpfs" ino=2706 scontext=system_u:system_r:cupsd_config_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_image_t:s0:c255,c554 tclass=chr_file permissive=0
>>>>>>
>>>>>>
>>>>>> type=SYSCALL msg=audit(1455409109.607:29449): arch=x86_64 syscall=open success=no exit=EACCES a0=7ffe1bd16eb0 a1=0 a2=d a3=0 items=0 ppid=1 pid=32326 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=udev-configure- exe=/lib/udev/udev-configure-printer subj=system_u:system_r:cupsd_config_t:s0-s0:c0.c1023 key=(null)
>>>>>>
>>>>>> Hash: udev-configure-,cupsd_config_t,svirt_image_t,chr_file,read
>
>

--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx
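Editor's added example (not part of the thread above, and not code from libvirt, setroubleshoot or audit2allow): a small Python parser for the raw AVC line quoted in the thread. It pulls the permission, source type, target type and object class out of a denial, renders the TE rule that `audit2allow` would emit for it (and the `dontaudit` form that `audit2allow -D` produces), and flags denials whose target is `svirt_image_t`, the label libvirt puts on devices handed to a running VM. The sample line is the thread's own AVC message, joined onto one line; `VM_OWNED_TYPES` and the classification names are assumptions of this example.

```python
import re

# Constructed sample: the raw AVC line quoted in the thread, joined onto one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1455409109.607:29449): avc: denied { read } for '
    'pid=32326 comm="udev-configure-" name="003" dev="devtmpfs" ino=2706 '
    'scontext=system_u:system_r:cupsd_config_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:svirt_image_t:s0:c255,c554 tclass=chr_file '
    'permissive=0'
)

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Assumption of this example: object types whose owner is a running VM.
# A denial against one of these is the per-VM relabelling discussed in the thread,
# not a mislabelled host file.
VM_OWNED_TYPES = {'svirt_image_t'}


def _type_of(context):
    """A security context is user:role:type[:range]; the type is the third field."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one AVC denial line; returns None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(m.group('fields')):
        fields[key] = quoted if raw.startswith('"') else raw
    return {
        'perms': m.group('perms').split(),
        'stype': _type_of(fields['scontext']),
        'ttype': _type_of(fields['tcontext']),
        'tclass': fields['tclass'],
        'fields': fields,
    }


def te_rule(avc, dontaudit=False):
    """Render the TE rule for a parsed denial: allow by default, dontaudit on request.

    TE rules are written on types only; the MCS categories (c255,c554 here) that
    differ from one VM start to the next never appear in the rule, which is why a
    dontaudit on these types silences the denial for every VM-owned device.
    """
    kind = 'dontaudit' if dontaudit else 'allow'
    perms = avc['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"{kind} {avc['stype']} {avc['ttype']}:{avc['tclass']} {perm_str};"


def classify(avc):
    """Label a denial so a reader can see at a glance whether it touches VM-owned objects."""
    return 'vm-owned-device' if avc['ttype'] in VM_OWNED_TYPES else 'other'


def triage(lines):
    """Parse each audit line; return (classification, dontaudit rule) for every AVC denial found."""
    results = []
    for line in lines:
        avc = parse_avc(line)
        if avc is not None:
            results.append((classify(avc), te_rule(avc, dontaudit=True)))
    return results


if __name__ == '__main__':
    for label, rule in triage([SAMPLE_AVC]):
        print(label, rule)
```

Running it on the thread's denial prints `vm-owned-device dontaudit cupsd_config_t svirt_image_t:chr_file read;`. Because the rule carries no MCS categories, it covers every VM's devices, not just the one whose categories appear in the alert; that breadth is exactly the trade-off Robert weighs before choosing DONTAUDIT, and separating the VM-owned case from other `cupsd_config_t` denials before generating a module keeps the silenced set as small as the decision allows.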