I have a Fedora 10 x86_64 host running a Fedora 10 x86_64 guest under KVM. I want to be able to plug a USB flash drive in and have the guest able to read and write to that device. According to the libvirt.org XML format suggestions, the way to do that is with a <hostdev> container. Here is how I added it to the xml for my guest machine. Note that this doesn't mean I added it correctly, though:

    <domain type='kvm'>
      <name>fedora10x64</name>
      <uuid>33e7e731-4e18-dd90-222e-b1df83a76cad</uuid>
      <memory>2097152</memory>
      <currentMemory>2097152</currentMemory>
      <vcpu>1</vcpu>
      <os>
        <type arch='x86_64' machine='pc'>hvm</type>
        <boot dev='hd'/>
      </os>
      <features>
        <acpi/>
        <apic/>
        <pae/>
      </features>
      <clock offset="localtime"/>
      <on_poweroff>destroy</on_poweroff>
      <on_reboot>restart</on_reboot>
      <on_crash>restart</on_crash>
      <devices>
        <emulator>/usr/bin/qemu-kvm</emulator>
        <disk type='file' device='disk'>
          <source file='/var/lib/libvirt/images/fedora10x64.img'/>
          <target dev='vda' bus='virtio'/>
        </disk>
        <interface type='bridge'>
          <source bridge='br0'/>
        </interface>
        <serial type='pty'>
          <target port='0'/>
        </serial>
        <console type='pty'>
          <target port='0'/>
        </console>
        <hostdev mode='subsystem' type='usb'>
          <source>
            <vendor id='0x12f7'/>
            <product id='0x1a00'/>
          </source>
        </hostdev>
        <input type='mouse' bus='ps2'/>
        <graphics type='vnc' port='-1' autoport='yes' keymap='en-us'/>
        <sound model='es1370'/>
      </devices>
    </domain>

When I launch Virtual Machine Manager, open the Fedora 10 guest, and click the Run button, I get an immediate AVC denied message.

    Dec 20 13:54:45 deafeng3 setroubleshoot: SELinux is preventing qemu (qemu-kvm) "read" to ./devices (usbfs_t). For complete SELinux messages. run sealert -l 33327e80-28c3-460a-a759-dfae737c863b

Here are the `sealert` details:

    [root@deafeng3 qemu]# sealert -l 33327e80-28c3-460a-a759-dfae737c863b

    Summary:

    SELinux is preventing qemu (qemu-kvm) "read" to ./devices (usbfs_t).

    Detailed Description:

    SELinux denied qemu access to ./devices. If this is a virtualization image, it
    has to have a file context label of virt_image_t. The system is setup to label
    image files in directory./var/lib/libvirt/images correctly. We recommend that
    you copy your image file to /var/lib/libvirt/images. If you really want to have
    your qemu image files in the current directory, you can relabel ./devices to be
    virt_image_t using chcon. You also need to execute semanage fcontext -a -t
    virt_image_t './devices' to add this new path to the system defaults. If you
    did not intend to use ./devices as a qemu image it could indicate either a bug
    or an intrusion attempt.

    Allowing Access:

    You can alter the file context by executing chcon -t virt_image_t './devices'
    You must also change the default file context files on the system in order to
    preserve them even on a full relabel. "semanage fcontext -a -t virt_image_t
    './devices'"

    Fix Command:

    chcon -t virt_image_t './devices'

    Additional Information:

    Source Context                system_u:system_r:qemu_t:s0
    Target Context                system_u:object_r:usbfs_t:s0
    Target Objects                ./devices [ file ]
    Source                        qemu-kvm
    Source Path                   /usr/bin/qemu-kvm
    Port                          <Unknown>
    Host                          deafeng3.signtype.info
    Source RPM Packages           kvm-74-6.fc10
    Target RPM Packages
    Policy RPM                    selinux-policy-3.5.13-34.fc10
    Selinux Enabled               True
    Policy Type                   targeted
    MLS Enabled                   True
    Enforcing Mode                Enforcing
    Plugin Name                   qemu_file_image
    Host Name                     deafeng3.signtype.info
    Platform                      Linux deafeng3.signtype.info 2.6.27.7-134.fc10.x86_64 #1 SMP Mon Dec 1 22:21:35 EST 2008 x86_64 x86_64
    Alert Count                   3
    First Seen                    Fri Dec 19 11:01:52 2008
    Last Seen                     Sat Dec 20 13:54:45 2008
    Local ID                      33327e80-28c3-460a-a759-dfae737c863b
    Line Numbers

    Raw Audit Messages

    node=deafeng3.signtype.info type=AVC msg=audit(1229799285.706:69): avc: denied { read } for pid=4276 comm="qemu-kvm" name="devices" dev=usbfs ino=341 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:usbfs_t:s0 tclass=file

    node=deafeng3.signtype.info type=SYSCALL msg=audit(1229799285.706:69): arch=c000003e syscall=2 success=no exit=-13 a0=54c733 a1=0 a2=1b6 a3=7fe48d8d16f0 items=0 ppid=2903 pid=4276 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:qemu_t:s0 key=(null)

Is there a way to fix this so I can have my Fedora 10 guest read and write to USB devices?

Thanks

Bob Cochran

--
Fedora-xen mailing list
Fedora-xen@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-xen
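
An added example, not part of the original message: a small Python parser for the raw AVC record quoted above. It extracts the source and target types, the object class and the denied permissions, and renders the denial in the `allow` rule form that audit2allow prints, which is the quickest way to see exactly which type-enforcement access was refused. The function names are this example's own.

```python
import re

# AVC record copied from the message above.
AVC_LINE = (
    'node=deafeng3.signtype.info type=AVC msg=audit(1229799285.706:69): '
    'avc: denied { read } for pid=4276 comm="qemu-kvm" name="devices" '
    'dev=usbfs ino=341 scontext=system_u:system_r:qemu_t:s0 '
    'tcontext=system_u:object_r:usbfs_t:s0 tclass=file'
)

_AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type field of a user:role:type[:level] SELinux context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % context)
    return parts[2]


def parse_avc(line):
    """Return a dict describing one AVC record, or None if the line is not one."""
    m = _AVC_RE.search(line)
    if m is None:
        return None
    perms = m.group(2).split()
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group(3))}
    if not perms or not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {
        "result": m.group(1),
        "perms": perms,
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "dev": fields.get("dev"),
        "source_type": context_type(fields["scontext"]),
        "target_type": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def te_rule(avc):
    """Render the denial as the allow rule it corresponds to (audit2allow style)."""
    perms = avc["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (
        avc["source_type"], avc["target_type"], avc["tclass"], perm_text)
```

For the record in this message, `te_rule(parse_avc(AVC_LINE))` names `qemu_t` reading a `file` object of type `usbfs_t` on the `usbfs` filesystem.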