<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <style type="text/css" style="display:none;"></style> </head> <body dir="ltr"> <div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;" dir="ltr"> Hi Michael, Thanks for looking at the submission. I've made the proposed changes and can verify that the fix works. :) <div>There error has gone away with the container starting. Below is a snippet of the device node from the intermediate mount namespace that eventually ends up target container's mount namespace: <div>$ sudo nsenter -t 7397 -m # ls -laZ /var/run/libvirt/lxc/lxc_0.dev/bus/usb/001/002 crwx------. 1 root root system_u:object_r:svirt_sandbox_file_t:s0:c600,c910 189, 1 Jan 23 14:55 /var/run/libvirt/lxc/lxc_0.dev/bus/usb/001/002</div> </div> Thanks, Randy <div style="color: rgb(0, 0, 0);"> <hr style="display:inline-block;width:98%" tabindex="-1"> <div id="divRplyFwdMsg" dir="ltr">From: Michal Privoznik <mprivozn@redhat.com> Sent: Friday, January 19, 2018 11:19 AM To: Randy Aybar; libvir-list@redhat.com Subject: Re: [libvirt] Libvirt fails to apply security context to fd/node to USB device <div> </div> </div> <div class="BodyFragment"> <div class="PlainText">On 01/16/2018 07:20 PM, Randy Aybar wrote: > Hi, > > > I'm attempting to attach and expose a USB device (WiFi adapter for testing) to an LXC container with SELinux enabled. But when enabling the XML snippet, the container fails to start with this error: > > > 2018-01-12 19:24:31.914+0000: 2181: error : virSecuritySELinuxSetFileconHelper:1182 : unable to set security context 'system_u:object_r:svirt_sandbox_file_t:s0:c139,c284' on '//var/run/libvirt/lxc/lxc_0.dev/bus/usb//dev/bus/usb/002/002': No such file or directory > > Failure in libvirt_lxc startup: unable to set security context 'system_u:object_r:svirt_sandbox_file_t:s0:c139,c284' on '//var/run/libvirt/lxc/lxc_0.dev/bus/usb//dev/bus/usb/002/002': No such file or directory Yes, this is a libvirt bug. And your analysis is coorect. The problem is: 1) in virLXCControllerSetupHostdevSubsysUSB the first part of path is constructed: vroot = /var/run/libvirt/lxc/lxc_0.dev/bus/usb 2) then, virSecurityManagerSetHostdevLabel() is called, which subsequently calls virSecuritySELinuxSetHostdevSubsysLabel(). 3) The SELinuxSetHostdevSubsysLabel() calls virUSBDeviceNew(..,vroot) where vroot is the path from step 1). The virUSBDeviceNew then does: if (virAsprintf(&dev->path, "%s" USB_DEVFS "%03d/%03d", vroot ? vroot : "", dev->bus, dev->dev) < 0) { virUSBDeviceFree(dev); return NULL; } where USB_DEVFS is defined as: # define USB_DEVFS "/dev/bus/usb/" So in the end, dev->path contains the path that you're seeing. I think this the fix: diff --git a/src/util/virusb.c b/src/util/virusb.c index 6359235ff..99ee08657 100644 --- a/src/util/virusb.c +++ b/src/util/virusb.c @@ -343,9 +343,9 @@ virUSBDeviceNew(unsigned int bus, virUSBDeviceFree(dev); return NULL; } - if (virAsprintf(&dev->path, "%s" USB_DEVFS "%03d/%03d", - vroot ? vroot : "", - dev->bus, dev->dev) < 0) { + + if ((vroot && virAsprintf(&dev->path, "%s/%03d/%03d", vroot, dev->bus, dev->dev) < 0) || + (!vroot && virAsprintf(&dev->path, USB_DEVFS "%03d/%03d", dev->bus, dev->dev) < 0)) { virUSBDeviceFree(dev); return NULL; } (of course after breaking down the long lines). Can you please test it? Michal </div> </div> </div> </div> </body> </html>