[Fedora-xen] Problem Having Fedora 10 Guest See USB Devices (AVC Denied Message, Too...)

Robert L Cochran cochranb at speakeasy.net
Sat Dec 20 19:23:56 UTC 2008


I have a Fedora 10 x86_64 host running a Fedora 10 x86_64 guest under
KVM. I want to be able to plug a USB flash drive in and have the guest
able to read and write to that device. According to the libvirt.org XML
format suggestions, the way to do that is with a <hostdev> container. Here
is how I added it to the xml for my guest machine. Note that this
doesn't mean I added it correctly, though:

<domain type='kvm'>
  <name>fedora10x64</name>
  <uuid>33e7e731-4e18-dd90-222e-b1df83a76cad</uuid>
  <memory>2097152</memory>
  <currentMemory>2097152</currentMemory>
  <vcpu>1</vcpu>
  <os>
    <type arch='x86_64' machine='pc'>hvm</type>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>
  <clock offset="localtime"/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <emulator>/usr/bin/qemu-kvm</emulator>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/fedora10x64.img'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <interface type='bridge'>
      <source bridge='br0'/>
    </interface>
    <serial type='pty'>
      <target port='0'/>
    </serial>
    <console type='pty'>
      <target port='0'/>
    </console>
    <hostdev mode='subsystem' type='usb'>
      <source>
        <vendor id='0x12f7'/>
        <product id='0x1a00'/>
      </source>
    </hostdev>
    <input type='mouse' bus='ps2'/>
    <graphics type='vnc' port='-1' autoport='yes' keymap='en-us'/>
    <sound model='es1370'/>
  </devices>
</domain>


When I launch Virtual Machine Manager, open the Fedora 10 guest, and
click the Run button, I get an immediate AVC denied message.

Dec 20 13:54:45 deafeng3 setroubleshoot: SELinux is preventing qemu
(qemu-kvm) "read" to ./devices (usbfs_t). For complete SELinux messages.
run sealert -l 33327e80-28c3-460a-a759-dfae737c863b

Here are the `sealert` details:

[root at deafeng3 qemu]# sealert -l 33327e80-28c3-460a-a759-dfae737c863b

Summary:

SELinux is preventing qemu (qemu-kvm) "read" to ./devices (usbfs_t).

Detailed Description:

SELinux denied qemu access to ./devices. If this is a virtualization
image, it has to have a file context label of virt_image_t. The system is
setup to label image files in directory ./var/lib/libvirt/images correctly.
We recommend that you copy your image file to /var/lib/libvirt/images. If
you really want to have your qemu image files in the current directory, you
can relabel ./devices to be virt_image_t using chcon. You also need to
execute semanage fcontext -a -t virt_image_t './devices' to add this new
path to the system defaults. If you did not intend to use ./devices as a
qemu image it could indicate either a bug or an intrusion attempt.

Allowing Access:

You can alter the file context by executing chcon -t virt_image_t './devices'
You must also change the default file context files on the system in order
to preserve them even on a full relabel. "semanage fcontext -a -t
virt_image_t './devices'"

Fix Command:

chcon -t virt_image_t './devices'

Additional Information:

Source Context                system_u:system_r:qemu_t:s0
Target Context                system_u:object_r:usbfs_t:s0
Target Objects                ./devices [ file ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          deafeng3.signtype.info
Source RPM Packages           kvm-74-6.fc10
Target RPM Packages          
Policy RPM                    selinux-policy-3.5.13-34.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   qemu_file_image
Host Name                     deafeng3.signtype.info
Platform                      Linux deafeng3.signtype.info 2.6.27.7-134.fc10.x86_64 #1 SMP Mon Dec 1 22:21:35 EST 2008 x86_64 x86_64
Alert Count                   3
First Seen                    Fri Dec 19 11:01:52 2008
Last Seen                     Sat Dec 20 13:54:45 2008
Local ID                      33327e80-28c3-460a-a759-dfae737c863b
Line Numbers                 

Raw Audit Messages           

node=deafeng3.signtype.info type=AVC msg=audit(1229799285.706:69): avc: denied  { read } for  pid=4276 comm="qemu-kvm" name="devices" dev=usbfs ino=341 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:usbfs_t:s0 tclass=file

node=deafeng3.signtype.info type=SYSCALL msg=audit(1229799285.706:69): arch=c000003e syscall=2 success=no exit=-13 a0=54c733 a1=0 a2=1b6 a3=7fe48d8d16f0 items=0 ppid=2903 pid=4276 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:qemu_t:s0 key=(null)

Is there a way to fix this so I can have my Fedora 10 guest read and
write to USB devices?

Thanks

Bob Cochran
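The raw AVC and SYSCALL records quoted above carry everything needed to triage the denial without trusting the setroubleshoot plugin's guess. The following is an added example, not code from the post or from the libvirt/SELinux projects: it parses the two audit records (re-joined onto single lines as constructed sample input), pulls out the source type, target type, object class and denied permission, renders the minimal audit2allow-style rule that would describe the access, decodes the syscall record (arch, syscall number, errno), and flags that the plugin's "relabel to virt_image_t" advice was written for disk image files and does not fit a target living on a kernel pseudo-filesystem such as usbfs. The `PSEUDO_FS` set and the small syscall table are assumptions made for this example; the errno decoding uses Python's standard `errno` module.

```python
import errno
import re

# Constructed sample input: the two audit records from the post, each on one line.
SAMPLE_AVC = (
    'node=deafeng3.signtype.info type=AVC msg=audit(1229799285.706:69): avc: '
    'denied  { read } for  pid=4276 comm="qemu-kvm" name="devices" dev=usbfs '
    'ino=341 scontext=system_u:system_r:qemu_t:s0 '
    'tcontext=system_u:object_r:usbfs_t:s0 tclass=file'
)
SAMPLE_SYSCALL = (
    'node=deafeng3.signtype.info type=SYSCALL msg=audit(1229799285.706:69): '
    'arch=c000003e syscall=2 success=no exit=-13 a0=54c733 a1=0 a2=1b6 '
    'a3=7fe48d8d16f0 items=0 ppid=2903 pid=4276 auid=4294967295 uid=0 gid=0 '
    'euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 '
    'comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:qemu_t:s0 '
    'key=(null)'
)

# key=value pairs; values may be double-quoted (comm="qemu-kvm") or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The permission set of an AVC record: "{ read }" or "{ read write }".
PERM_RE = re.compile(r'\{\s*([^}]*?)\s*\}')

# Assumption for this example: x86_64 audit arch value and a few syscall numbers.
ARCHES = {'c000003e': 'x86_64'}
SYSCALLS_X86_64 = {0: 'read', 1: 'write', 2: 'open', 257: 'openat'}
# Assumption: labels that belong to kernel pseudo-filesystems, whose files are not
# disk images and cannot meaningfully be relabelled with chcon.
PSEUDO_FS = {'usbfs', 'sysfs', 'proc', 'debugfs'}


def parse_record(line):
    """Turn one audit record into a dict of its key=value fields.

    For AVC records the denied/granted verdict and the permission list are added
    under 'result' and 'perms'.
    """
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if fields.get('type') == 'AVC':
        fields['result'] = 'denied' if 'avc:  denied' in line or 'denied' in line else 'granted'
        m = PERM_RE.search(line)
        fields['perms'] = m.group(1).split() if m else []
    return fields


def type_of(context):
    """'system_u:system_r:qemu_t:s0' -> 'qemu_t' (the type field of a context)."""
    return context.split(':')[2]


def te_rule(avc):
    """Render the minimal allow rule describing this AVC, as audit2allow would."""
    return 'allow {} {}:{} {{ {} }};'.format(
        type_of(avc['scontext']), type_of(avc['tcontext']),
        avc['tclass'], ' '.join(avc['perms']))


def decode_syscall(rec):
    """Return (arch name, syscall name, errno name) for a SYSCALL record."""
    arch = ARCHES.get(rec['arch'], rec['arch'])
    nr = int(rec['syscall'])
    name = SYSCALLS_X86_64.get(nr, 'syscall_%d' % nr) if arch == 'x86_64' else 'syscall_%d' % nr
    code = -int(rec['exit'])
    err = errno.errorcode.get(code, 'errno_%d' % code) if rec.get('success') == 'no' else 'OK'
    return arch, name, err


def advice_matches_target(avc):
    """False when 'relabel the object as a disk image' cannot apply to the target.

    The qemu_file_image plugin's advice assumes the denied object is a regular file
    that could be a VM image; an object on a kernel pseudo-filesystem is not one.
    """
    return avc.get('dev') not in PSEUDO_FS


def triage(avc_line, syscall_line):
    """Summarise a paired AVC + SYSCALL event for an analyst."""
    avc = parse_record(avc_line)
    sc = parse_record(syscall_line)
    arch, name, err = decode_syscall(sc)
    return {
        'subject': type_of(avc['scontext']),
        'object': type_of(avc['tcontext']),
        'class': avc['tclass'],
        'perms': avc['perms'],
        'syscall': '%s/%s -> %s' % (arch, name, err),
        'rule': te_rule(avc),
        'image_relabel_advice_fits': advice_matches_target(avc),
    }


if __name__ == '__main__':
    for k, v in triage(SAMPLE_AVC, SAMPLE_SYSCALL).items():
        print('%-28s %s' % (k + ':', v))
```

Run on the post's records, `triage` reports subject `qemu_t`, object `usbfs_t`, class `file`, permission `read`, the syscall as `x86_64/open -> EACCES`, the rule `allow qemu_t usbfs_t:file { read };`, and `image_relabel_advice_fits` as `False`, which is the signal that the `chcon -t virt_image_t './devices'` fix command should not be followed as printed: the object is a usbfs entry that qemu opens to enumerate host USB devices for the `<hostdev>` passthrough, not a disk image in the wrong directory. Whether that access should be granted is a policy decision for the host administrator; the rendered rule only states precisely what was denied.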