[Fedora-xen] Problem Having Fedora 10 Guest See USB Devices (AVC Denied Message, Too...)
Robert L Cochran
cochranb at speakeasy.net
Sat Dec 20 19:23:56 UTC 2008
I have a Fedora 10 x86_64 host running a Fedora 10 x86_64 guest under
KVM. I want to be able to plug a USB flash drive in and have the guest
able to read and write to that device. According to the libvirt.org XML
format suggestions, the way to do that is with a <hostdev> container. Here
is how I added it to the xml for my guest machine. Note that this
doesn't mean I added it correctly, though:
<domain type='kvm'>
  <name>fedora10x64</name>
  <uuid>33e7e731-4e18-dd90-222e-b1df83a76cad</uuid>
  <memory>2097152</memory>
  <currentMemory>2097152</currentMemory>
  <vcpu>1</vcpu>
  <os>
    <type arch='x86_64' machine='pc'>hvm</type>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>
  <clock offset='localtime'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <emulator>/usr/bin/qemu-kvm</emulator>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/fedora10x64.img'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <interface type='bridge'>
      <source bridge='br0'/>
    </interface>
    <serial type='pty'>
      <target port='0'/>
    </serial>
    <console type='pty'>
      <target port='0'/>
    </console>
    <!-- USB passthrough of the flash drive, selected by vendor/product ID -->
    <hostdev mode='subsystem' type='usb'>
      <source>
        <vendor id='0x12f7'/>
        <product id='0x1a00'/>
      </source>
    </hostdev>
    <input type='mouse' bus='ps2'/>
    <graphics type='vnc' port='-1' autoport='yes' keymap='en-us'/>
    <sound model='es1370'/>
  </devices>
</domain>
When I launch Virtual Machine Manager, open the Fedora 10 guest, and
click the Run button, I get an immediate AVC denied message.
Dec 20 13:54:45 deafeng3 setroubleshoot: SELinux is preventing qemu (qemu-kvm) "read" to ./devices (usbfs_t). For complete SELinux messages. run sealert -l 33327e80-28c3-460a-a759-dfae737c863b
Here are the `sealert` details:
[root at deafeng3 qemu]# sealert -l 33327e80-28c3-460a-a759-dfae737c863b
Summary:
SELinux is preventing qemu (qemu-kvm) "read" to ./devices (usbfs_t).
Detailed Description:
SELinux denied qemu access to ./devices. If this is a virtualization image, it has to have a file context label of virt_image_t. The system is setup to label image files in directory ./var/lib/libvirt/images correctly. We recommend that you copy your image file to /var/lib/libvirt/images. If you really want to have your qemu image files in the current directory, you can relabel ./devices to be virt_image_t using chcon. You also need to execute semanage fcontext -a -t virt_image_t './devices' to add this new path to the system defaults. If you did not intend to use ./devices as a qemu image it could indicate either a bug or an intrusion attempt.
Allowing Access:
You can alter the file context by executing chcon -t virt_image_t './devices'
You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t virt_image_t './devices'"
Fix Command:
chcon -t virt_image_t './devices'
Additional Information:
Source Context system_u:system_r:qemu_t:s0
Target Context system_u:object_r:usbfs_t:s0
Target Objects ./devices [ file ]
Source qemu-kvm
Source Path /usr/bin/qemu-kvm
Port <Unknown>
Host deafeng3.signtype.info
Source RPM Packages kvm-74-6.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.13-34.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name qemu_file_image
Host Name deafeng3.signtype.info
Platform Linux deafeng3.signtype.info 2.6.27.7-134.fc10.x86_64 #1 SMP Mon Dec 1 22:21:35 EST 2008 x86_64 x86_64
Alert Count 3
First Seen Fri Dec 19 11:01:52 2008
Last Seen Sat Dec 20 13:54:45 2008
Local ID 33327e80-28c3-460a-a759-dfae737c863b
Line Numbers
Raw Audit Messages
node=deafeng3.signtype.info type=AVC msg=audit(1229799285.706:69): avc: denied { read } for pid=4276 comm="qemu-kvm" name="devices" dev=usbfs ino=341 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:usbfs_t:s0 tclass=file
node=deafeng3.signtype.info type=SYSCALL msg=audit(1229799285.706:69): arch=c000003e syscall=2 success=no exit=-13 a0=54c733 a1=0 a2=1b6 a3=7fe48d8d16f0 items=0 ppid=2903 pid=4276 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:qemu_t:s0 key=(null)
Is there a way to fix this so I can have my Fedora 10 guest read and
write to USB devices?
Thanks
Bob Cochran
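Editor's note on the denial above, as an added example that is not part of the original post. The sealert plugin that fired (qemu_file_image) is written for disk images, so its advice to chcon ./devices to virt_image_t does not fit: the denied object is the devices file of the usbfs pseudo-filesystem, whose usbfs_t label comes from policy, not from a path you can relabel. What the raw AVC actually says is that qemu_t was refused read on usbfs_t:file. Before writing any custom policy, check whether the installed policy already ships a boolean for this (getsebool -a | grep -i virt), since toggling a boolean is preferable to a local module. If none applies, the script below, which is my own helper and not a Fedora or libvirt tool, turns a raw AVC line into the type-enforcement rule and the minimal .te module that audit2allow would generate, so you can read exactly what you are about to grant. The sample audit line is the one from the post, joined onto one line; the module name qemuusb is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not from the original post): derive the SELinux allow rule
# and a minimal .te module from a raw AVC "denied" line. This mirrors what
# `audit2allow` does, but in plain sh so every piece is visible.

# Constructed sample: the AVC line from the post, on a single line.
SAMPLE_AVC='node=deafeng3.signtype.info type=AVC msg=audit(1229799285.706:69): avc: denied { read } for pid=4276 comm="qemu-kvm" name="devices" dev=usbfs ino=341 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:usbfs_t:s0 tclass=file'

# avc_field KEY LINE: print the value of " KEY=value" from an audit line.
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*[ (]$1=\([^ ]*\).*/\1/p"
}

# avc_perms LINE: print the permissions inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# avc_to_rule LINE: emit "allow SRC_T TGT_T:CLASS PERMS;" for one denial.
# Source/target types are the third field of the security contexts.
avc_to_rule() {
    src=$(avc_field scontext "$1" | cut -d: -f3)
    tgt=$(avc_field tcontext "$1" | cut -d: -f3)
    cls=$(avc_field tclass "$1")
    perms=$(avc_perms "$1")
    case $perms in
        *' '*) perms="{ $perms }" ;;   # several perms need braces
    esac
    printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perms"
}

# avc_to_te_module NAME LINE: emit a complete .te policy module for one
# denial, with the require block that checkmodule insists on.
avc_to_te_module() {
    name=$1
    src=$(avc_field scontext "$2" | cut -d: -f3)
    tgt=$(avc_field tcontext "$2" | cut -d: -f3)
    cls=$(avc_field tclass "$2")
    perms=$(avc_perms "$2")
    case $perms in
        *' '*) perms="{ $perms }" ;;
    esac
    printf 'module %s 1.0;\n\nrequire {\n' "$name"
    printf '\ttype %s;\n\ttype %s;\n\tclass %s %s;\n}\n\n' "$src" "$tgt" "$cls" "$perms"
    avc_to_rule "$2"
}

# Stand-alone run: print the rule and module for the sample denial.
# To build and load for real (as root):
#   ./this.sh > qemuusb.te
#   checkmodule -M -m -o qemuusb.mod qemuusb.te
#   semodule_package -o qemuusb.pp -m qemuusb.mod
#   semodule -i qemuusb.pp
avc_to_te_module qemuusb "$SAMPLE_AVC"
```

Read the generated rule before loading it: `allow qemu_t usbfs_t:file read;` grants every qemu_t process, not just this guest, read access to every usbfs file. That is narrower than disabling enforcement, but it is still a host-wide change, and the same script run over a later denial (for example a `write` on the device node once enumeration succeeds) will tell you whether a second rule is needed or whether a shipped boolean covers it.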