[libvirt] Libvirt fails to apply security context to fd/node to USB device

Michal Privoznik mprivozn at redhat.com
Fri Jan 19 16:19:21 UTC 2018


On 01/16/2018 07:20 PM, Randy Aybar wrote:
> Hi,
> 
> 
> I'm attempting to attach and expose a USB device (WiFi adapter for testing) to an LXC container with SELinux enabled. But when enabling the XML snippet, the container fails to start with this error:
> 
> 
> 2018-01-12 19:24:31.914+0000: 2181: error : virSecuritySELinuxSetFileconHelper:1182 : unable to set security context 'system_u:object_r:svirt_sandbox_file_t:s0:c139,c284' on '//var/run/libvirt/lxc/lxc_0.dev/bus/usb//dev/bus/usb/002/002': No such file or directory
> 
> Failure in libvirt_lxc startup: unable to set security context 'system_u:object_r:svirt_sandbox_file_t:s0:c139,c284' on '//var/run/libvirt/lxc/lxc_0.dev/bus/usb//dev/bus/usb/002/002': No such file or directory

Yes, this is a libvirt bug. And your analysis is correct. The problem is:

1) in virLXCControllerSetupHostdevSubsysUSB the first part of path is
constructed: vroot = /var/run/libvirt/lxc/lxc_0.dev/bus/usb

2) then, virSecurityManagerSetHostdevLabel() is called, which
subsequently calls virSecuritySELinuxSetHostdevSubsysLabel().

3) The SELinuxSetHostdevSubsysLabel() calls virUSBDeviceNew(..,vroot)
where vroot is the path from step 1). The virUSBDeviceNew then does:

    if (virAsprintf(&dev->path, "%s" USB_DEVFS "%03d/%03d",
                    vroot ? vroot : "",
                    dev->bus, dev->dev) < 0) {
        virUSBDeviceFree(dev);
        return NULL;
    }

where USB_DEVFS is defined as:

# define USB_DEVFS "/dev/bus/usb/"

So in the end, dev->path contains the path that you're seeing. I think
this is the fix:

diff --git a/src/util/virusb.c b/src/util/virusb.c
index 6359235ff..99ee08657 100644
--- a/src/util/virusb.c
+++ b/src/util/virusb.c
@@ -343,9 +343,9 @@ virUSBDeviceNew(unsigned int bus,
         virUSBDeviceFree(dev);
         return NULL;
     }
-    if (virAsprintf(&dev->path, "%s" USB_DEVFS "%03d/%03d",
-                    vroot ? vroot : "",
-                    dev->bus, dev->dev) < 0) {
+
+    if ((vroot && virAsprintf(&dev->path, "%s/%03d/%03d", vroot, dev->bus, dev->dev) < 0) ||
+        (!vroot && virAsprintf(&dev->path, USB_DEVFS "%03d/%03d", dev->bus, dev->dev) < 0)) {
         virUSBDeviceFree(dev);
         return NULL;
     }
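Review bot: with this change the vroot branch no longer appends USB_DEVFS, so virUSBDeviceNew now expects a non-NULL vroot to already name the USB bus directory (the LXC controller's /var/run/libvirt/lxc/lxc_0.dev/bus/usb) instead of a root under which "/dev/bus/usb/" is mounted; that changed contract should be stated in the function's comment and checked against every other caller that passes a vroot. The "%s/%03d/%03d" join still yields a doubled separator when vroot carries a trailing slash, as the reported '...bus/usb//dev/...' path suggests it can; trimming or rejecting that would keep the path canonical. Minor: the added `+` blank line before the if is an unrelated whitespace change.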

(of course after breaking down the long lines). Can you please test it?

Michal
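As an added illustration of the path construction discussed above (this is not libvirt's code, and virAsprintf is replaced by a small vsnprintf-based helper so the block compiles on its own), the two functions below build dev->path the way the old code and the proposed fix do. SAMPLE_VROOT is a constructed value taken from the report, without the doubled slashes the reported string carries, so the comparison isolates the effect of prepending USB_DEVFS to a vroot that already ends in the USB bus directory.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same definition as in libvirt's virusb.c (quoted in the thread). */
#define USB_DEVFS "/dev/bus/usb/"

/* Constructed sample: what virLXCControllerSetupHostdevSubsysUSB builds
 * as vroot in the report (extra '/' separators omitted here). */
#define SAMPLE_VROOT "/var/run/libvirt/lxc/lxc_0.dev/bus/usb"

/* Minimal stand-in for virAsprintf: allocate and format, NULL on failure. */
static char *fmt_alloc(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    if (n < 0)
        return NULL;
    char *buf = malloc((size_t)n + 1);
    if (!buf)
        return NULL;
    va_start(ap, fmt);
    vsnprintf(buf, (size_t)n + 1, fmt, ap);
    va_end(ap);
    return buf;
}

/* Path as the old virUSBDeviceNew built it: vroot is prepended to USB_DEVFS,
 * so a vroot that already ends in .../bus/usb gets the bus directory twice. */
char *usb_path_before(const char *vroot, unsigned int bus, unsigned int dev)
{
    return fmt_alloc("%s" USB_DEVFS "%03u/%03u", vroot ? vroot : "", bus, dev);
}

/* Path as the proposed fix builds it: with vroot only bus/dev are appended;
 * without vroot the host's USB_DEVFS prefix is used. */
char *usb_path_after(const char *vroot, unsigned int bus, unsigned int dev)
{
    if (vroot)
        return fmt_alloc("%s/%03u/%03u", vroot, bus, dev);
    return fmt_alloc(USB_DEVFS "%03u/%03u", bus, dev);
}

/* Returns 1 if the USB bus directory appears more than once in path,
 * which is the symptom behind the "No such file or directory" error. */
int usb_dir_duplicated(const char *path)
{
    const char *first = strstr(path, "bus/usb");
    return first && strstr(first + 1, "bus/usb") ? 1 : 0;
}

int main(void)
{
    char *before = usb_path_before(SAMPLE_VROOT, 2, 2);
    char *after = usb_path_after(SAMPLE_VROOT, 2, 2);
    printf("before fix: %s (duplicated: %d)\n", before, usb_dir_duplicated(before));
    printf("after fix:  %s (duplicated: %d)\n", after, usb_dir_duplicated(after));
    free(before);
    free(after);
    return 0;
}
```

Running it prints the doubled path for the old construction and the single-rooted path for the fixed one, while the host case (vroot NULL) is unchanged by the fix.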
