On 02/17/2016 06:45 PM, Robert Nichols wrote:
> On 02/15/2016 12:25 PM, Robert Nichols wrote:
>> On 02/15/2016 10:03 AM, Miroslav Grepl wrote:
>>> On 02/14/2016 01:43 AM, Robert Nichols wrote:
>>>> In CentOS 6.7 with Windows 7 running in a QEMU/KVM virtual machine,
>>>> when I power-on a printer that the Windows VM uses via networking
>>>> I get the below AVC alert. Anyone have any idea what is going on?
>>>> I haven't noticed anything not working.
>>>>
>>>
>>> Is it a USB printer?
>>
>> The host is using a USB connection with CUPS. The printer also has a
>> network interface, and I let Windows machines (both real and VM) use
>> it directly via the network rather than setting up Samba print sharing.
>
> I find I get this alert even on a fresh boot of the host with no VMs
> and no virt-manager running. Only the libvirtd service is running.
> Looking up the reported inode number, I find /dev/bus/usb/003/002:

Could you open a new bug against libvirt? It should be relabeled back to
the default label if there are no running VMs.
Thank you.

> # ls -Z /dev/bus/usb/003/002
> crw-rw-r--. qemu qemu system_u:object_r:svirt_image_t:s0:c68,c582
> /dev/bus/usb/003/002
> # lsof /dev/bus/usb/003/002
> COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
> qemu-kvm 4370 qemu 28u CHR 189,257 0t271 10937 /dev/bus/usb/003/002
>
> If there are no other suggestions, I'm going to DONTAUDIT this to get
> it out of my hair.
>
>>>> SELinux is preventing /lib/udev/udev-configure-printer from read access
>>>> on the chr_file 003.
>>>>
>>>> ***** Plugin catchall (100. confidence) suggests
>>>> ***************************
>>>>
>>>> If you believe that udev-configure-printer should be allowed read
>>>> access
>>>> on the 003 chr_file by default.
>>>> Then you should report this as a bug.
>>>> You can generate a local policy module to allow this access.
>>>> Do
>>>> allow this access for now by executing:
>>>> # grep udev-configure- /var/log/audit/audit.log | audit2allow -M mypol
>>>> # semodule -i mypol.pp
>>>>
>>>> Additional Information:
>>>> Source Context system_u:system_r:cupsd_config_t:s0-s0:c0.c1023
>>>> Target Context
>>>> system_u:object_r:svirt_image_t:s0:c255,c554
>>>> Target Objects 003 [ chr_file ]
>>>> Source udev-configure-
>>>> Source Path /lib/udev/udev-configure-printer
>>>> Port <Unknown>
>>>> Host omega-3g.local
>>>> Source RPM Packages system-config-printer-udev-1.1.16-25.el6.x86_64
>>>> Target RPM Packages
>>>> Policy RPM selinux-policy-3.7.19-279.el6_7.8.noarch
>>>> Selinux Enabled True
>>>> Policy Type targeted
>>>> Enforcing Mode Enforcing
>>>> Host Name omega-3g.local
>>>> Platform Linux omega-3g.local
>>>> 3.18.21-16.el6.x86_64
>>>> #1 SMP
>>>> Sat Sep 26 01:24:19 UTC 2015 x86_64
>>>> x86_64
>>>> Alert Count 1
>>>> First Seen Sat 13 Feb 2016 06:18:29 PM CST
>>>> Last Seen Sat 13 Feb 2016 06:18:29 PM CST
>>>> Local ID c3c9d30e-0835-4402-b342-acddd26e1686
>>>>
>>>> Raw Audit Messages
>>>> type=AVC msg=audit(1455409109.607:29449): avc: denied { read } for
>>>> pid=32326 comm="udev-configure-" name="003"
>>>> dev="devtmpfs" ino=2706
>>>> scontext=system_u:system_r:cupsd_config_t:s0-s0:c0.c1023
>>>> tcontext=system_u:object_r:svirt_image_t:s0:c255,c554 tclass=chr_file
>>>> permissive=0
>>>>
>>>>
>>>> type=SYSCALL msg=audit(1455409109.607:29449): arch=x86_64 syscall=open
>>>> success=no exit=EACCES a0=7ffe1bd16eb0 a1=0 a2=d a3=0 items=0 ppid=1
>>>> pid=32326 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>>> sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=udev-configure-
>>>> exe=/lib/udev/udev-configure-printer
>>>> subj=system_u:system_r:cupsd_config_t:s0-s0:c0.c1023 key=(null)
>>>>
>>>> Hash: udev-configure-,cupsd_config_t,svirt_image_t,chr_file,read
>>>>
>>>>
>>>>
>>>
>>>
>>
>>

--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
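
Added example, not part of the thread or of any poster's message: a small triage parser for the AVC record quoted above, which splits the SELinux contexts (keeping the MCS categories intact) and flags denials where a non-VM domain hits a device node that still carries an sVirt label. The function names, the second sample record and the "source type does not start with svirt" heuristic are assumptions made for this illustration.

```python
import re

# The AVC record from the alert above, joined onto one line (quote markers removed).
PAGE_AVC = (
    'type=AVC msg=audit(1455409109.607:29449): avc: denied { read } for '
    'pid=32326 comm="udev-configure-" name="003" dev="devtmpfs" ino=2706 '
    'scontext=system_u:system_r:cupsd_config_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:svirt_image_t:s0:c255,c554 tclass=chr_file '
    'permissive=0'
)
# Constructed contrast record (not from the thread): an ordinary file denial.
CONSTRUCTED_AVC = (
    'type=AVC msg=audit(1455409200.100:29500): avc: denied { getattr } for '
    'pid=1200 comm="httpd" name="index.html" dev="dm-0" ino=4242 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_context(ctx):
    """Split user:role:type:level; the MLS/MCS level may itself contain ':'."""
    user, role, type_, level = (ctx.split(':', 3) + [''])[:4]
    return {'user': user, 'role': role, 'type': type_, 'level': level}

def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    rec['perms'] = m.group(1).split()
    rec['source'] = split_context(rec['scontext'])
    rec['target'] = split_context(rec['tcontext'])
    return rec

def is_svirt_device_denial(rec):
    """True when a non-VM domain was denied on a device node with an sVirt label."""
    # Heuristic assumed for this example: VM domains have types starting "svirt".
    return (rec['tclass'] in ('chr_file', 'blk_file')
            and rec['target']['type'] == 'svirt_image_t'
            and not rec['source']['type'].startswith('svirt'))

if __name__ == '__main__':
    for line in (PAGE_AVC, CONSTRUCTED_AVC):
        rec = parse_avc(line)
        print(rec['comm'], rec['target']['level'], is_svirt_device_denial(rec))
```

A hit from `is_svirt_device_denial` points at the device label rather than at the denied program, which is the case where checking the node with `ls -Z` and `lsof`, as done in the thread, comes before generating an allow or dontaudit rule.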