Bug 517621

Summary: SELinux prevented pt_chown from using the terminal 3.
Product: [Fedora] Fedora Reporter: Sascha Thomas Spreitzer <sascha>
Component: kvmAssignee: Glauber Costa <gcosta>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: low    
Version: 11CC: berrange, clalance, ehabkost, gcosta, markmc, quintela, virt-maint
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-08-18 06:46:58 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Sascha Thomas Spreitzer 2009-08-15 05:03:43 EDT
Description of problem:
SELinux prevented pt_chown from using the terminal 3.
SELinux prevented pt_chown from using the terminal 3. In most cases daemons do not need to interact with the terminal, usually these avc messages can be ignored. All of the confined daemons should have dontaudit rules around using the terminal. Please file a bug report against this selinux-policy. If you would like to allow all daemons to interact with the terminal, you can turn on the allow_daemons_use_tty boolean. 

Version-Release number of selected component (if applicable):
[~]$ rpm -qa|grep -i kvm
qemu-kvm-0.10.5-3.fc11.x86_64
etherboot-zroms-kvm-5.4.4-16.fc11.noarch
[~]$ rpm -qa|grep -i virt
libvirt-0.6.2-13.fc11.x86_64
virt-viewer-0.0.3-6.fc11.x86_64
python-virtinst-0.400.3-8.fc11.noarch
virt-manager-0.7.0-5.fc11.x86_64
virt-top-1.0.3-4.fc11.x86_64
libvirt-python-0.6.2-13.fc11.x86_64
[~]$ rpm -qa|grep -i selinux
libselinux-2.0.80-1.fc11.x86_64
libselinux-debuginfo-2.0.80-1.fc11.x86_64
libselinux-2.0.80-1.fc11.i586
libselinux-devel-2.0.80-1.fc11.x86_64
selinux-policy-3.6.12-72.fc11.noarch
libselinux-python-2.0.80-1.fc11.x86_64
libselinux-utils-2.0.80-1.fc11.x86_64
selinux-policy-targeted-3.6.12-72.fc11.noarch


How reproducible:
Everytime powering on a VM.

Steps to Reproduce:
1. Start libvirtd
2. Open virt-manager
3. Open VM
4. Start VM
  
Actual results:
SElinux prevents VM from powering on.

Expected results:
VM should start.

Additional info:

Setting the recommended persistent sebool does NOT work!
-> 
[~]$ getsebool allow_daemons_use_tty
allow_daemons_use_tty --> on

audit.log:

node=badcat type=AVC msg=audit(1250325927.405:47): avc: denied { setattr } for pid=6193 comm="pt_chown" name="3" dev=devpts ino=6 scontext=system_u:system_r:svirt_t:s0:c52,c941 tcontext=system_u:object_r:devpts_t:s0:c52,c941 tclass=chr_file 

node=badcat type=SYSCALL msg=audit(1250325927.405:47): arch=c000003e syscall=92 success=no exit=-35930152 a0=7f89b806c1d0 a1=0 a2=5 a3=7fff8ffe7ec0 items=0 ppid=6188 pid=6193 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="pt_chown" exe="/usr/libexec/pt_chown" subj=system_u:system_r:svirt_t:s0:c52,c941 key=(null)
Comment 1 Mark McLoughlin 2009-08-18 06:46:58 EDT
Thanks for the report

Please try https://admin.fedoraproject.org/updates/F11/FEDORA-2009-8536 from updates-testing

*** This bug has been marked as a duplicate of bug 515521 ***