Bug 518663

Summary: selinux policy prevents virt-manager from running existing and creating new VM
Product: [Fedora] Fedora
Reporter: Jurgen Kramer <gtmkramer>
Component: selinux-policy-targeted
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: low
Version: 11
CC: mishu
Hardware: All
OS: Linux
Fixed In Version: 3.6.12-80.fc11
Doc Type: Bug Fix
Last Closed: 2009-08-28 21:57:04 UTC
Attachments (flags: none on all):
SELinux prevented pt_chown from using the terminal 3 -> AVC
SELinux prevented qemu-kvm from using the terminal 1. Count=1
SELinux is preventing pt_chown (ptchown_t) "read write" ptmx_t. Count=4
SELinux is preventing qemu-kvm (svirt_t) "setrlimit" svirt_t. Count=2
SELinux is preventing pt_chown (ptchown_t) "fsetid" ptchown_t. Count=1

Description Jurgen Kramer 2009-08-21 14:58:37 UTC
Description of problem:
When trying to create a new VM using virt-manager I got a few AVC messages preventing virt-manager from completing the creation.

Version-Release number of selected component (if applicable):
virt-manager-0.7.0-5.fc11.x86_64
selinux-policy-3.6.12-72.fc11.noarch
selinux-policy-targeted-3.6.12-72.fc11.noarch

How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

When trying to run an existing VM I get an error box with a Python traceback from virt-manager:

Error starting domain: internal error unable to start guest: qemu: could not open monitor device 'pty'

Contents:

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/engine.py", line 493, in run_domain
    vm.startup()
  File "/usr/share/virt-manager/virtManager/domain.py", line 573, in startup
    self.vm.create()
  File "/usr/lib64/python2.6/site-packages/libvirt.py", line 287, in create
    if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self)
libvirtError: internal error unable to start guest: qemu: could not open monitor device 'pty'

The corresponding avc message is attached.

Comment 1 Jurgen Kramer 2009-08-21 15:00:46 UTC
Sorry, did not complete all the fields :(.

How reproducible:
always

Steps to Reproduce:
1. Start virt-manager
2. Select existing VM Open and Run
3. error message appears.

Expected results:
No AVC messages, working VM.

Comment 2 Jurgen Kramer 2009-08-21 15:05:49 UTC
When (trying to) create a new VM, virt-manager stops when trying to create the domain, due to:

SELinux prevented pt_chown from using the terminal 3.

virt-manager error message:
Unable to complete install: 'internal error unable to start guest: qemu: could not open monitor device 'pty'

Contents:

Unable to complete install '<class 'libvirt.libvirtError'> internal error unable to start guest: qemu: could not open monitor device 'pty'

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/create.py", line 1501, in do_install
    dom = guest.start_install(False, meter = meter)
  File "/usr/lib/python2.6/site-packages/virtinst/Guest.py", line 541, in start_install
    return self._do_install(consolecb, meter, removeOld, wait)
  File "/usr/lib/python2.6/site-packages/virtinst/Guest.py", line 633, in _do_install
    self.domain = self.conn.createLinux(install_xml, 0)
  File "/usr/lib64/python2.6/site-packages/libvirt.py", line 974, in createLinux
    if ret is None:raise libvirtError('virDomainCreateLinux() failed', conn=self)
libvirtError: internal error unable to start guest: qemu: could not open monitor device 'pty'
'

selinux avc attached as attachment 2.

Comment 3 Jurgen Kramer 2009-08-21 15:06:35 UTC
Created attachment 358255
SELinux prevented pt_chown from using the terminal 3 -> AVC

attachment 2. SELinux prevented pt_chown from using the terminal 3.

Comment 4 Jurgen Kramer 2009-08-23 11:59:04 UTC
Retested with updated policies:

selinux-policy-targeted-3.6.12-78.fc11.noarch
selinux-policy-3.6.12-78.fc11.noarch

Starting an existing VM now works again but produces 6 different AVCs with a total count of 11 AVCs...

I've attached all the sealert messages.

Creating a new VM now also works again, triggers all the same AVCs.

Comment 5 Jurgen Kramer 2009-08-23 12:00:46 UTC
Created attachment 358350
SELinux prevented qemu-kvm from using the terminal 1. Count=1

SELinux prevented qemu-kvm from using the terminal 1. Count=1

Comment 6 Jurgen Kramer 2009-08-23 12:01:26 UTC
Created attachment 358351
SELinux is preventing pt_chown (ptchown_t) "read write" ptmx_t. Count=4

SELinux is preventing pt_chown (ptchown_t) "read write" ptmx_t. Count=4

Comment 7 Jurgen Kramer 2009-08-23 12:02:21 UTC
Created attachment 358352
SELinux is preventing qemu-kvm (svirt_t) "setrlimit" svirt_t. Count=2

SELinux is preventing qemu-kvm (svirt_t) "setrlimit" svirt_t. Count=2

Comment 8 Jurgen Kramer 2009-08-23 12:03:07 UTC
Created attachment 358353
SELinux is preventing pt_chown (ptchown_t) "fsetid" ptchown_t. Count=1

SELinux is preventing pt_chown (ptchown_t) "fsetid" ptchown_t. Count=1

Comment 9 Daniel Walsh 2009-08-23 16:46:03 UTC
Edit /etc/fstab 

and make the devpts line look like

devpts                  /dev/pts                devpts  gid=5,mode=620  0 0


Then execute mount -a

Should fix your problem.

F11 anaconda was supposed to put this line in, and this is triggering the other errors.  

Miroslav, grab the latest pt_chown policy from Rawhide and update F11.
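
Added example (not part of the bug thread, and not code from Fedora or the selinux-policy project): a POSIX shell check that the devpts entry carries the gid=5 and mode=620 options given in Comment 9. The function names are made up for this example; it assumes /proc/mounts uses the same column layout as /etc/fstab, so the same check covers both the configured and the live mount.

```shell
#!/bin/sh
# Added example: verify the devpts mount options from Comment 9.
# Function names are hypothetical, not part of any Fedora tool.

# devpts_opts FILE MOUNTPOINT
# Print the options field (column 4) of the devpts entry for MOUNTPOINT.
# Works on fstab-format files; commented-out lines are ignored.
devpts_opts() {
    awk -v mp="$2" '
        /^[ \t]*#/ { next }
        $3 == "devpts" && $2 == mp { opts = $4 }
        END { if (opts != "") print opts }
    ' "$1"
}

# has_opt OPTS WANTED
# Succeed only if the comma-separated list OPTS contains WANTED exactly,
# so that ptmxmode=620 is not mistaken for mode=620.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_devpts FILE [MOUNTPOINT]
# Returns 0 if both options are present, 1 if one is missing,
# 2 if FILE has no devpts entry for MOUNTPOINT.
check_devpts() {
    file=$1
    mp=${2:-/dev/pts}
    opts=$(devpts_opts "$file" "$mp")
    if [ -z "$opts" ]; then
        echo "$file: no devpts entry for $mp"
        return 2
    fi
    rc=0
    for want in gid=5 mode=620; do
        if ! has_opt "$opts" "$want"; then
            echo "$file: devpts on $mp lacks $want (has: $opts)"
            rc=1
        fi
    done
    if [ "$rc" -eq 0 ]; then echo "$file: devpts on $mp ok ($opts)"; fi
    return "$rc"
}

# Check any files given on the command line,
# e.g.: sh check_devpts.sh /etc/fstab /proc/mounts
for f in "$@"; do check_devpts "$f"; done
```

Checking /proc/mounts as well as /etc/fstab shows whether the edited line has actually taken effect on the running system.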

Comment 10 Miroslav Grepl 2009-08-23 18:15:02 UTC
I have fixed this in selinux-policy-3.6.12-79.fc11. I am going to push out a new F11 update tomorrow.

Available from Koji for now

http://koji.fedoraproject.org/koji/buildinfo?buildID=128076

Comment 11 Fedora Update System 2009-08-24 15:44:57 UTC
selinux-policy-3.6.12-80.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.12-80.fc11

Comment 12 Jurgen Kramer 2009-08-24 15:47:26 UTC
I've modified my fstab as suggested by Daniel and updated to the new policy from koji. After a reboot, virt-manager runs clean, no more avc. Thanks.

Comment 13 Fedora Update System 2009-08-25 04:26:40 UTC
selinux-policy-3.6.12-80.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-8895

Comment 14 Fedora Update System 2009-08-28 21:56:39 UTC
selinux-policy-3.6.12-80.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.