Bug 525581

Summary: SELinux prevented pt_chown from using the terminal 1.
Product: [Fedora] Fedora
Component: qemu
Version: 11
Hardware: All
OS: Linux
Status: CLOSED DUPLICATE
Severity: high
Priority: high
Reporter: Guy Streeter <streeter>
Assignee: Glauber Costa <gcosta>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: berrange, dwmw2, gcosta, itamar, jaswinder, jforbes, markmc, nobody, patmans, quintela, virt-maint
Doc Type: Bug Fix
Last Closed: 2009-10-01 16:30:54 UTC

Description Guy Streeter 2009-09-24 21:49:28 UTC
Summary:

SELinux prevented pt_chown from using the terminal 1.

Detailed Description:

SELinux prevented pt_chown from using the terminal 1. In most cases daemons do
not need to interact with the terminal, usually these avc messages can be
ignored. All of the confined daemons should have dontaudit rules around using
the terminal. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this selinux-policy.
If you would like to allow all daemons to interact with the terminal, you can
turn on the allow_daemons_use_tty boolean.

Allowing Access:

Changing the "allow_daemons_use_tty" boolean to true will allow this access:
"setsebool -P allow_daemons_use_tty=1."

Fix Command:

setsebool -P allow_daemons_use_tty=1

Additional Information:

Source Context                system_u:system_r:svirt_t:s0:c269,c551
Target Context                system_u:object_r:devpts_t:s0:c269,c551
Target Objects                1 [ chr_file ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          localhost
Source RPM Packages           glibc-common-2.10.1-5
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-82.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_daemons_use_tty
Host Name                     dhcp-64.hsv.redhat.com
Platform                      Linux dhcp-64.hsv.redhat.com
                              2.6.30.5-43.fc11.x86_64 #1 SMP Thu Aug 27 21:39:52
                              EDT 2009 x86_64 x86_64
Alert Count                   2
First Seen                    Thu 24 Sep 2009 04:39:13 PM CDT
Last Seen                     Thu 24 Sep 2009 04:39:13 PM CDT
Local ID                      71316b34-6bac-4107-9420-213b6960cd5f
Line Numbers                  

Raw Audit Messages            

node=localhost type=AVC msg=audit(1253828353.245:75): avc:  denied  { setattr } for  pid=12976 comm="pt_chown" name="1" dev=devpts ino=4 scontext=system_u:system_r:svirt_t:s0:c269,c551 tcontext=system_u:object_r:devpts_t:s0:c269,c551 tclass=chr_file

node=localhost type=SYSCALL msg=audit(1253828353.245:75): arch=c000003e syscall=92 success=no exit=-13 a0=7ffee9a401d0 a1=0 a2=5 a3=7fff78902a90 items=0 ppid=12972 pid=12976 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pt_chown" exe="/usr/libexec/pt_chown" subj=system_u:system_r:svirt_t:s0:c269,c551 key=(null)

Comment 1 Guy Streeter 2009-09-29 21:04:02 UTC
Using the recommended

setsebool -P allow_daemons_use_tty=1

doesn't help. I still get the SELinux violation and am unable to start a new VM.

Unable to complete install '<class 'libvirt.libvirtError'> internal error unable to start guest: qemu: could not open monitor device 'pty'

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/create.py", line 1501, in do_install
    dom = guest.start_install(False, meter = meter)
  File "/usr/lib/python2.6/site-packages/virtinst/Guest.py", line 541, in start_install
    return self._do_install(consolecb, meter, removeOld, wait)
  File "/usr/lib/python2.6/site-packages/virtinst/Guest.py", line 633, in _do_install
    self.domain = self.conn.createLinux(install_xml, 0)
  File "/usr/lib64/python2.6/site-packages/libvirt.py", line 974, in createLinux
    if ret is None:raise libvirtError('virDomainCreateLinux() failed', conn=self)
libvirtError: internal error unable to start guest: qemu: could not open monitor device 'pty'

Comment 2 Patrick Mansfield 2009-09-30 16:52:25 UTC
(In reply to comment #1)
> using the recommended
> 
> setsebool -P allow_daemons_use_tty=1
> 
> doesn't help. I still get the selinux violation and am unable to start a new
> vm.

I had a similar problem just now; it was working yesterday.

I rebooted today and tried to run an existing VM. It failed with the "could not open pty" and an SELinux alert.

I checked, and allow_daemons_use_tty was on:

[root@palm ~]# getsebool allow_daemons_use_tty
allow_daemons_use_tty --> on

I "set" it again:

[root@palm ~]# setsebool -P allow_daemons_use_tty=1
[root@palm ~]# getsebool allow_daemons_use_tty
allow_daemons_use_tty --> on

And then when I ran the VM it started up *but* I might have still gotten another selinux alert for the pty - I can't tell since I had multiple alerts, and don't know if there are any VM logs that show the time I "ran" the instance.

Comment 3 Guy Streeter 2009-10-01 16:07:06 UTC
Raising the severity on this as I am unable to use Virtual Machine Manager at all because of it.

Comment 4 Mark McLoughlin 2009-10-01 16:30:54 UTC
Marking as a duplicate of bug #515521

I think you just need selinux-policy-3.6.12-82.fc11 and the /dev/pts line in /etc/fstab fixed to look like:

devpts     /dev/pts   devpts  gid=5,mode=620   0 0

*** This bug has been marked as a duplicate of bug 515521 ***
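
Added example, not part of the original report: Python that decodes the AVC/SYSCALL pair from the Description (on x86_64, syscall 92 is chown, so pt_chown was trying to set group 5 on the pty) and checks fstab text for the devpts options given in comment 4. The function names are hypothetical, and the SYSCALL record is trimmed to the fields used here.

```python
import re

# Audit records copied from the Description (SYSCALL trimmed to the fields used).
AVC = ('node=localhost type=AVC msg=audit(1253828353.245:75): avc:  denied  { setattr } '
       'for  pid=12976 comm="pt_chown" name="1" dev=devpts ino=4 '
       'scontext=system_u:system_r:svirt_t:s0:c269,c551 '
       'tcontext=system_u:object_r:devpts_t:s0:c269,c551 tclass=chr_file')
SYSCALL = ('node=localhost type=SYSCALL msg=audit(1253828353.245:75): arch=c000003e '
           'syscall=92 success=no exit=-13 a0=7ffee9a401d0 a1=0 a2=5 '
           'comm="pt_chown" exe="/usr/libexec/pt_chown"')

X86_64_CHOWN = ("c000003e", "92")  # AUDIT_ARCH_X86_64, __NR_chown

def fields(record):
    """key=value pairs of one audit record, with quotes stripped."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}

def event_id(record):
    """The timestamp:serial that ties records of one audit event together."""
    return re.search(r'msg=audit\(([^)]+)\)', record).group(1)

def decode_denial(avc, syscall):
    """Join an AVC and a SYSCALL record that share one audit event id."""
    if event_id(avc) != event_id(syscall):
        raise ValueError("records belong to different audit events")
    a, s = fields(avc), fields(syscall)
    out = {"perm": re.search(r'\{ ([^}]+) \}', avc).group(1).split(),
           "source_type": a["scontext"].split(":")[2],
           "target_type": a["tcontext"].split(":")[2],
           "tclass": a["tclass"], "exe": s["exe"]}
    if (s["arch"], s["syscall"]) == X86_64_CHOWN:
        # chown(path, uid, gid): audit logs the arguments in hex
        out["chown_uid"], out["chown_gid"] = int(s["a1"], 16), int(s["a2"], 16)
    return out

def devpts_fstab_problems(fstab_text, want_gid=5, want_mode="620"):
    """Problems with the devpts entry; an empty list means it matches comment 4."""
    for line in fstab_text.splitlines():
        cols = line.split("#", 1)[0].split()
        if len(cols) >= 4 and cols[2] == "devpts":
            opts = dict(o.partition("=")[::2] for o in cols[3].split(","))
            return [f"{k} is {opts.get(k)!r}, expected {v!r}"
                    for k, v in (("gid", str(want_gid)), ("mode", want_mode))
                    if opts.get(k) != v]
    return ["no devpts entry"]
```

On a host, pass the contents of /etc/fstab to `devpts_fstab_problems`; the group that `decode_denial` reports for the denied chown is the same `gid=5` that the corrected mount options set.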