Summary:
SELinux is preventing /usr/libexec/pt_chown access to a leaked
/var/lib/libvirt/images/Fedora12Beta.img file descriptor.
Detailed Description:
[SELinux is in permissive mode. This access was not denied.]
SELinux denied access requested by the pt_chown command. It looks like this is
either a leaked descriptor or pt_chown output was redirected to a file it is not
allowed to access. Leaks usually can be ignored since SELinux is just closing
the leak and reporting the error. The application does not use the descriptor,
so it will run properly. If this is a redirection, you will not get output in
the /var/lib/libvirt/images/Fedora12Beta.img. You should generate a bugzilla on
selinux-policy, and it will get routed to the appropriate package. You can
safely ignore this avc.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
Additional Information:
Source Context: system_u:system_r:ptchown_t:s0:c8,c783
Target Context: system_u:object_r:svirt_image_t:s0:c8,c783
Target Objects: /var/lib/libvirt/images/Fedora12Beta.img [ file ]
Source: pt_chown
Source Path: /usr/libexec/pt_chown
Port: <Unknown>
Host: (removed)
Source RPM Packages: glibc-common-2.10.90-25
Target RPM Packages:
Policy RPM: selinux-policy-3.6.32-27.fc12
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: leaks
Host Name: (removed)
Platform: Linux (removed) 2.6.31.1-56.fc12.x86_64 #1 SMP Tue Sep 29 16:16:22 EDT 2009 x86_64 x86_64
Alert Count: 3
First Seen: Wed 21 Oct 2009 10:08:48 PM CEST
Last Seen: Wed 21 Oct 2009 10:08:48 PM CEST
Local ID: fb3c42a4-1e94-4adf-9074-e7e2060a39e9
Line Numbers:
Raw Audit Messages
node=(removed) type=AVC msg=audit(1256155728.116:88): avc: denied { read write } for pid=31233 comm="pt_chown" path="/var/lib/libvirt/images/Fedora12Beta.img" dev=sda8 ino=132856 scontext=system_u:system_r:ptchown_t:s0:c8,c783 tcontext=system_u:object_r:svirt_image_t:s0:c8,c783 tclass=file
node=(removed) type=AVC msg=audit(1256155728.116:88): avc: denied { read write } for pid=31233 comm="pt_chown" path="socket:[92458]" dev=sockfs ino=92458 scontext=system_u:system_r:ptchown_t:s0:c8,c783 tcontext=system_u:system_r:svirt_t:s0:c8,c783 tclass=unix_stream_socket
node=(removed) type=AVC msg=audit(1256155728.116:88): avc: denied { read write } for pid=31233 comm="pt_chown" path="/dev/net/tun" dev=tmpfs ino=6436 scontext=system_u:system_r:ptchown_t:s0:c8,c783 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file
node=(removed) type=SYSCALL msg=audit(1256155728.116:88): arch=c000003e syscall=59 success=yes exit=0 a0=32a8341869 a1=7fffdb7453e0 a2=0 a3=32a9018230 items=0 ppid=31231 pid=31233 auid=4294967295 uid=107 gid=107 euid=0 suid=0 fsuid=0 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="pt_chown" exe="/usr/libexec/pt_chown" subj=system_u:system_r:ptchown_t:s0:c8,c783 key=(null)
Hash String generated from selinux-policy-3.6.32-27.fc12,leaks,pt_chown,ptchown_t,svirt_image_t,file,read,write
audit2allow suggests:
#============= ptchown_t ==============
allow ptchown_t svirt_image_t:file { read write };
allow ptchown_t svirt_t:unix_stream_socket { read write };
allow ptchown_t tun_tap_device_t:chr_file { read write };
This is a leaked file descriptor from qemu which should be changed.
But the error is caused by a bad entry in your /etc/fstab that was introduced in F11.
Your /etc/fstab devpts line should look like
grep devpts /etc/fstab
devpts /dev/pts devpts gid=5,mode=620 0 0
Otherwise svirt through glibc will attempt to fix the labeling of the pty. Fixing this and executing mount -a should fix the problem.
The leaked file descriptor issue is tracked by bug #528134
The underlying issue with devpts in /dev/pts is bug #515521
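A check for both conditions the comment describes, added here as an example (it is not code from the bug report, glibc or libvirt): devpts_fstab_ok verifies that an fstab's devpts entry carries gid=5,mode=620, so glibc has no need to run the setuid pt_chown helper, and ptchown_leaks lists what pt_chown was caught holding open in the raw AVC messages. The fstab and audit samples are constructed from the values in this report; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the bug report): devpts_fstab_ok FSTAB exits 0 when the
# devpts entry carries gid=5 and mode=620, the options that let glibc skip the
# setuid pt_chown helper; ptchown_leaks AUDITLOG prints "tclass path" for each AVC
# line where pt_chown was holding a descriptor it should not have. Samples are constructed.
devpts_fstab_ok() {
    awk '
        /^[[:space:]]*#/ { next }
        $2 == "/dev/pts" && $3 == "devpts" {
            found = 1
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) {
                if (opt[i] == "gid=5") g = 1
                if (opt[i] == "mode=620" || opt[i] == "mode=0620") m = 1   # same octal mode
            }
        }
        END { exit !(found && g && m) }' "$1"
}
ptchown_leaks() {
    awk '
        /type=AVC/ && /comm="pt_chown"/ {
            p = ""; c = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^path=/)   { p = substr($i, 6); gsub(/"/, "", p) }
                if ($i ~ /^tclass=/) { c = substr($i, 8) }
            }
            if (p != "" && c != "") print c, p
        }' "$1"
}
# Write the constructed samples (values taken from this report) to a temp dir; print its path.
write_samples() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '# constructed: the defaults-only line a bad F11 upgrade leaves behind' \
        'devpts /dev/pts devpts defaults 0 0' > "$dir/fstab.bad"
    printf '%s\n' 'devpts /dev/pts devpts gid=5,mode=620 0 0' > "$dir/fstab.good"
    cat > "$dir/audit.log" <<'EOF'
type=AVC msg=audit(1256155728.116:88): avc: denied { read write } for pid=31233 comm="pt_chown" path="/var/lib/libvirt/images/Fedora12Beta.img" dev=sda8 ino=132856 scontext=system_u:system_r:ptchown_t:s0:c8,c783 tcontext=system_u:object_r:svirt_image_t:s0:c8,c783 tclass=file
type=AVC msg=audit(1256155728.116:88): avc: denied { read write } for pid=31233 comm="pt_chown" path="socket:[92458]" dev=sockfs ino=92458 scontext=system_u:system_r:ptchown_t:s0:c8,c783 tcontext=system_u:system_r:svirt_t:s0:c8,c783 tclass=unix_stream_socket
type=AVC msg=audit(1256155728.116:88): avc: denied { read write } for pid=31233 comm="pt_chown" path="/dev/net/tun" dev=tmpfs ino=6436 scontext=system_u:system_r:ptchown_t:s0:c8,c783 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file
EOF
    printf '%s\n' "$dir"
}
# Demo on the samples; on a live host use devpts_fstab_ok /etc/fstab and ptchown_leaks /var/log/audit/audit.log
samples=$(write_samples)
for f in fstab.good fstab.bad; do
    if devpts_fstab_ok "$samples/$f"; then echo "$f: ok"; else echo "$f: pt_chown will be invoked"; fi
done
ptchown_leaks "$samples/audit.log"
rm -rf "$samples"
```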
*** This bug has been marked as a duplicate of bug 515521 ***