Bug 530192

Summary: SELinux is preventing /usr/libexec/pt_chown access to a leaked /var/lib/libvirt/images/Fedora12Beta.img file descriptor.
Product: Fedora
Component: qemu
Version: rawhide
Hardware: x86_64
OS: Linux
Priority: low
Severity: medium
Status: CLOSED DUPLICATE
Reporter: Martin Kho <rh-bugzilla>
Assignee: Glauber Costa <gcosta>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: berrange, dwalsh, dwmw2, gcosta, itamar, jaswinder, jforbes, markmc, mgrepl, quintela, virt-maint
Whiteboard: setroubleshoot_trace_hash:8bfa4b3a115fc94bc650714b30c0c42b4c6cd09f16a2fadb5eae395fe1d53b4b
Doc Type: Bug Fix
Last Closed: 2009-10-23 13:01:32 UTC

Description Martin Kho 2009-10-21 20:17:00 UTC
Summary:

SELinux is preventing /usr/libexec/pt_chown access to a leaked
/var/lib/libvirt/images/Fedora12Beta.img file descriptor.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by the pt_chown command. It looks like this is
either a leaked descriptor or pt_chown output was redirected to a file it is not
allowed to access. Leaks usually can be ignored since SELinux is just closing
the leak and reporting the error. The application does not use the descriptor,
so it will run properly. If this is a redirection, you will not get output in
the /var/lib/libvirt/images/Fedora12Beta.img. You should generate a bugzilla on
selinux-policy, and it will get routed to the appropriate package. You can
safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                system_u:system_r:ptchown_t:s0:c8,c783
Target Context                system_u:object_r:svirt_image_t:s0:c8,c783
Target Objects                /var/lib/libvirt/images/Fedora12Beta.img [ file ]
Source                        pt_chown
Source Path                   /usr/libexec/pt_chown
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           glibc-common-2.10.90-25
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-27.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.1-56.fc12.x86_64
                              #1 SMP Tue Sep 29 16:16:22 EDT 2009 x86_64 x86_64
Alert Count                   3
First Seen                    Wed 21 Oct 2009 10:08:48 PM CEST
Last Seen                     Wed 21 Oct 2009 10:08:48 PM CEST
Local ID                      fb3c42a4-1e94-4adf-9074-e7e2060a39e9
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1256155728.116:88): avc:  denied  { read write } for  pid=31233 comm="pt_chown" path="/var/lib/libvirt/images/Fedora12Beta.img" dev=sda8 ino=132856 scontext=system_u:system_r:ptchown_t:s0:c8,c783 tcontext=system_u:object_r:svirt_image_t:s0:c8,c783 tclass=file

node=(removed) type=AVC msg=audit(1256155728.116:88): avc:  denied  { read write } for  pid=31233 comm="pt_chown" path="socket:[92458]" dev=sockfs ino=92458 scontext=system_u:system_r:ptchown_t:s0:c8,c783 tcontext=system_u:system_r:svirt_t:s0:c8,c783 tclass=unix_stream_socket

node=(removed) type=AVC msg=audit(1256155728.116:88): avc:  denied  { read write } for  pid=31233 comm="pt_chown" path="/dev/net/tun" dev=tmpfs ino=6436 scontext=system_u:system_r:ptchown_t:s0:c8,c783 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file

node=(removed) type=SYSCALL msg=audit(1256155728.116:88): arch=c000003e syscall=59 success=yes exit=0 a0=32a8341869 a1=7fffdb7453e0 a2=0 a3=32a9018230 items=0 ppid=31231 pid=31233 auid=4294967295 uid=107 gid=107 euid=0 suid=0 fsuid=0 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="pt_chown" exe="/usr/libexec/pt_chown" subj=system_u:system_r:ptchown_t:s0:c8,c783 key=(null)
Hash String generated from  selinux-policy-3.6.32-27.fc12,leaks,pt_chown,ptchown_t,svirt_image_t,file,read,write
audit2allow suggests:

#============= ptchown_t ==============
allow ptchown_t svirt_image_t:file { read write };
allow ptchown_t svirt_t:unix_stream_socket { read write };
allow ptchown_t tun_tap_device_t:chr_file { read write };

Comment 1 Daniel Walsh 2009-10-21 20:50:09 UTC
This is a leaked file descriptor from qemu which should be changed.

But the error is caused by a bad entry in your /etc/fstab, that was introduced in F11.

Your /etc/fstab devpts line should look like

grep devpts /etc/fstab 
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0

Otherwise svirt through glibc will attempt to fix the labeling of the pty. Fixing this and executing mount -a should fix the problem.
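
The "leaked descriptor" in the report is a file descriptor qemu opened without O_CLOEXEC, which pt_chown then inherits across exec and touches from its own SELinux domain. As an added example (not the bug report's, qemu's or libvirt's code), this Linux-only Python script reads /proc/<pid>/fdinfo to list the descriptors a running process would hand to any helper it executes; the fdinfo layout and the O_CLOEXEC value are Linux's, and the self-check opens /dev/null in the current process.

```python
"""Find file descriptors a process would leak across execve(). Added example,
not code from the bug report, qemu or libvirt. A descriptor opened without
O_CLOEXEC survives exec(), so a helper such as pt_chown inherits it and SELinux
reports the access under the helper's domain: the 'leaks' pattern shown above."""
import os
import re
from pathlib import Path

O_CLOEXEC = 0o2000000  # O_CLOEXEC on Linux (asm-generic/fcntl.h); needs /proc

def parse_fdinfo_flags(text: str) -> int:
    """Return the octal 'flags:' field of a /proc/<pid>/fdinfo/<fd> entry."""
    m = re.search(r"^flags:\s*([0-7]+)\s*$", text, re.MULTILINE)
    if not m:
        raise ValueError("no flags field in fdinfo")
    return int(m.group(1), 8)

def leaks_across_exec(fdinfo_text: str) -> bool:
    """True if the descriptor lacks O_CLOEXEC and so is inherited by children."""
    return not parse_fdinfo_flags(fdinfo_text) & O_CLOEXEC

def leaked_fds(pid: int) -> dict:
    """Map fd -> target for every fd of pid (above stdio) that lacks O_CLOEXEC."""
    leaks = {}
    for entry in Path(f"/proc/{pid}/fd").iterdir():
        fd = int(entry.name)
        if fd < 3:  # stdin/stdout/stderr are meant to be inherited
            continue
        try:
            info = Path(f"/proc/{pid}/fdinfo/{fd}").read_text()
            target = os.readlink(entry)
        except OSError:  # fd closed between listing and reading it
            continue
        if leaks_across_exec(info):
            leaks[fd] = target
    return leaks

def self_check() -> dict:
    """Open /dev/null twice, once CLOEXEC (Python's default) and once
    inheritable as a leaking daemon would, and report which one is flagged."""
    safe = os.open("/dev/null", os.O_RDWR)
    leaky = os.open("/dev/null", os.O_RDWR)
    os.set_inheritable(leaky, True)  # clears FD_CLOEXEC
    found = leaked_fds(os.getpid())
    os.close(safe)
    os.close(leaky)
    return {"safe_flagged": safe in found, "leaky_flagged": leaky in found}

if __name__ == "__main__":
    print(self_check())  # {'safe_flagged': False, 'leaky_flagged': True}
```

Run it against a qemu process id to confirm the leak before filing with qemu; an empty result means every non-stdio descriptor is close-on-exec and a helper like pt_chown cannot inherit the disk image.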

Comment 2 Daniel Walsh 2009-10-21 20:50:52 UTC
*** Bug 530191 has been marked as a duplicate of this bug. ***

Comment 3 Daniel Walsh 2009-10-21 20:51:10 UTC
*** Bug 530189 has been marked as a duplicate of this bug. ***

Comment 4 Martin Kho 2009-10-21 21:13:33 UTC
Hi,

Thanks, it fixed it.

Martin Kho

Comment 5 Mark McLoughlin 2009-10-23 13:01:32 UTC
The leaked file descriptor issue is tracked by bug #528134

The underlying issue with devpts in /dev/pts is bug #515521

*** This bug has been marked as a duplicate of bug 515521 ***