Bug 785411

Summary: SELinux is preventing /usr/libexec/libvirt_lxc from 'execute' accesses on the None /usr/libexec/pt_chown.
Product: [Fedora] Fedora Reporter: Robin Green <greenrd>
Component: libvirtAssignee: Libvirt Maintainers <libvirt-maint>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 16CC: berrange, clalancette, crobinso, dominick.grift, dougsland, dwalsh, eblake, itamar, jforbes, laine, libvirt-maint, mgrepl, veillard, virt-maint
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:89925e5f6c0f711f71c9fbc1e11cc62ece75311612128c088471937225b2fa03
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-07-05 23:44:51 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Robin Green 2012-01-28 19:24:47 UTC 
libreport version: 2.0.8
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.2.2-1.fc16.x86_64
reason:         SELinux is preventing /usr/libexec/libvirt_lxc from 'execute' accesses on the None /usr/libexec/pt_chown.
time:           Sat 28 Jan 2012 07:24:26 PM GMT

description:
:SELinux is preventing /usr/libexec/libvirt_lxc from 'execute' accesses on the None /usr/libexec/pt_chown.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that libvirt_lxc should be allowed execute access on the pt_chown <Unknown> by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep libvirt_lxc /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023
:Target Context                system_u:object_r:ptchown_exec_t:s0
:Target Objects                /usr/libexec/pt_chown [ None ]
:Source                        libvirt_lxc
:Source Path                   /usr/libexec/libvirt_lxc
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           
:Target RPM Packages           
:Policy RPM                    <Unknown>
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.2.2-1.fc16.x86_64 #1 SMP Thu Jan
:                              26 03:21:58 UTC 2012 x86_64 x86_64
:Alert Count                   1
:First Seen                    Sat 28 Jan 2012 07:22:19 PM GMT
:Last Seen                     Sat 28 Jan 2012 07:22:19 PM GMT
:Local ID                      61f7501b-d0bc-43fa-98f1-acdd09437aa1
:
:Raw Audit Messages
:type=AVC msg=audit(1327778539.344:280): avc:  denied  { execute } for  pid=6993 comm="libvirt_lxc" name="pt_chown" dev=dm-1 ino=21673 scontext=system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ptchown_exec_t:s0 tclass=filenode=(removed) type=SYSCALL msg=audit(1327778539.344:280): arch=c000003e syscall=59 success=no exit=-13 a0=306bd73955 a1=7fff5ac44af0 a2=0 a3=0 items=0 ppid=6975 pid=6993 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="libvirt_lxc" exe="/usr/libexec/libvirt_lxc" subj=system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023 key=(null)
:
:
:Hash: libvirt_lxc,virtd_lxc_t,ptchown_exec_t,None,execute
:
:audit2allow
:
:
:audit2allow -R
:
:
Comment 1 Daniel Walsh 2012-01-28 19:43:52 UTC 
Does not seem like something libvirt_lxc should be doing.
Comment 2 Cole Robinson 2012-06-07 19:58:20 UTC 
Robin, can you provide more info about what you were doing when this issue popped up?

/usr/libexec/pt_chown comes from glibc-common FYI, so probably a side effect of some stdlib call?
Comment 3 Eric Blake 2012-06-07 20:19:22 UTC 
libvirt_lxc MUST create ptys in the LXC that are owned by the new namespace.  However, we recently modified the container pty creation to bypass glibc (glibc's pt implementation is not namespace aware):

commit 80710c69fee323870b2a8239d93c5e5dddf28366
Author: Serge E. Hallyn <serge.hallyn>
Date:   Tue Oct 18 20:39:57 2011 -0500

    lxc: use hand-rolled code in place of unlockpt and grantpt
    
    The glibc ones (intentionally) cannot handle ptys opened in a
    devpts not mounted at /dev/pts.
    
    Drop the (un-exported, unused) virFileOpenTtyAt.
    
    Signed-off-by: Serge Hallyn <serge.hallyn>
    Signed-off-by: Eric Blake <eblake>

I think F17 is immune as a result.  For now, I'm marking this POST, in case backporting just this one patch is easy for F16, but if it turns out to be difficult, we may just mark it as WONTFIX for F16 (after all, we have a number of other LXC usability issues in F16 that we won't be fixing, but recommend F17 instead).
Comment 4 Fedora Update System 2012-06-24 23:55:07 UTC 
libvirt-0.9.6.1-1.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/libvirt-0.9.6.1-1.fc16
Comment 5 Fedora Update System 2012-06-26 00:55:42 UTC 
Package libvirt-0.9.6.1-1.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing libvirt-0.9.6.1-1.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-9913/libvirt-0.9.6.1-1.fc16
then log in and leave karma (feedback).
Comment 6 Fedora Update System 2012-07-05 23:44:51 UTC 
libvirt-0.9.6.1-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.