Bug 840858

Summary: can't connect to virsh console with disabled unconfined module
Product: Red Hat Enterprise Linux 7 Reporter: Petr Lautrbach <plautrba>
Component: selinux-policy Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.0 CC: mmalik
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Last Closed: 2014-06-13 12:43:16 UTC Type: Bug

Description Petr Lautrbach 2012-07-17 12:04:43 UTC
Description of problem:
I can run and stop a virtual machine with the virsh command, but I can't connect to the console:

$ virsh start rawhide
Domain rawhide started

$ virsh console rawhide
Connected to domain rawhide
Escape character is ^]
error: Couldn't create lock file for pty '/dev/pts/18' in path '/var/lock/LCK.._pts_18': Permission denied

# semodule -l | grep unconfined
unconfined      3.3.0   Disabled
unconfineduser  1.0.0

# rpm -q selinux-policy
selinux-policy-3.10.0-137.el7.noarch


AVCs in permissive mode:
----
time->Tue Jul 17 13:52:54 2012
type=SYSCALL msg=audit(1342525974.276:5497): arch=c000003e syscall=2 success=yes exit=20 a0=7fbde0001b30 a1=c1 a2=1a4 a3=c items=0 ppid=1 pid=871 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1342525974.276:5497): avc:  denied  { write open } for  pid=871 comm="libvirtd" name="LCK.._pts_18" dev="tmpfs" ino=35051143 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1342525974.276:5497): avc:  denied  { create } for  pid=871 comm="libvirtd" name="LCK.._pts_18" scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1342525974.276:5497): avc:  denied  { add_name } for  pid=871 comm="libvirtd" name="LCK.._pts_18" scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1342525974.276:5497): avc:  denied  { write } for  pid=871 comm="libvirtd" name="lock" dev="tmpfs" ino=12303 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
----
time->Tue Jul 17 13:52:54 2012
type=SYSCALL msg=audit(1342525974.276:5496): arch=c000003e syscall=2 success=no exit=-2 a0=7fbde0001b30 a1=0 a2=0 a3=17 items=0 ppid=1 pid=871 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1342525974.276:5496): avc:  denied  { read } for  pid=871 comm="libvirtd" name="lock" dev="dm-1" ino=1573725 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file
----
time->Tue Jul 17 13:52:56 2012
type=SYSCALL msg=audit(1342525976.268:5498): arch=c000003e syscall=87 success=yes exit=0 a0=1697de0 a1=0 a2=7fbe0937c728 a3=17 items=0 ppid=1 pid=866 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1342525976.268:5498): avc:  denied  { unlink } for  pid=866 comm="libvirtd" name="LCK.._pts_18" dev="tmpfs" ino=35051143 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1342525976.268:5498): avc:  denied  { remove_name } for  pid=866 comm="libvirtd" name="LCK.._pts_18" dev="tmpfs" ino=35051143 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
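
The AVC records above, grouped by source type, target type and object class, as an added example that is not part of the original report or of any SELinux tool. The function names are hypothetical, and the rule-style output is a reading aid for triage; the fix recorded later in this report was a dedicated label for libvirt's lock files.

```python
import re
from collections import defaultdict

# AVC records copied from the report above (SYSCALL records and separators omitted).
AVC_LOG = """\
type=AVC msg=audit(1342525974.276:5497): avc:  denied  { write open } for  pid=871 comm="libvirtd" name="LCK.._pts_18" dev="tmpfs" ino=35051143 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1342525974.276:5497): avc:  denied  { create } for  pid=871 comm="libvirtd" name="LCK.._pts_18" scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1342525974.276:5497): avc:  denied  { add_name } for  pid=871 comm="libvirtd" name="LCK.._pts_18" scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1342525974.276:5497): avc:  denied  { write } for  pid=871 comm="libvirtd" name="lock" dev="tmpfs" ino=12303 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1342525974.276:5496): avc:  denied  { read } for  pid=871 comm="libvirtd" name="lock" dev="dm-1" ino=1573725 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file
type=AVC msg=audit(1342525976.268:5498): avc:  denied  { unlink } for  pid=866 comm="libvirtd" name="LCK.._pts_18" dev="tmpfs" ino=35051143 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1342525976.268:5498): avc:  denied  { remove_name } for  pid=866 comm="libvirtd" name="LCK.._pts_18" dev="tmpfs" ino=35051143 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
"""

# Permissions sit inside "{ ... }"; the two contexts and the class close the record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]

def summarize_denials(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (SYSCALL record, separator, timestamp)
        key = (selinux_type(m["scontext"]), selinux_type(m["tcontext"]), m["tclass"])
        grouped[key].update(m["perms"].split())
    return {key: sorted(perms) for key, perms in grouped.items()}

def as_rules(summary):
    """Render each group in allow-rule syntax for review, not for loading as policy."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};" for (s, t, c), p in sorted(summary.items())]

if __name__ == "__main__":
    for rule in as_rules(summarize_denials(AVC_LOG)):
        print(rule)
```

Every denial collapses to the same pair, virtd_t acting on the generic var_lock_t, across the file, dir and lnk_file classes.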

Comment 1 Daniel Walsh 2012-07-19 17:55:13 UTC
Are these LCK files in a particular directory?

Comment 2 Petr Lautrbach 2012-07-23 10:49:59 UTC
According to the error message "Couldn't create lock file for pty '/dev/pts/18' in path '/var/lock/LCK.._pts_18': Permission denied" and configure.ac from the libvirt source, they seem to always be located in /var/lock.

Comment 3 Daniel Walsh 2012-07-23 15:54:28 UTC
OK, I added a label for lock files created by libvirt.

Should be fixed in selinux-policy-3.11.0-12.el7

Comment 6 Ludek Smid 2014-06-13 12:43:16 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.