Bug 503421 - setsebool -P allow_daemons_use_tty=1 doesn't work with virtual machine
setsebool -P allow_daemons_use_tty=1 doesn't work with virtual machine
Status: CLOSED WORKSFORME
Product: Fedora
Classification: Fedora
Component: setroubleshoot (Show other bugs)
10
All Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-05-31 16:52 EDT by Rene Pilz
Modified: 2009-06-13 16:30 EDT (History)
10 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-06-13 16:30:16 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Output of the ausearch-command (590 bytes, text/plain)
2009-06-05 06:07 EDT, Rene Pilz
no flags Details
output of the getsebool-command (you can see, it should be allowed!) (81 bytes, text/plain)
2009-06-05 06:08 EDT, Rene Pilz
no flags Details
the full selinux-alert entry (2.60 KB, text/plain)
2009-06-05 06:09 EDT, Rene Pilz
no flags Details
virtmanager log (I don't know, but this entries are all completely old??) (25.51 KB, application/octet-stream)
2009-06-05 06:09 EDT, Rene Pilz
no flags Details
logfile of the virtual-machine (/var/log/libvirt/qemu/...) (719 bytes, text/plain)
2009-06-05 06:11 EDT, Rene Pilz
no flags Details

  None (edit)
Description Rene Pilz 2009-05-31 16:52:16 EDT
Description of problem:

When configuring a virtual machine (using virt-manager) and adding /dev/ttyS0 to this virtual machine, there always comes a SELinux-Error not removeable.

Version-Release number of selected component (if applicable):
kvm.x86_64                           74-10.fc10                   installed 
libselinux.x86_64                    2.0.78-1.fc10                installed     
selinux-policy-minimum.noarch        3.5.13-59.fc10               updates       
selinux-policy-mls.noarch            3.5.13-59.fc10               updates       


How reproducible:
each time

Steps to Reproduce:
1. configuring a virtual machine,
2. adding /dev/ttyS0 to this machine
3. start the machine

Sniplet of /etc/libvirt/qemu/<virtual-machine-config>:
<serial type="dev">
        <source path="/dev/ttyS0"/>
        <target port="0"/>
      </serial>


Actual results:

The SELinux-Alerting-Monitor tells me that I should do a
sudo setsebool -P allow_daemons_use_tty=1

But this changes nothing.

Each time I start the virutal machine, I got the error.
The Virtual Machine also cannot connect to /dev/ttyS0

When doing a "getsebool allow_daemons_use_tty" it tells me "allowed" ???

Expected results:


Additional info:
Comment 1 Mark McLoughlin 2009-06-04 10:32:51 EDT
Please include the full SELinux error - e.g. try "ausearch -m AVC -ts recent"

Also, please include ~/.virt-manager/virt-manager.log and the log file for the guest from /var/log/libvirt/qemu
Comment 2 Rene Pilz 2009-06-05 06:07:59 EDT
Created attachment 346629 [details]
Output of the ausearch-command
Comment 3 Rene Pilz 2009-06-05 06:08:44 EDT
Created attachment 346630 [details]
output of the getsebool-command (you can see, it should be allowed!)
Comment 4 Rene Pilz 2009-06-05 06:09:17 EDT
Created attachment 346631 [details]
the full selinux-alert entry
Comment 5 Rene Pilz 2009-06-05 06:09:57 EDT
Created attachment 346632 [details]
virtmanager log (I don't know, but this entries are all completely old??)
Comment 6 Rene Pilz 2009-06-05 06:11:36 EDT
Created attachment 346634 [details]
logfile of the virtual-machine (/var/log/libvirt/qemu/...)
Comment 7 Mark McLoughlin 2009-06-05 06:56:14 EDT
Thanks Rene

dwalsh: this is F10; do we need an init_system_domain(qemu_t) ?
Comment 8 Daniel Walsh 2009-06-05 10:57:34 EDT
Try 
# setsebool -P qemu_use_comm 1

setroubleshoot is suggesting the incorrect boolean.

I will update the setroubleshoot plugins to report the correct boolean.
Comment 9 Daniel Walsh 2009-06-05 11:11:40 EDT
Fixed in setroubleshoot-plugins-2.0.18-1
Comment 10 Rene Pilz 2009-06-06 08:40:02 EDT
dwalsh: 
setsebool -P qemu_use_comm 1

worked perfect. Now no error rises (otherwise, /dev/ttyS0 is not available from the virtual-machine, but I guess there is anythink not configured perfect).

Regards
 Rene

Note You need to log in before you can comment on or make changes to this bug.