Bug 517234 - Cannot create new VM due to SELinux restrictions
Status: CLOSED DUPLICATE of bug 515521
Product: Fedora
Classification: Fedora
Component: kvm
Version: 11
Hardware: x86_64 Linux
Priority: low, Severity: high
Assigned To: Glauber Costa
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-08-13 02:52 EDT by Dagan McGregor
Modified: 2009-08-16 13:56 EDT
Last Closed: 2009-08-13 05:03:47 EDT

Description Dagan McGregor 2009-08-13 02:52:18 EDT
Description of problem:
Trying to create a new Windows VM in a fresh install of Fedora 11, using qemu-kvm and virt-manager GUI to create the VM.

Clicking 'Finish' on the VM create screen causes virt-manager to pause, then an error dialogue appears.

Version-Release number of selected component (if applicable):
Name       : libvirt
Arch       : x86_64
Version    : 0.6.2
Release    : 13.fc11

Name       : qemu-kvm
Arch       : x86_64
Epoch      : 2
Version    : 0.10.5
Release    : 3.fc11

Name       : virt-manager
Arch       : x86_64
Version    : 0.7.0
Release    : 5.fc11

Name       : selinux-policy
Arch       : noarch
Version    : 3.6.12
Release    : 72.fc11

Name       : selinux-policy-targeted
Arch       : noarch
Version    : 3.6.12
Release    : 72.fc11

How reproducible:
Every time

Steps to Reproduce:
1. Open virt-manager connection to QEMU-KVM
2. Select 'New' and provide settings for new VM 
3. Click 'Finish'
  
Actual results:
Error from virt-manager

Unable to complete install: 'internal error unable to start guest: qemu: could not open monitor device 'pty' '

Unable to complete install '<class 'libvirt.libvirtError'> internal error unable to start guest: qemu: could not open monitor device 'pty'

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/create.py", line 1501, in do_install
    dom = guest.start_install(False, meter = meter)
  File "/usr/lib/python2.6/site-packages/virtinst/Guest.py", line 541, in start_install
    return self._do_install(consolecb, meter, removeOld, wait)
  File "/usr/lib/python2.6/site-packages/virtinst/Guest.py", line 633, in _do_install
    self.domain = self.conn.createLinux(install_xml, 0)
  File "/usr/lib64/python2.6/site-packages/libvirt.py", line 974, in createLinux
    if ret is None:raise libvirtError('virDomainCreateLinux() failed', conn=self)
libvirtError: internal error unable to start guest: qemu: could not open monitor device 'pty' '

Summary:

SELinux prevented pt_chown from using the terminal 3.

Detailed Description:

SELinux prevented pt_chown from using the terminal 3. In most cases daemons do
not need to interact with the terminal, usually these avc messages can be
ignored. All of the confined daemons should have dontaudit rules around using
the terminal. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this selinux-policy.
If you would like to allow all daemons to interact with the terminal, you can
turn on the allow_daemons_use_tty boolean.

Allowing Access:

Changing the "allow_daemons_use_tty" boolean to true will allow this access:
"setsebool -P allow_daemons_use_tty=1."

Fix Command:

setsebool -P allow_daemons_use_tty=1

Additional Information:

Source Context                system_u:system_r:svirt_t:s0:c103,c1012
Target Context                system_u:object_r:devpts_t:s0:c103,c1012
Target Objects                3 [ chr_file ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          tighanardrigh
Source RPM Packages           glibc-common-2.10.1-4
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-72.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_daemons_use_tty
Host Name                     tighanardrigh
Platform                      Linux tighanardrigh 2.6.29.6-217.2.3.fc11.x86_64
                              #1 SMP Wed Jul 29 16:02:42 EDT 2009 x86_64 x86_64
Alert Count                   2
First Seen                    Thu 13 Aug 2009 06:27:38 PM NZST
Last Seen                     Thu 13 Aug 2009 06:27:38 PM NZST
Local ID                      174dc0c3-4789-4379-80a3-b70baee97fd2
Line Numbers                  

Raw Audit Messages            

node=tighanardrigh type=AVC msg=audit(1250144858.236:37160): avc:  denied  { setattr } for  pid=5516 comm="pt_chown" name="3" dev=devpts ino=6 scontext=system_u:system_r:svirt_t:s0:c103,c1012 tcontext=system_u:object_r:devpts_t:s0:c103,c1012 tclass=chr_file

node=tighanardrigh type=SYSCALL msg=audit(1250144858.236:37160): arch=c000003e syscall=92 success=no exit=918593496 a0=7f6bc84e81d0 a1=0 a2=5 a3=7ffff23cf6d0 items=0 ppid=5512 pid=5516 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pt_chown" exe="/usr/libexec/pt_chown" subj=system_u:system_r:svirt_t:s0:c103,c1012 key=(null)

Summary:

SELinux is preventing qemu-kvm (svirt_t) "setrlimit" svirt_t.

Detailed Description:

SELinux denied access requested by qemu-kvm. It is not expected that this access
is required by qemu-kvm and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:svirt_t:s0:c103,c1012
Target Context                system_u:system_r:svirt_t:s0:c103,c1012
Target Objects                None [ process ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          tighanardrigh
Source RPM Packages           qemu-system-x86-0.10.5-3.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-72.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     tighanardrigh
Platform                      Linux tighanardrigh 2.6.29.6-217.2.3.fc11.x86_64
                              #1 SMP Wed Jul 29 16:02:42 EDT 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 13 Aug 2009 06:27:38 PM NZST
Last Seen                     Thu 13 Aug 2009 06:27:38 PM NZST
Local ID                      aae9842e-3177-42c6-b15d-3c288b125b40
Line Numbers                  

Raw Audit Messages            

node=tighanardrigh type=AVC msg=audit(1250144858.235:37159): avc:  denied  { setrlimit } for  pid=5516 comm="qemu-kvm" scontext=system_u:system_r:svirt_t:s0:c103,c1012 tcontext=system_u:system_r:svirt_t:s0:c103,c1012 tclass=process

node=tighanardrigh type=SYSCALL msg=audit(1250144858.235:37159): arch=c000003e syscall=160 success=no exit=-13 a0=4 a1=7fff01a9e300 a2=0 a3=3288017220 items=0 ppid=5512 pid=5516 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c103,c1012 key=(null)

Expected results:
virt-manager will create the new qemu-kvm VM without any error, and the VM will start normally.

Additional info:
I don't believe I had these errors in my previous F10 install
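
A triage aid for the two denials quoted in the description above, added here as an example and not part of the original report or of any Fedora tooling: it parses the raw AVC records, renders the exact access that was denied in policy syntax, and checks whether the sVirt MCS level matched on both sides. The function names `parse_avc`, `split_context` and `te_rule` are hypothetical.

```python
import re

# AVC records copied from the report's "Raw Audit Messages" sections.
AVC_LINES = [
    'node=tighanardrigh type=AVC msg=audit(1250144858.236:37160): avc:  denied  { setattr } for  pid=5516 comm="pt_chown" name="3" dev=devpts ino=6 scontext=system_u:system_r:svirt_t:s0:c103,c1012 tcontext=system_u:object_r:devpts_t:s0:c103,c1012 tclass=chr_file',
    'node=tighanardrigh type=AVC msg=audit(1250144858.235:37159): avc:  denied  { setrlimit } for  pid=5516 comm="qemu-kvm" scontext=system_u:system_r:svirt_t:s0:c103,c1012 tcontext=system_u:system_r:svirt_t:s0:c103,c1012 tclass=process',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')

def split_context(ctx):
    """Split user:role:type:level; the level may itself contain ':' or ','."""
    user, role, setype, level = ctx.split(':', 3)
    return {'user': user, 'role': role, 'type': setype, 'level': level}

def parse_avc(line):
    """Return a dict describing one AVC denial, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('fields')))
    src = split_context(fields['scontext'])
    tgt = split_context(fields['tcontext'])
    return {
        'comm': fields.get('comm', '').strip('"'),
        'perms': m.group('perms').split(),
        'source_type': src['type'],
        'target_type': tgt['type'],
        'tclass': fields['tclass'],
        # Identical levels: the guest's MCS category pair matched, so category
        # isolation is not what blocked the access.
        'same_level': src['level'] == tgt['level'],
    }

def te_rule(d):
    """Render the denied access in policy syntax, for review (not for loading)."""
    target = 'self' if d['source_type'] == d['target_type'] else d['target_type']
    perms = d['perms'][0] if len(d['perms']) == 1 else '{ ' + ' '.join(d['perms']) + ' }'
    return f"allow {d['source_type']} {target}:{d['tclass']} {perms};"

if __name__ == '__main__':
    for line in AVC_LINES:
        d = parse_avc(line)
        print(d['comm'], te_rule(d), 'same MCS level:', d['same_level'])
```

Both records reduce to a single permission for `svirt_t`, which is much narrower than the `allow_daemons_use_tty` boolean that the first alert proposes for all daemons.
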
Comment 1 Dagan McGregor 2009-08-13 02:55:42 EDT
These SELinux restrictions also apply when a VM has been created, but is started via virt-manager. 

The exact same two 'SELinux prevented pt_chown from using the terminal 1' and 'SELinux is preventing qemu-kvm (svirt_t) "setrlimit" svirt_t' messages.
Comment 2 Daniel Berrange 2009-08-13 05:03:47 EDT

*** This bug has been marked as a duplicate of bug 515521 ***
