Description of problem:
When trying to create a new VM using virt-manager I got a few AVC messages preventing virt-manager from completing the creation.

Version-Release number of selected component (if applicable):
virt-manager-0.7.0-5.fc11.x86_64
selinux-policy-3.6.12-72.fc11.noarch
selinux-policy-targeted-3.6.12-72.fc11.noarch

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
When trying to run an existing VM I get an error box with a python traceback from virt-manager:

Error starting domain: internal error unable to start guest: qemu: could not open monitor device 'pty'

Contents:
Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/engine.py", line 493, in run_domain
    vm.startup()
  File "/usr/share/virt-manager/virtManager/domain.py", line 573, in startup
    self.vm.create()
  File "/usr/lib64/python2.6/site-packages/libvirt.py", line 287, in create
    if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self)
libvirtError: internal error unable to start guest: qemu: could not open monitor device 'pty'

The corresponding avc message is attached.
Sorry, did not complete all the fields :(.

How reproducible: always

Steps to Reproduce:
1. Start virt-manager
2. Select existing VM Open and Run
3. error message appears.

Expected results: No AVC messages, working VM.
When (trying to) create a new VM virt-manager stops when trying to create the domain. Due to: SELinux prevented pt_chown from using the terminal 3.

virt-manager error message:
Unable to complete install: 'internal error unable to start guest: qemu: could not open monitor device 'pty'

Contents:
Unable to complete install '<class 'libvirt.libvirtError'> internal error unable to start guest: qemu: could not open monitor device 'pty'
Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/create.py", line 1501, in do_install
    dom = guest.start_install(False, meter = meter)
  File "/usr/lib/python2.6/site-packages/virtinst/Guest.py", line 541, in start_install
    return self._do_install(consolecb, meter, removeOld, wait)
  File "/usr/lib/python2.6/site-packages/virtinst/Guest.py", line 633, in _do_install
    self.domain = self.conn.createLinux(install_xml, 0)
  File "/usr/lib64/python2.6/site-packages/libvirt.py", line 974, in createLinux
    if ret is None:raise libvirtError('virDomainCreateLinux() failed', conn=self)
libvirtError: internal error unable to start guest: qemu: could not open monitor device 'pty'
'

selinux avc attached as attachment 2.
Created attachment 358255
SELinux prevented pt_chown from using the terminal 3 -> AVC attachment 2.
Retested with updated policies:
selinux-policy-targeted-3.6.12-78.fc11.noarch
selinux-policy-3.6.12-78.fc11.noarch

Starting an existing VM now works again but produces 6 different AVC's with a total count of 11 AVC's... I've attached all the sealert messages.

Creating a new VM now also works again, triggers all the same AVC's.
Created attachment 358350
SELinux prevented qemu-kvm from using the terminal 1. Count=1

Created attachment 358351
SELinux is preventing pt_chown (ptchown_t) "read write" ptmx_t. Count=4

Created attachment 358352
SELinux is preventing qemu-kvm (svirt_t) "setrlimit" svirt_t. Count=2

Created attachment 358353
SELinux is preventing pt_chown (ptchown_t) "fsetid" ptchown_t. Count=1
Edit /etc/fstab and make the devpts line look like

devpts /dev/pts devpts gid=5,mode=620 0 0

Then execute

mount -a

Should fix your problem.

F11 anaconda was supposed to put this line in, and this is triggering the other errors.

Miroslav, grab the latest pt_chown policy from Rawhide and update F11.
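An added example (not part of the comment above or of any Fedora tooling): a shell function that checks whether the devpts entry in an fstab-format file carries the gid=5 and mode=620 options suggested above. The name check_devpts and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the devpts mount options from the comment above.
# check_devpts FILE   (FILE is fstab-format: /etc/fstab or /proc/mounts)
# returns 0 = gid=5 and mode=620 present, 1 = option missing, 2 = no entry
check_devpts() {
    file=$1
    # Fields: device mountpoint fstype options ...; skip comment lines.
    opts=$(awk '$1 !~ /^#/ && $2 == "/dev/pts" && $3 == "devpts" { print $4; exit }' "$file")
    if [ -z "$opts" ]; then
        echo "$file: no devpts entry for /dev/pts"
        return 2
    fi
    # Treat mode=0620 the same as mode=620 (leading zeros dropped).
    norm=$(printf '%s\n' "$opts" | sed 's/mode=0*\([0-9]\)/mode=\1/g')
    missing=""
    for want in gid=5 mode=620; do
        case ",$norm," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "$file: devpts options '$opts' lack:$missing"
        return 1
    fi
    echo "$file: devpts options ok ($opts)"
}

# Constructed sample input: one entry without the options, one with them.
demo=$(mktemp)
printf 'devpts /dev/pts devpts defaults 0 0\n' > "$demo"
check_devpts "$demo" || true
printf 'devpts /dev/pts devpts gid=5,mode=620 0 0\n' > "$demo"
check_devpts "$demo" || true
rm -f "$demo"
```

On a live system, run check_devpts /etc/fstab and check_devpts /proc/mounts; the second shows the options of the filesystem that is actually mounted.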
I have fixed this in selinux-policy-3.6.12-79.fc11. I am going to push out a new F11 update tomorrow. Available from Koji for now http://koji.fedoraproject.org/koji/buildinfo?buildID=128076
selinux-policy-3.6.12-80.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/selinux-policy-3.6.12-80.fc11
I've modified my fstab as suggested by Daniel and updated to the new policy from koji. After a reboot, virt-manager runs clean, no more avc. Thanks.
selinux-policy-3.6.12-80.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-8895
selinux-policy-3.6.12-80.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.