Bug 518663 - selinux policy prevents virt-manager from running existing and creating new VM
Summary: selinux policy prevents virt-manager from running existing and creating new VM
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 11
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-08-21 14:58 UTC by Jurgen Kramer
Modified: 2009-08-28 21:57 UTC (History)
1 user (show)

Fixed In Version: 3.6.12-80.fc11
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-08-28 21:57:04 UTC


Attachments (Terms of Use)
SELinux prevented pt_chown from using the terminal 3 -> AVC (2.53 KB, text/plain)
2009-08-21 15:06 UTC, Jurgen Kramer
no flags Details
SELinux prevented qemu-kvm from using the terminal 1. Count=1 (2.53 KB, text/plain)
2009-08-23 12:00 UTC, Jurgen Kramer
no flags Details
SELinux is preventing pt_chown (ptchown_t) "read write" ptmx_t. Count=4 (3.35 KB, text/plain)
2009-08-23 12:01 UTC, Jurgen Kramer
no flags Details
SELinux is preventing qemu-kvm (svirt_t) "setrlimit" svirt_t. Count=2 (2.47 KB, text/plain)
2009-08-23 12:02 UTC, Jurgen Kramer
no flags Details
SELinux is preventing pt_chown (ptchown_t) "fsetid" ptchown_t. Count=1 (2.50 KB, text/plain)
2009-08-23 12:03 UTC, Jurgen Kramer
no flags Details

Description Jurgen Kramer 2009-08-21 14:58:37 UTC
Description of problem:
When trying to create a new VM using virt-manager I got a few AVC messages preventing virt-manager from completing the creation.

Version-Release number of selected component (if applicable):
virt-manager-0.7.0-5.fc11.x86_64
selinux-policy-3.6.12-72.fc11.noarch
selinux-policy-targeted-3.6.12-72.fc11.noarch

How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

When trying to run an existing VM I get a error box with a python traceback from virt-manager:

Error starting domain: internal error unable to start guest: qemu: could not open monitor device 'pty'

Contents:

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/engine.py", line 493, in run_domain
    vm.startup()
  File "/usr/share/virt-manager/virtManager/domain.py", line 573, in startup
    self.vm.create()
  File "/usr/lib64/python2.6/site-packages/libvirt.py", line 287, in create
    if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self)
libvirtError: internal error unable to start guest: qemu: could not open monitor device 'pty'

The corresponding avc message is attached.

Comment 1 Jurgen Kramer 2009-08-21 15:00:46 UTC
Sorry, did not complete al the fields :(.

How reproducible:
always

Steps to Reproduce:
1. Start virt-manager
2. Select existing VM Open and Run
3. error message appears.

Expected results:
No AVC messages, working VM.

Comment 2 Jurgen Kramer 2009-08-21 15:05:49 UTC
When (trying to) create a new VM virt-manager stops when trying to create the domain. Due to:

SELinux prevented pt_chown from using the terminal 3.

virt-manager error message:
Unable to complete install: 'internal error unable to start guest: qemu: could not open monitor device 'pty'

Contents:

Unable to complete install '<class 'libvirt.libvirtError'> internal error unable to start guest: qemu: could not open monitor device 'pty'

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/create.py", line 1501, in do_install
    dom = guest.start_install(False, meter = meter)
  File "/usr/lib/python2.6/site-packages/virtinst/Guest.py", line 541, in start_install
    return self._do_install(consolecb, meter, removeOld, wait)
  File "/usr/lib/python2.6/site-packages/virtinst/Guest.py", line 633, in _do_install
    self.domain = self.conn.createLinux(install_xml, 0)
  File "/usr/lib64/python2.6/site-packages/libvirt.py", line 974, in createLinux
    if ret is None:raise libvirtError('virDomainCreateLinux() failed', conn=self)
libvirtError: internal error unable to start guest: qemu: could not open monitor device 'pty'
'

selinux avc attached as attachment 2 [details].

Comment 3 Jurgen Kramer 2009-08-21 15:06:35 UTC
Created attachment 358255 [details]
SELinux prevented pt_chown from using the terminal 3 -> AVC

attachment 2 [details]. SELinux prevented pt_chown from using the terminal 3.

Comment 4 Jurgen Kramer 2009-08-23 11:59:04 UTC
Retested with updated policies:

selinux-policy-targeted-3.6.12-78.fc11.noarch
selinux-policy-3.6.12-78.fc11.noarch

Starting an existing VM now works again but produces 6 different AVC's with a total cpunt of 11 AVC's...

I've attached all the sealert messages.

Creating a new VM now also works again, triggers all the same AVC's.

Comment 5 Jurgen Kramer 2009-08-23 12:00:46 UTC
Created attachment 358350 [details]
SELinux prevented qemu-kvm from using the terminal 1. Count=1

SELinux prevented qemu-kvm from using the terminal 1. Count=1

Comment 6 Jurgen Kramer 2009-08-23 12:01:26 UTC
Created attachment 358351 [details]
SELinux is preventing pt_chown (ptchown_t) "read write" ptmx_t. Count=4

SELinux is preventing pt_chown (ptchown_t) "read write" ptmx_t. Count=4

Comment 7 Jurgen Kramer 2009-08-23 12:02:21 UTC
Created attachment 358352 [details]
SELinux is preventing qemu-kvm (svirt_t) "setrlimit" svirt_t. Count=2

SELinux is preventing qemu-kvm (svirt_t) "setrlimit" svirt_t. Count=2

Comment 8 Jurgen Kramer 2009-08-23 12:03:07 UTC
Created attachment 358353 [details]
SELinux is preventing pt_chown (ptchown_t) "fsetid" ptchown_t. Count=1

SELinux is preventing pt_chown (ptchown_t) "fsetid" ptchown_t. Count=1

Comment 9 Daniel Walsh 2009-08-23 16:46:03 UTC
Edit /etc/fstab 

and make devpts like look like

devpts                  /dev/pts                devpts  gid=5,mode=620  0 0


Then execute mount -a

Should fix your problem.

F11 anaconda was supposed to put this line in, and this is triggering the other errors.  

Miroslav, grab the latest pt_chown policy from Rawhide and update F11.

Comment 10 Miroslav Grepl 2009-08-23 18:15:02 UTC
I have fixed this in selinux-policy-3.6.12-79.fc11. I am going to push out a new F11 update tomorrow.

Available from Koji for now

http://koji.fedoraproject.org/koji/buildinfo?buildID=128076

Comment 11 Fedora Update System 2009-08-24 15:44:57 UTC
selinux-policy-3.6.12-80.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.12-80.fc11

Comment 12 Jurgen Kramer 2009-08-24 15:47:26 UTC
I've modified my fstab as suggested by Daniel and updated to the new policy from koji. After a reboot, virt-manager runs clean, no more avc. Thanks.

Comment 13 Fedora Update System 2009-08-25 04:26:40 UTC
selinux-policy-3.6.12-80.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-8895

Comment 14 Fedora Update System 2009-08-28 21:56:39 UTC
selinux-policy-3.6.12-80.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.