Description of problem:
Each time I start RHEL5.3 as a guest in KVM under F11, sealert nags that the selinux-policy boolean allow_daemons_use_tty should be set to true, even though I have set it to true and verified that it is true.

Version-Release number of selected component (if applicable):
selinux-policy-3.6.12-82.fc11.noarch
selinux-policy-targeted-3.6.12-82.fc11.noarch

How reproducible:
At every boot of the guest.

Steps to Reproduce:
1. start kvm rhel5 guest
2. check sealert
3. shutdown guest
4. do setsebool -P allow_daemons_use_tty=1.
5. start guest
6. check sealert

Actual results:
sealert pops up

Expected results:
no sealerts

Additional info:
node=pikkud type=AVC msg=audit(1253253177.383:41640): avc: denied { setattr } for pid=4313 comm="qemu-kvm" name="1" dev=devpts ino=4 scontext=system_u:system_r:svirt_t:s0:c607,c768 tcontext=system_u:object_r:devpts_t:s0:c607,c768 tclass=chr_file
node=pikkud type=SYSCALL msg=audit(1253253177.383:41640): arch=40000003 syscall=212 success=no exit=-13 a0=bfda12a8 a1=0 a2=5 a3=bfda12a8 items=0 ppid=1 pid=4313 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c607,c768 key=(null)
You can add a custom policy module for this. I am not sure what this is doing though. I will remove the setroubleshoot plugin from F12 so you will get a better message from setroubleshoot. Turning this on is bogus. You can add a custom policy using audit2allow -M mypol
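To review what a module built from the reported denial would permit before loading it, the AVC record can be decoded into the type-enforcement rule it corresponds to. This is an added example, not part of the original thread and not audit2allow's own code; the parser is a simplified sketch with hypothetical function names, run on the AVC record quoted in the description.

```python
import re

# AVC record copied from the bug description above.
AVC = ('node=pikkud type=AVC msg=audit(1253253177.383:41640): avc: denied '
       '{ setattr } for pid=4313 comm="qemu-kvm" name="1" dev=devpts ino=4 '
       'scontext=system_u:system_r:svirt_t:s0:c607,c768 '
       'tcontext=system_u:object_r:devpts_t:s0:c607,c768 tclass=chr_file')


def parse_avc(record):
    """Split one AVC denial into permissions, key=value fields and contexts."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)', record)
    if not m:
        raise ValueError('not an AVC denial')
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2))
    fields = {k: v.strip('"') for k, v in pairs}
    fields['perms'] = m.group(1).split()
    for key in ('scontext', 'tcontext'):
        # Context layout is user:role:type:level; the MLS/MCS level
        # (here s0:c607,c768) contains ':' itself, so split only 3 times.
        user, role, type_, level = fields[key].split(':', 3)
        fields[key] = {'user': user, 'role': role,
                       'type': type_, 'level': level}
    return fields


def allow_rule(avc):
    """Type-enforcement rule that would permit exactly the denied access."""
    perms = avc['perms']
    perm = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (avc['scontext']['type'],
                                   avc['tcontext']['type'],
                                   avc['tclass'], perm)


def same_mcs_level(avc):
    """True when source and target carry the same level and category pair,
    i.e. the per-guest categories are not what differs in this denial."""
    return avc['scontext']['level'] == avc['tcontext']['level']


if __name__ == '__main__':
    avc = parse_avc(AVC)
    print(avc['comm'], 'on', avc['dev'], 'name', avc['name'])
    print(allow_rule(avc))
    print('same MCS level:', same_mcs_level(avc))
```

The resulting rule applies to every process in the source type and every character device labelled with the target type, which is the scope to weigh before installing a module generated from this record.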
Dan, any idea what is going on here? Do we need to somehow handle serial ports differently?
Please provide the guest XML from 'virsh dumpxml $GUESTNAME' and the log file from when you tried to start it, /var/log/libvirt/qemu/$GUESTNAME.log. Finally, what version of 'libvirt' do you have installed?
This is fixed by fixing the entries in /etc/fstab