Bug 524850 - selinux complains about serial port with kvm: allow_daemons_use_tty selinux-policy
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 11
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-09-22 13:37 UTC by Ilkka Tengvall
Modified: 2009-10-20 21:08 UTC (History)
CC List: 3 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-10-20 21:08:46 UTC
Type: ---
Embargoed:



Description Ilkka Tengvall 2009-09-22 13:37:54 UTC
Description of problem:

Each time I start RHEL5.3 as a guest in KVM under F11, sealert nags that the boolean allow_daemons_use_tty (selinux-policy) should be set to true, even though I have set it to true and verified it is true.

Version-Release number of selected component (if applicable):

selinux-policy-3.6.12-82.fc11.noarch
selinux-policy-targeted-3.6.12-82.fc11.noarch


How reproducible:

At every boot of the guest.

Steps to Reproduce:
1. start kvm rhel5 guest
2. check sealert
3. shutdown guest
4. do setsebool -P allow_daemons_use_tty=1.
5. start guest
6. check sealert

Actual results:

sealert pops up

Expected results:

no sealerts

Additional info:

node=pikkud type=AVC msg=audit(1253253177.383:41640): avc: denied { setattr } for pid=4313 comm="qemu-kvm" name="1" dev=devpts ino=4 scontext=system_u:system_r:svirt_t:s0:c607,c768 tcontext=system_u:object_r:devpts_t:s0:c607,c768 tclass=chr_file
node=pikkud type=SYSCALL msg=audit(1253253177.383:41640): arch=40000003 syscall=212 success=no exit=-13 a0=bfda12a8 a1=0 a2=5 a3=bfda12a8 items=0 ppid=1 pid=4313 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c607,c768 key=(null)

Comment 1 Daniel Walsh 2009-09-22 14:00:54 UTC
You can add a custom policy module for this.  I am not sure what this is doing though.  I will remove the setroubleshoot plugin from F12 so you will get a better message from setroubleshoot.  Turning this on is bogus.

You can add a custom policy using audit2allow -M mypol
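The denial quoted in the report's "Additional info" and the audit2allow suggestion in Comment 1 both turn on the same two facts: the AVC record and its SYSCALL record share one event id (the `audit(TIME:SERIAL)` value), and the source domain in the AVC record is `svirt_t`, not a daemon domain, which is why a boolean aimed at daemons does nothing for it. The following is an added example, not code from the report, from setroubleshoot or from audit2allow: it correlates the two records by event id, reduces them to a one-line denial summary (source type, target type, class, permission, executable, syscall result), and prints the single `allow` rule that `audit2allow -M mypol` would generate from this denial so it can be reviewed before anything is loaded. The sample log is the report's own two records; the field-name assumptions (`scontext`, `tcontext`, `tclass`, `exe`, `syscall`, `success`) are the standard Linux audit field names.

```python
"""Correlate SELinux AVC denials with their SYSCALL records and summarise them.

Added example for this bug report; it is not part of the report or of any
SELinux tool. The sample records are the two lines quoted in the report.
"""
import re
from collections import OrderedDict

# Constructed sample: the report's two audit records, one per line.
SAMPLE_AUDIT_LOG = """\
node=pikkud type=AVC msg=audit(1253253177.383:41640): avc: denied { setattr } for pid=4313 comm="qemu-kvm" name="1" dev=devpts ino=4 scontext=system_u:system_r:svirt_t:s0:c607,c768 tcontext=system_u:object_r:devpts_t:s0:c607,c768 tclass=chr_file
node=pikkud type=SYSCALL msg=audit(1253253177.383:41640): arch=40000003 syscall=212 success=no exit=-13 a0=bfda12a8 a1=0 a2=5 a3=bfda12a8 items=0 ppid=1 pid=4313 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c607,c768 key=(null)
"""

# key=value pairs; a value is a double-quoted string or a run of non-space.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Event id shared by every record of one event: msg=audit(TIME:SERIAL):
EVENT_ID_RE = re.compile(r'audit\((\d+\.\d+:\d+)\)')
# AVC verdict and permission set: avc: denied { read write } for ...
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')


def parse_record(line):
    """Turn one audit record into a dict of its key=value fields."""
    rec = {key: value.strip('"') for key, value in FIELD_RE.findall(line)}
    m = EVENT_ID_RE.search(line)
    rec['event_id'] = m.group(1) if m else None
    if rec.get('type') == 'AVC':
        m = AVC_RE.search(line)
        if m:
            rec['verdict'] = m.group(1)
            rec['perms'] = m.group(2).split()
    return rec


def group_events(text):
    """Group records by event id, preserving first-seen order."""
    events = OrderedDict()
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events.setdefault(rec['event_id'], []).append(rec)
    return events


def type_of(context):
    """Extract the type (third component) of an SELinux security context."""
    parts = context.split(':')
    return parts[2] if len(parts) > 2 else context


def summarize(records):
    """Merge an event's AVC and SYSCALL records into one denial summary."""
    avc = next((r for r in records if r.get('type') == 'AVC'), None)
    sc = next((r for r in records if r.get('type') == 'SYSCALL'), None)
    if avc is None:
        return None
    return {
        'verdict': avc.get('verdict'),
        'perms': avc.get('perms', []),
        'source_type': type_of(avc['scontext']),
        'target_type': type_of(avc['tcontext']),
        'tclass': avc['tclass'],
        'comm': avc.get('comm'),
        'target_name': avc.get('name'),
        'dev': avc.get('dev'),
        # The SYSCALL record carries the executable path and the call's result.
        'exe': sc.get('exe') if sc else None,
        'syscall': sc.get('syscall') if sc else None,
        'success': sc.get('success') if sc else None,
    }


def te_rule(summary):
    """The allow rule audit2allow would emit for this denial (for review)."""
    perms = summary['perms']
    perm_text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (summary['source_type'],
                                   summary['target_type'],
                                   summary['tclass'], perm_text)


if __name__ == '__main__':
    for event_id, records in group_events(SAMPLE_AUDIT_LOG).items():
        s = summarize(records)
        if s:
            print(event_id, s)
            print(te_rule(s))
```

The summary makes the mismatch in the report visible at a glance: the subject is `svirt_t` (the libvirt confined guest domain), the object is a `devpts_t` character device named `1`, and the denied operation is `setattr`, so the relevant check is whether policy already allows that specific access (`sesearch -A -s svirt_t -t devpts_t -c chr_file -p setattr`) rather than the state of `allow_daemons_use_tty`. The generated rule is what a `-M mypol` module would contain; Comment 4 records that the issue was resolved by correcting `/etc/fstab` instead, so the rule is the thing to inspect before deciding whether a local module is the right fix at all.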

Comment 2 Daniel Walsh 2009-09-22 14:01:33 UTC
Dan, any idea what is going on here?  Do we need to somehow handle serial ports differently?

Comment 3 Daniel Berrangé 2009-09-22 15:48:36 UTC
Please provide the guest XML from 'virsh dumpxml $GUESTNAME' and the log file from when you tried to start it, /var/log/libvirt/qemu/$GUESTNAME.log

Finally, what version of 'libvirt' do you have installed?

Comment 4 Daniel Walsh 2009-10-20 21:08:46 UTC
This is fixed by fixing the entries in /etc/fstab

