Bug 525578 - SELinux is preventing qemu-kvm (svirt_t) "setrlimit" svirt_t.
Summary: SELinux is preventing qemu-kvm (svirt_t) "setrlimit" svirt_t.
Keywords:
Status: CLOSED DUPLICATE of bug 515521
Alias: None
Product: Fedora
Classification: Fedora
Component: qemu
Version: 11
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Glauber Costa
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-09-24 21:44 UTC by Guy Streeter
Modified: 2016-02-10 01:33 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-10-01 16:35:36 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Guy Streeter 2009-09-24 21:44:08 UTC
Summary:

SELinux is preventing qemu-kvm (svirt_t) "setrlimit" svirt_t.

Detailed Description:

SELinux denied access requested by qemu-kvm. It is not expected that this access
is required by qemu-kvm and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:svirt_t:s0:c269,c551
Target Context                system_u:system_r:svirt_t:s0:c269,c551
Target Objects                None [ process ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          localhost
Source RPM Packages           qemu-system-x86-0.10.6-5.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-82.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     dhcp-64.hsv.redhat.com
Platform                      Linux dhcp-64.hsv.redhat.com
                              2.6.30.5-43.fc11.x86_64 #1 SMP Thu Aug 27 21:39:52
                              EDT 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 24 Sep 2009 04:39:13 PM CDT
Last Seen                     Thu 24 Sep 2009 04:39:13 PM CDT
Local ID                      51f6ce79-0eb0-45be-b246-eb32cc45d492
Line Numbers                  

Raw Audit Messages            

node=localhost type=AVC msg=audit(1253828353.242:74): avc:  denied  { setrlimit } for  pid=12976 comm="qemu-kvm" scontext=system_u:system_r:svirt_t:s0:c269,c551 tcontext=system_u:system_r:svirt_t:s0:c269,c551 tclass=process

node=localhost type=SYSCALL msg=audit(1253828353.242:74): arch=c000003e syscall=160 success=no exit=-13 a0=4 a1=7fff810ae0d0 a2=0 a3=3d6a017220 items=0 ppid=12972 pid=12976 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c269,c551 key=(null)

Comment 1 Mark McLoughlin 2009-10-01 16:35:36 UTC
I'm pretty sure this is a dup of bug #515521 and you just need latest selinux-policy and the /dev/pts line /etc/fstab changed to be:

devpts     /dev/pts   devpts  gid=5,mode=620   0 0

*** This bug has been marked as a duplicate of bug 515521 ***


Note You need to log in before you can comment on or make changes to this bug.