525581 – SELinux prevented pt_chown from using the terminal 1.

Bug 525581 - SELinux prevented pt_chown from using the terminal 1.

Summary: SELinux prevented pt_chown from using the terminal 1.

Keywords:
Status:	CLOSED DUPLICATE of bug 515521
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	qemu
Sub Component:
Version:	11
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Glauber Costa
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2009-09-24 21:49 UTC by Guy Streeter
Modified:	2016-02-10 01:33 UTC (History)
CC List:	11 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2009-10-01 16:30:54 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Guy Streeter 2009-09-24 21:49:28 UTC

Summary:

SELinux prevented pt_chown from using the terminal 1.

Detailed Description:

SELinux prevented pt_chown from using the terminal 1. In most cases daemons do
not need to interact with the terminal, usually these avc messages can be
ignored. All of the confined daemons should have dontaudit rules around using
the terminal. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this selinux-policy.
If you would like to allow all daemons to interact with the terminal, you can
turn on the allow_daemons_use_tty boolean.

Allowing Access:

Changing the "allow_daemons_use_tty" boolean to true will allow this access:
"setsebool -P allow_daemons_use_tty=1."

Fix Command:

setsebool -P allow_daemons_use_tty=1

Additional Information:

Source Context                system_u:system_r:svirt_t:s0:c269,c551
Target Context                system_u:object_r:devpts_t:s0:c269,c551
Target Objects                1 [ chr_file ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          localhost
Source RPM Packages           glibc-common-2.10.1-5
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-82.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_daemons_use_tty
Host Name                     dhcp-64.hsv.redhat.com
Platform                      Linux dhcp-64.hsv.redhat.com
                              2.6.30.5-43.fc11.x86_64 #1 SMP Thu Aug 27 21:39:52
                              EDT 2009 x86_64 x86_64
Alert Count                   2
First Seen                    Thu 24 Sep 2009 04:39:13 PM CDT
Last Seen                     Thu 24 Sep 2009 04:39:13 PM CDT
Local ID                      71316b34-6bac-4107-9420-213b6960cd5f
Line Numbers                  

Raw Audit Messages            

node=localhost type=AVC msg=audit(1253828353.245:75): avc:  denied  { setattr } for  pid=12976 comm="pt_chown" name="1" dev=devpts ino=4 scontext=system_u:system_r:svirt_t:s0:c269,c551 tcontext=system_u:object_r:devpts_t:s0:c269,c551 tclass=chr_file

node=localhost type=SYSCALL msg=audit(1253828353.245:75): arch=c000003e syscall=92 success=no exit=-13 a0=7ffee9a401d0 a1=0 a2=5 a3=7fff78902a90 items=0 ppid=12972 pid=12976 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pt_chown" exe="/usr/libexec/pt_chown" subj=system_u:system_r:svirt_t:s0:c269,c551 key=(null)

Comment 1 Guy Streeter 2009-09-29 21:04:02 UTC

using the recommended

setsebool -P allow_daemons_use_tty=1

doesn't help. I still get the selinux violation and am unable to start a new vm.

Unable to complete install '<class 'libvirt.libvirtError'> internal error unable to start guest: qemu: could not open monitor device 'pty'

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/create.py", line 1501, in do_install
    dom = guest.start_install(False, meter = meter)
  File "/usr/lib/python2.6/site-packages/virtinst/Guest.py", line 541, in start_install
    return self._do_install(consolecb, meter, removeOld, wait)
  File "/usr/lib/python2.6/site-packages/virtinst/Guest.py", line 633, in _do_install
    self.domain = self.conn.createLinux(install_xml, 0)
  File "/usr/lib64/python2.6/site-packages/libvirt.py", line 974, in createLinux
    if ret is None:raise libvirtError('virDomainCreateLinux() failed', conn=self)
libvirtError: internal error unable to start guest: qemu: could not open monitor device 'pty'

Comment 2 Patrick Mansfield 2009-09-30 16:52:25 UTC

(In reply to comment #1)
> using the recommended
> 
> setsebool -P allow_daemons_use_tty=1
> 
> doesn't help. I still get the selinux violation and am unable to start a new
> vm.

I had a similar problem just now, it was working yesterday.

I rebooted today, and tried to run an existing vm, it failed with the could not open pty, and a selinux alert.

I checked, and allow_daemons_use_tty was on:

[root@palm ~]# getsebool allow_daemons_use_tty
allow_daemons_use_tty --> on

I "set" it again:

[root@palm ~]# setsebool -P allow_daemons_use_tty=1
[root@palm ~]# getsebool allow_daemons_use_tty
allow_daemons_use_tty --> on

And then when I ran the VM it started up *but* I might have still gotten another selinux alert for the pty - I can't tell since I had multiple alerts, and don't know if there are any VM logs that show the time I "ran" the instance.

Comment 3 Guy Streeter 2009-10-01 16:07:06 UTC

Raising the severity on this as I am unable to use Virtual Machine Manager at all because of it.

Comment 4 Mark McLoughlin 2009-10-01 16:30:54 UTC

Marking as a duplicate of bug #515521

I think you just need selinux-policy-3.6.12-82.fc11 and the /dev/pts line in /etc/fstab fixed to look like:

devpts     /dev/pts   devpts  gid=5,mode=620   0 0

*** This bug has been marked as a duplicate of bug 515521 ***

Note You need to log in before you can comment on or make changes to this bug.