Summary:

SELinux prevented pt_chown from using the terminal 1.

Detailed Description:

SELinux prevented pt_chown from using the terminal 1. In most cases daemons do not need to interact with the terminal, usually these avc messages can be ignored. All of the confined daemons should have dontaudit rules around using the terminal. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this selinux-policy. If you would like to allow all daemons to interact with the terminal, you can turn on the allow_daemons_use_tty boolean.

Allowing Access:

Changing the "allow_daemons_use_tty" boolean to true will allow this access: "setsebool -P allow_daemons_use_tty=1."

Fix Command:

setsebool -P allow_daemons_use_tty=1

Additional Information:

Source Context                system_u:system_r:svirt_t:s0:c269,c551
Target Context                system_u:object_r:devpts_t:s0:c269,c551
Target Objects                1 [ chr_file ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          localhost
Source RPM Packages           glibc-common-2.10.1-5
Target RPM Packages
Policy RPM                    selinux-policy-3.6.12-82.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_daemons_use_tty
Host Name                     dhcp-64.hsv.redhat.com
Platform                      Linux dhcp-64.hsv.redhat.com 2.6.30.5-43.fc11.x86_64 #1 SMP Thu Aug 27 21:39:52 EDT 2009 x86_64 x86_64
Alert Count                   2
First Seen                    Thu 24 Sep 2009 04:39:13 PM CDT
Last Seen                     Thu 24 Sep 2009 04:39:13 PM CDT
Local ID                      71316b34-6bac-4107-9420-213b6960cd5f
Line Numbers

Raw Audit Messages

node=localhost type=AVC msg=audit(1253828353.245:75): avc: denied { setattr } for pid=12976 comm="pt_chown" name="1" dev=devpts ino=4 scontext=system_u:system_r:svirt_t:s0:c269,c551 tcontext=system_u:object_r:devpts_t:s0:c269,c551 tclass=chr_file

node=localhost type=SYSCALL msg=audit(1253828353.245:75): arch=c000003e syscall=92 success=no exit=-13 a0=7ffee9a401d0 a1=0 a2=5 a3=7fff78902a90 items=0 ppid=12972 pid=12976 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pt_chown" exe="/usr/libexec/pt_chown" subj=system_u:system_r:svirt_t:s0:c269,c551 key=(null)

using the recommended

setsebool -P allow_daemons_use_tty=1

doesn't help. I still get the selinux violation and am unable to start a new vm.

Unable to complete install '<class 'libvirt.libvirtError'> internal error unable to start guest: qemu: could not open monitor device 'pty'

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/create.py", line 1501, in do_install
    dom = guest.start_install(False, meter = meter)
  File "/usr/lib/python2.6/site-packages/virtinst/Guest.py", line 541, in start_install
    return self._do_install(consolecb, meter, removeOld, wait)
  File "/usr/lib/python2.6/site-packages/virtinst/Guest.py", line 633, in _do_install
    self.domain = self.conn.createLinux(install_xml, 0)
  File "/usr/lib64/python2.6/site-packages/libvirt.py", line 974, in createLinux
    if ret is None:raise libvirtError('virDomainCreateLinux() failed', conn=self)
libvirtError: internal error unable to start guest: qemu: could not open monitor device 'pty'

(In reply to comment #1)
> using the recommended
>
> setsebool -P allow_daemons_use_tty=1
>
> doesn't help. I still get the selinux violation and am unable to start a new
> vm.

I had a similar problem just now, it was working yesterday. I rebooted today, and tried to run an existing vm, it failed with the could not open pty, and a selinux alert.

I checked, and allow_daemons_use_tty was on:

[root@palm ~]# getsebool allow_daemons_use_tty
allow_daemons_use_tty --> on

I "set" it again:

[root@palm ~]# setsebool -P allow_daemons_use_tty=1
[root@palm ~]# getsebool allow_daemons_use_tty
allow_daemons_use_tty --> on

And then when I ran the VM it started up *but* I might have still gotten another selinux alert for the pty - I can't tell since I had multiple alerts, and don't know if there are any VM logs that show the time I "ran" the instance.

Raising the severity on this as I am unable to use Virtual Machine Manager at all because of it.

Marking as a duplicate of bug #515521

I think you just need selinux-policy-3.6.12-82.fc11 and the /dev/pts line in /etc/fstab fixed to look like:

devpts /dev/pts devpts gid=5,mode=620 0 0

*** This bug has been marked as a duplicate of bug 515521 ***
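
Added example (not part of the original bug thread, and not code from selinux-policy or libvirt): a Python check that recognizes the denial pattern in the audit record above and verifies that the /dev/pts entry of an fstab carries the gid=5,mode=620 options given in the closing comment. The two fstab bodies are constructed samples and all function names are hypothetical.

```python
import re
import shlex

# Sample input: the AVC record from the report above, and two constructed
# /etc/fstab bodies (one without the options, one with the corrected line).
AVC = ('node=localhost type=AVC msg=audit(1253828353.245:75): avc: denied '
       '{ setattr } for pid=12976 comm="pt_chown" name="1" dev=devpts ino=4 '
       'scontext=system_u:system_r:svirt_t:s0:c269,c551 '
       'tcontext=system_u:object_r:devpts_t:s0:c269,c551 tclass=chr_file')
FSTAB_BAD = "# constructed\ndevpts /dev/pts devpts defaults 0 0\n"
FSTAB_GOOD = "# constructed\ndevpts /dev/pts devpts gid=5,mode=620 0 0\n"

REQUIRED = {"gid": "5", "mode": "620"}  # options from the closing comment


def parse_avc(line):
    """Split one AVC record into its permissions and key=value fields."""
    m = re.search(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)", line)
    if not m:
        raise ValueError("not an AVC record")
    # shlex strips the quotes around values such as comm="pt_chown"
    fields = dict(t.split("=", 1) for t in shlex.split(m.group(3)) if "=" in t)
    fields["result"] = m.group(1)
    fields["perms"] = m.group(2).split()
    return fields


def is_pt_chown_devpts_denial(rec):
    """True for the pattern in this bug: pt_chown denied setattr on a pty."""
    return (rec["result"] == "denied" and "setattr" in rec["perms"]
            and rec.get("comm") == "pt_chown" and rec.get("dev") == "devpts"
            and rec.get("tclass") == "chr_file")


def devpts_option_problems(fstab_text):
    """Return the required devpts mount options that are missing or wrong."""
    for raw in fstab_text.splitlines():
        cols = raw.split("#", 1)[0].split()  # drop comments, split columns
        if len(cols) >= 4 and cols[1] == "/dev/pts" and cols[2] == "devpts":
            opts = dict(o.split("=", 1) for o in cols[3].split(",") if "=" in o)
            return [f"{k}={v}" for k, v in REQUIRED.items() if opts.get(k) != v]
    return ["no devpts entry for /dev/pts"]
```

On a real host, pass the contents of /etc/fstab to devpts_option_problems() and feed parse_avc() the AVC lines from the audit log; an empty list means the entry already matches the line quoted in the closing comment.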