Bug 528751 - SELinux is preventing qemu-kvm (svirt_t) "fsetid" svirt_t
Summary: SELinux is preventing qemu-kvm (svirt_t) "fsetid" svirt_t
Keywords:
Status: CLOSED DUPLICATE of bug 515521
Alias: None
Product: Fedora
Classification: Fedora
Component: setup
Version: 11
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Ondrej Vasik
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-10-13 15:22 UTC by Eduard Benes
Modified: 2009-10-13 15:56 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-10-13 15:56:34 UTC
Type: ---
Embargoed:



Description Eduard Benes 2009-10-13 15:22:43 UTC
Starting a domain generates the following AVC denial.
Note, everything "seems" to work just fine. It's just annoying.

Steps to reproduce:
1) install, for example, an f12 minimal installation
2) start the domain ... virsh # start fedora12-minimal

$ rpm -qa qemu* selinux*
selinux-policy-targeted-3.6.12-83.fc11.noarch
selinux-policy-3.6.12-83.fc11.noarch
qemu-kvm-0.10.6-6.fc11.i586
qemu-common-0.10.6-6.fc11.i586
qemu-img-0.10.6-6.fc11.i586
qemu-system-x86-0.10.6-6.fc11.i586


----
Summary:

SELinux is preventing qemu-kvm (svirt_t) "fsetid" svirt_t.

Detailed Description:

SELinux denied access requested by qemu-kvm. It is not expected that this access
is required by qemu-kvm and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:svirt_t:s0:c337,c532
Target Context                system_u:system_r:svirt_t:s0:c337,c532
Target Objects                None [ capability ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          godot.englab.brq.redhat.com
Source RPM Packages           qemu-system-x86-0.10.6-6.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-83.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     godot.englab.brq.redhat.com
Platform                      Linux godot.englab.brq.redhat.com
                              2.6.30.8-64.fc11.i686.PAE #1 SMP Fri Sep 25
                              04:56:58 EDT 2009 i686 i686
Alert Count                   4
First Seen                    Tue 13 Oct 2009 05:03:44 PM CEST
Last Seen                     Tue 13 Oct 2009 05:03:44 PM CEST
Local ID                      9d17b05a-8a89-485c-94a5-0b8f53539688
Line Numbers                  

Raw Audit Messages            

node=godot.englab.brq.redhat.com type=AVC msg=audit(1255446224.159:331): avc:  denied  { fsetid } for  pid=4064 comm="qemu-kvm" capability=4 scontext=system_u:system_r:svirt_t:s0:c337,c532 tcontext=system_u:system_r:svirt_t:s0:c337,c532 tclass=capability

node=godot.englab.brq.redhat.com type=AVC msg=audit(1255446224.159:331): avc:  denied  { fsetid } for  pid=4064 comm="qemu-kvm" capability=4 scontext=system_u:system_r:svirt_t:s0:c337,c532 tcontext=system_u:system_r:svirt_t:s0:c337,c532 tclass=capability

node=godot.englab.brq.redhat.com type=SYSCALL msg=audit(1255446224.159:331): arch=40000003 syscall=15 success=yes exit=0 a0=bfd9c1d8 a1=190 a2=bc0ff4 a3=bfd9c1d8 items=0 ppid=1 pid=4064 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c337,c532 key=(null)

Comment 1 Daniel Walsh 2009-10-13 15:36:48 UTC
Fix the entry for devpts in your /etc/fstab to look like

grep devpts /etc/fstab 
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0


There is an update for setup to fix this I believe.
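
The raw records in the description line up with this fix: arch=40000003 is i386, syscall 15 on i386 is chmod(), a1=190 is hex for mode 0620, and success=yes shows the call went through (in chmod the kernel consults CAP_FSETID only to decide whether to clear the setgid bit, so a denial here logs and clears S_ISGID but does not fail the call, which is why everything "seems" to work). A chmod to 0620 on a pty slave is what glibc's grantpt() does when devpts is not already mounted with gid=5,mode=620. The script below is an added example written for this page, not code from the report, from setroubleshoot or from Fedora: it decodes the two records (embedded as constructed, shortened copies) and checks whether a mount-table line for /dev/pts carries the options comment 1 asks for. The helper names (audit_field, explain_denial, devpts_opts_ok) are this example's own.

```shell
#!/bin/sh
# Added example (editor's, not from the bug report or from Fedora):
# decode the fsetid denial from the audit records above and check the
# devpts mount options that the fix in comment 1 relies on.

# Constructed copies of the AVC and SYSCALL records from the report,
# shortened to the fields used here.
SAMPLE_AVC='type=AVC msg=audit(1255446224.159:331): avc:  denied  { fsetid } for  pid=4064 comm="qemu-kvm" capability=4 scontext=system_u:system_r:svirt_t:s0:c337,c532 tcontext=system_u:system_r:svirt_t:s0:c337,c532 tclass=capability'
SAMPLE_SYSCALL='type=SYSCALL msg=audit(1255446224.159:331): arch=40000003 syscall=15 success=yes exit=0 a0=bfd9c1d8 a1=190 a2=bc0ff4 a3=bfd9c1d8 items=0 ppid=1 pid=4064 uid=0 gid=0 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c337,c532 key=(null)'

# audit_field RECORD KEY: print the value of the first KEY=value token
# (surrounding double quotes stripped); status 1 if KEY is absent.
audit_field() {
    for tok in $1; do
        case $tok in
            "$2"=*)
                v=${tok#*=}; v=${v#\"}; v=${v%\"}
                printf '%s\n' "$v"
                return 0 ;;
        esac
    done
    return 1
}

# Capability numbers from linux/capability.h (first five only).
cap_name() {
    case $1 in
        0) echo CAP_CHOWN ;;
        1) echo CAP_DAC_OVERRIDE ;;
        2) echo CAP_DAC_READ_SEARCH ;;
        3) echo CAP_FOWNER ;;
        4) echo CAP_FSETID ;;
        *) echo "CAP_#$1" ;;
    esac
}

# i386 (arch=40000003) syscall numbers for the mode-changing calls.
i386_syscall_name() {
    case $1 in
        15) echo chmod ;;
        94) echo fchmod ;;
        *) echo "syscall_$1" ;;
    esac
}

# explain_denial AVC SYSCALL: one-line summary of a capability denial.
explain_denial() {
    avc=$1; sc=$2
    perm=$(printf '%s\n' "$avc" | sed -n 's/.*{ \([a-z_]*\) }.*/\1/p')
    cap=$(cap_name "$(audit_field "$avc" capability)")
    if [ "$(audit_field "$sc" arch)" = 40000003 ]; then
        call=$(i386_syscall_name "$(audit_field "$sc" syscall)")
    else
        call="syscall_$(audit_field "$sc" syscall)"
    fi
    hex=$(audit_field "$sc" a1)
    mode=$(printf '0%o' "$((0x$hex))")   # a1 is the mode argument of chmod()
    printf '%s: %s (%s) denied in %s(..., %s), success=%s, subject %s\n' \
        "$(audit_field "$avc" comm)" "$cap" "$perm" "$call" "$mode" \
        "$(audit_field "$sc" success)" "$(audit_field "$avc" scontext)"
}

# devpts_opts_ok LINE: LINE is one /proc/mounts or /etc/fstab entry; succeed
# only if it mounts devpts on /dev/pts with gid=5 and mode=620 (or 0620).
devpts_opts_ok() {
    opts=$(printf '%s\n' "$1" | awk '$2 == "/dev/pts" && $3 == "devpts" { print $4 }')
    case ",$opts," in *,gid=5,*) ;; *) return 1 ;; esac
    case ",$opts," in *,mode=620,*|*,mode=0620,*) return 0 ;; *) return 1 ;; esac
}

explain_denial "$SAMPLE_AVC" "$SAMPLE_SYSCALL"
if [ -r /proc/mounts ]; then
    if devpts_opts_ok "$(grep ' /dev/pts ' /proc/mounts)"; then
        echo "/dev/pts is mounted with gid=5,mode=620"
    else
        echo "/dev/pts lacks gid=5,mode=620: fix the devpts line in /etc/fstab, then: mount -o remount /dev/pts"
    fi
fi
```

Run it as-is on the affected host: the first line it prints summarises the denial, the second tells you whether the live /dev/pts mount already has the options from comment 1. Editing /etc/fstab alone does not change the running mount, so remount (or reboot) before retesting with virsh.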

Comment 2 Ondrej Vasik 2009-10-13 15:56:34 UTC
Marking duplicate...

*** This bug has been marked as a duplicate of bug 515521 ***

