Starting a domain generates the following AVC denial. Note, everything "seems" to work just fine. It's just annoying.

Steps to reproduce:
1) install for example f12 minimal installation
2) start the domain
...
virsh # start fedora12-minimal

$ rpm -qa qemu* selinux*
selinux-policy-targeted-3.6.12-83.fc11.noarch
selinux-policy-3.6.12-83.fc11.noarch
qemu-kvm-0.10.6-6.fc11.i586
qemu-common-0.10.6-6.fc11.i586
qemu-img-0.10.6-6.fc11.i586
qemu-system-x86-0.10.6-6.fc11.i586

----

Summary:

SELinux is preventing qemu-kvm (svirt_t) "fsetid" svirt_t.

Detailed Description:

SELinux denied access requested by qemu-kvm. It is not expected that this access is required by qemu-kvm and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:svirt_t:s0:c337,c532
Target Context                system_u:system_r:svirt_t:s0:c337,c532
Target Objects                None [ capability ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          godot.englab.brq.redhat.com
Source RPM Packages           qemu-system-x86-0.10.6-6.fc11
Target RPM Packages
Policy RPM                    selinux-policy-3.6.12-83.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     godot.englab.brq.redhat.com
Platform                      Linux godot.englab.brq.redhat.com 2.6.30.8-64.fc11.i686.PAE #1 SMP Fri Sep 25 04:56:58 EDT 2009 i686 i686
Alert Count                   4
First Seen                    Tue 13 Oct 2009 05:03:44 PM CEST
Last Seen                     Tue 13 Oct 2009 05:03:44 PM CEST
Local ID                      9d17b05a-8a89-485c-94a5-0b8f53539688
Line Numbers

Raw Audit Messages

node=godot.englab.brq.redhat.com type=AVC msg=audit(1255446224.159:331): avc: denied { fsetid } for pid=4064 comm="qemu-kvm" capability=4 scontext=system_u:system_r:svirt_t:s0:c337,c532 tcontext=system_u:system_r:svirt_t:s0:c337,c532 tclass=capability

node=godot.englab.brq.redhat.com type=AVC msg=audit(1255446224.159:331): avc: denied { fsetid } for pid=4064 comm="qemu-kvm" capability=4 scontext=system_u:system_r:svirt_t:s0:c337,c532 tcontext=system_u:system_r:svirt_t:s0:c337,c532 tclass=capability

node=godot.englab.brq.redhat.com type=SYSCALL msg=audit(1255446224.159:331): arch=40000003 syscall=15 success=yes exit=0 a0=bfd9c1d8 a1=190 a2=bc0ff4 a3=bfd9c1d8 items=0 ppid=1 pid=4064 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c337,c532 key=(null)

Fix the entry for devpts in your /etc/fstab to look like

grep devpts /etc/fstab
devpts /dev/pts devpts gid=5,mode=620 0 0

There is an update for setup to fix this I believe.
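
The fstab check suggested in the comment above can be scripted so it reports which option is missing. This is an added example, not part of the original bug thread or of any Fedora package; the function name check_devpts_fstab and the sample fstab contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an fstab file for the devpts entry recommended in the
# comment above (options gid=5 and mode=620). check_devpts_fstab is a
# hypothetical helper name, not an existing tool.
#
# check_devpts_fstab FILE
#   returns 0 if every devpts entry carries both gid=5 and mode=620,
#           1 if a devpts entry lacks one of them (details on stdout),
#           2 if the file has no devpts entry at all.
check_devpts_fstab() {
    awk '
        /^[[:space:]]*#/ || NF < 4 { next }   # skip comments, blank/short lines
        $3 == "devpts" {                       # field 3 is the filesystem type
            found = 1
            gid = 0
            mode = 0
            n = split($4, opt, ",")            # field 4 is the option list
            for (i = 1; i <= n; i++) {
                if (opt[i] == "gid=5")    gid = 1
                if (opt[i] == "mode=620") mode = 1
            }
            if (!(gid && mode)) {
                bad = 1
                printf "line %d: options \"%s\" lack%s%s\n", NR, $4,
                       (gid ? "" : " gid=5"), (mode ? "" : " mode=620")
            }
        }
        END {
            if (!found) { print "no devpts entry"; exit 2 }
            exit (bad ? 1 : 0)
        }
    ' "$1"
}

# Constructed sample input (not taken from the reporter's machine).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# /etc/fstab (constructed sample)
tmpfs   /dev/shm  tmpfs   defaults  0 0
devpts  /dev/pts  devpts  defaults  0 0
EOF
check_devpts_fstab "$sample" || echo "exit status: $?"
rm -f "$sample"
```

On a real host, pass /etc/fstab as the argument; the script only reads the file and does not change the mount.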

Marking duplicate...

*** This bug has been marked as a duplicate of bug 515521 ***