Bug 530192 - SELinux is preventing /usr/libexec/pt_chown access to a leaked /var/lib/libvirt/images/Fedora12Beta.img file descriptor.
Status: CLOSED DUPLICATE of bug 515521
Product: Fedora
Classification: Fedora
Component: qemu
Version: rawhide
Hardware: x86_64 Linux
Priority: low, Severity: medium
Assigned To: Glauber Costa
QA Contact: Fedora Extras Quality Assurance
setroubleshoot_trace_hash:8bfa4b3a115...
Duplicates: 530189 530191
Reported: 2009-10-21 16:17 EDT by Martin Kho
Modified: 2009-10-23 09:01 EDT
Doc Type: Bug Fix
Last Closed: 2009-10-23 09:01:32 EDT
Description Martin Kho 2009-10-21 16:17:00 EDT
Summary:

SELinux is preventing /usr/libexec/pt_chown access to a leaked
/var/lib/libvirt/images/Fedora12Beta.img file descriptor.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by the pt_chown command. It looks like this is
either a leaked descriptor or pt_chown output was redirected to a file it is not
allowed to access. Leaks usually can be ignored since SELinux is just closing
the leak and reporting the error. The application does not use the descriptor,
so it will run properly. If this is a redirection, you will not get output in
the /var/lib/libvirt/images/Fedora12Beta.img. You should generate a bugzilla on
selinux-policy, and it will get routed to the appropriate package. You can
safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                system_u:system_r:ptchown_t:s0:c8,c783
Target Context                system_u:object_r:svirt_image_t:s0:c8,c783
Target Objects                /var/lib/libvirt/images/Fedora12Beta.img [ file ]
Source                        pt_chown
Source Path                   /usr/libexec/pt_chown
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           glibc-common-2.10.90-25
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-27.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.1-56.fc12.x86_64
                              #1 SMP Tue Sep 29 16:16:22 EDT 2009 x86_64 x86_64
Alert Count                   3
First Seen                    Wed 21 Oct 2009 10:08:48 PM CEST
Last Seen                     Wed 21 Oct 2009 10:08:48 PM CEST
Local ID                      fb3c42a4-1e94-4adf-9074-e7e2060a39e9
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1256155728.116:88): avc:  denied  { read write } for  pid=31233 comm="pt_chown" path="/var/lib/libvirt/images/Fedora12Beta.img" dev=sda8 ino=132856 scontext=system_u:system_r:ptchown_t:s0:c8,c783 tcontext=system_u:object_r:svirt_image_t:s0:c8,c783 tclass=file

node=(removed) type=AVC msg=audit(1256155728.116:88): avc:  denied  { read write } for  pid=31233 comm="pt_chown" path="socket:[92458]" dev=sockfs ino=92458 scontext=system_u:system_r:ptchown_t:s0:c8,c783 tcontext=system_u:system_r:svirt_t:s0:c8,c783 tclass=unix_stream_socket

node=(removed) type=AVC msg=audit(1256155728.116:88): avc:  denied  { read write } for  pid=31233 comm="pt_chown" path="/dev/net/tun" dev=tmpfs ino=6436 scontext=system_u:system_r:ptchown_t:s0:c8,c783 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file

node=(removed) type=SYSCALL msg=audit(1256155728.116:88): arch=c000003e syscall=59 success=yes exit=0 a0=32a8341869 a1=7fffdb7453e0 a2=0 a3=32a9018230 items=0 ppid=31231 pid=31233 auid=4294967295 uid=107 gid=107 euid=0 suid=0 fsuid=0 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="pt_chown" exe="/usr/libexec/pt_chown" subj=system_u:system_r:ptchown_t:s0:c8,c783 key=(null)



Hash String generated from  selinux-policy-3.6.32-27.fc12,leaks,pt_chown,ptchown_t,svirt_image_t,file,read,write
audit2allow suggests:

#============= ptchown_t ==============
allow ptchown_t svirt_image_t:file { read write };
allow ptchown_t svirt_t:unix_stream_socket { read write };
allow ptchown_t tun_tap_device_t:chr_file { read write };
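
The raw records above can be read mechanically: all three denials belong to one audit event whose SYSCALL record is an execve (syscall 59 on arch c000003e) of pt_chown, so the descriptors were inherited at exec time rather than opened by pt_chown. The following is an added example, not part of the original report and not setroubleshoot's code; the function names and the read/write/append heuristic are assumptions.

```python
import re
from collections import defaultdict

# Records from the report above, trimmed to the fields this parser reads.
SAMPLE = """\
type=AVC msg=audit(1256155728.116:88): avc:  denied  { read write } for  pid=31233 comm="pt_chown" path="/var/lib/libvirt/images/Fedora12Beta.img" scontext=system_u:system_r:ptchown_t:s0:c8,c783 tcontext=system_u:object_r:svirt_image_t:s0:c8,c783 tclass=file
type=AVC msg=audit(1256155728.116:88): avc:  denied  { read write } for  pid=31233 comm="pt_chown" path="socket:[92458]" scontext=system_u:system_r:ptchown_t:s0:c8,c783 tcontext=system_u:system_r:svirt_t:s0:c8,c783 tclass=unix_stream_socket
type=AVC msg=audit(1256155728.116:88): avc:  denied  { read write } for  pid=31233 comm="pt_chown" path="/dev/net/tun" scontext=system_u:system_r:ptchown_t:s0:c8,c783 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1256155728.116:88): arch=c000003e syscall=59 success=yes exit=0 ppid=31231 pid=31233 uid=107 euid=0 comm="pt_chown" exe="/usr/libexec/pt_chown" subj=system_u:system_r:ptchown_t:s0:c8,c783
"""

EXECVE = {("c000003e", "59")}           # x86_64 execve, as in the SYSCALL record
FD_PERMS = {"read", "write", "append"}  # assumed: permissions an open descriptor carries

def parse(line):
    """Return (event_id, record_type, fields) for one audit line, or None."""
    m = re.search(r"type=(\w+) msg=audit\(([\d.]+:\d+)\):(.*)", line)
    if not m:
        return None
    rtype, event, rest = m.groups()
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', rest)}
    perms = re.search(r"\{([^}]*)\}", rest)
    fields["perms"] = set(perms.group(1).split()) if perms else set()
    return event, rtype, fields

def mcs(context):
    """Category part of user:role:type:level:categories ('' if none; no ranges)."""
    parts = context.split(":")
    return parts[4] if len(parts) > 4 else ""

def leaked_fd_events(text):
    """Group records by audit event and report fd-style denials raised during execve."""
    events = defaultdict(lambda: defaultdict(list))
    for event, rtype, fields in filter(None, map(parse, text.splitlines())):
        events[event][rtype].append(fields)
    findings = []
    for event, recs in events.items():
        at_exec = any((s.get("arch"), s.get("syscall")) in EXECVE for s in recs["SYSCALL"])
        avcs = [a for a in recs["AVC"] if a["perms"] and a["perms"] <= FD_PERMS]
        if at_exec and avcs:
            findings.append({
                "event": event,
                "exe": recs["SYSCALL"][0].get("exe"),
                "objects": [(a.get("path"), a.get("tclass"), mcs(a["tcontext"])) for a in avcs],
                "same_mcs": [a.get("path") for a in avcs
                             if mcs(a["tcontext"]) and mcs(a["tcontext"]) == mcs(a["scontext"])],
            })
    return findings
```

The `same_mcs` list shows which leaked objects carry the same MCS categories (c8,c783) as the process, which ties the image and the socket to one sVirt guest; the tun device has no categories.
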
Comment 1 Daniel Walsh 2009-10-21 16:50:09 EDT
This is a leaked file descriptor from qemu which should be changed.

But the error is caused by a bad entry in your /etc/fstab, that was introduced in F11.

Your /etc/fstab devpts line should look like

grep devpts /etc/fstab 
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0

Otherwise svirt through glibc will attempt to fix the labeling of the pty.  Fixing this and executing mount -a should fix the problem.
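
A check for the devpts entry described in Comment 1, written as an added example that is not part of the original comment. The function name and the sample fstab fragments are constructed; only the `gid=5,mode=620` line comes from the comment.

```python
# Required options from the fstab line in Comment 1: (value, numeric base).
REQUIRED = {"gid": (5, 10), "mode": (0o620, 8)}

def devpts_problems(fstab_text):
    """List deviations of devpts entries in fstab-format text from gid=5,mode=620."""
    problems, seen = [], False
    for raw in fstab_text.splitlines():
        fields = raw.split()
        if len(fields) < 4 or fields[0].startswith("#") or fields[2] != "devpts":
            continue
        seen = True
        if fields[1] != "/dev/pts":
            problems.append(f"devpts mounted on {fields[1]}, not /dev/pts")
        # "gid=5,mode=620" -> {"gid": "5", "mode": "620"}; bare flags map to ""
        options = dict(opt.partition("=")[::2] for opt in fields[3].split(","))
        for key, (want, base) in REQUIRED.items():
            try:
                ok = int(options[key], base) == want   # mode=0620 equals mode=620
            except (KeyError, ValueError):
                ok = False
            if not ok:
                problems.append(f"{key} is {options.get(key, 'unset')!r}")
    return problems if seen else ["no devpts entry"]

# Constructed fstab fragments: the line from Comment 1, and one lacking the options.
GOOD = "devpts  /dev/pts  devpts  gid=5,mode=620  0 0\n"
BAD = "# constructed example\ndevpts  /dev/pts  devpts  defaults  0 0\n"
```

The same function accepts the text of /proc/mounts, which uses the same field layout, to confirm the running mount after `mount -a`.
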
Comment 2 Daniel Walsh 2009-10-21 16:50:52 EDT
*** Bug 530191 has been marked as a duplicate of this bug. ***
Comment 3 Daniel Walsh 2009-10-21 16:51:10 EDT
*** Bug 530189 has been marked as a duplicate of this bug. ***
Comment 4 Martin Kho 2009-10-21 17:13:33 EDT
Hi,

Thanks, it fixed it.

Martin Kho
Comment 5 Mark McLoughlin 2009-10-23 09:01:32 EDT
The leaked file descriptor issue is tracked by bug #528134

The underlying issue with devpts in /dev/pts is bug #515521

*** This bug has been marked as a duplicate of bug 515521 ***
