Summary:

SELinux is preventing /usr/libexec/pt_chown access to a leaked /var/lib/libvirt/images/Fedora12Beta.img file descriptor.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by the pt_chown command. It looks like this is either a leaked descriptor or pt_chown output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the /var/lib/libvirt/images/Fedora12Beta.img. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                system_u:system_r:ptchown_t:s0:c8,c783
Target Context                system_u:object_r:svirt_image_t:s0:c8,c783
Target Objects                /var/lib/libvirt/images/Fedora12Beta.img [ file ]
Source                        pt_chown
Source Path                   /usr/libexec/pt_chown
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           glibc-common-2.10.90-25
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-27.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.1-56.fc12.x86_64 #1 SMP Tue Sep 29 16:16:22 EDT 2009 x86_64 x86_64
Alert Count                   3
First Seen                    Wed 21 Oct 2009 10:08:48 PM CEST
Last Seen                     Wed 21 Oct 2009 10:08:48 PM CEST
Local ID                      fb3c42a4-1e94-4adf-9074-e7e2060a39e9
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1256155728.116:88): avc: denied { read write } for pid=31233 comm="pt_chown" path="/var/lib/libvirt/images/Fedora12Beta.img" dev=sda8 ino=132856 scontext=system_u:system_r:ptchown_t:s0:c8,c783 tcontext=system_u:object_r:svirt_image_t:s0:c8,c783 tclass=file

node=(removed) type=AVC msg=audit(1256155728.116:88): avc: denied { read write } for pid=31233 comm="pt_chown" path="socket:[92458]" dev=sockfs ino=92458 scontext=system_u:system_r:ptchown_t:s0:c8,c783 tcontext=system_u:system_r:svirt_t:s0:c8,c783 tclass=unix_stream_socket

node=(removed) type=AVC msg=audit(1256155728.116:88): avc: denied { read write } for pid=31233 comm="pt_chown" path="/dev/net/tun" dev=tmpfs ino=6436 scontext=system_u:system_r:ptchown_t:s0:c8,c783 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file

node=(removed) type=SYSCALL msg=audit(1256155728.116:88): arch=c000003e syscall=59 success=yes exit=0 a0=32a8341869 a1=7fffdb7453e0 a2=0 a3=32a9018230 items=0 ppid=31231 pid=31233 auid=4294967295 uid=107 gid=107 euid=0 suid=0 fsuid=0 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="pt_chown" exe="/usr/libexec/pt_chown" subj=system_u:system_r:ptchown_t:s0:c8,c783 key=(null)

Hash String generated from selinux-policy-3.6.32-27.fc12,leaks,pt_chown,ptchown_t,svirt_image_t,file,read,write

audit2allow suggests:

#============= ptchown_t ==============
allow ptchown_t svirt_image_t:file { read write };
allow ptchown_t svirt_t:unix_stream_socket { read write };
allow ptchown_t tun_tap_device_t:chr_file { read write };
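One way to recognise the leaked-descriptor pattern in the raw audit messages above, as an added example that is not part of the original report and not setroubleshoot's own code: it groups records by audit event ID and flags denials that share an event with a successful execve. The heuristic, the function names, and the last two sample records (example_t, /usr/bin/example) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
EXECVE_X86_64 = ("c000003e", "59")  # arch and syscall number of execve on x86_64

# The three AVC records and the SYSCALL record from the report (SYSCALL trimmed to
# the fields used here); the last two records are constructed for contrast.
SAMPLE = [
    'node=(removed) type=AVC msg=audit(1256155728.116:88): avc: denied { read write } for pid=31233 comm="pt_chown" path="/var/lib/libvirt/images/Fedora12Beta.img" dev=sda8 ino=132856 scontext=system_u:system_r:ptchown_t:s0:c8,c783 tcontext=system_u:object_r:svirt_image_t:s0:c8,c783 tclass=file',
    'node=(removed) type=AVC msg=audit(1256155728.116:88): avc: denied { read write } for pid=31233 comm="pt_chown" path="socket:[92458]" dev=sockfs ino=92458 scontext=system_u:system_r:ptchown_t:s0:c8,c783 tcontext=system_u:system_r:svirt_t:s0:c8,c783 tclass=unix_stream_socket',
    'node=(removed) type=AVC msg=audit(1256155728.116:88): avc: denied { read write } for pid=31233 comm="pt_chown" path="/dev/net/tun" dev=tmpfs ino=6436 scontext=system_u:system_r:ptchown_t:s0:c8,c783 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file',
    'node=(removed) type=SYSCALL msg=audit(1256155728.116:88): arch=c000003e syscall=59 success=yes exit=0 ppid=31231 pid=31233 uid=107 euid=0 comm="pt_chown" exe="/usr/libexec/pt_chown" subj=system_u:system_r:ptchown_t:s0:c8,c783',
    'type=AVC msg=audit(1256155800.000:91): avc: denied { read } for pid=400 comm="example" path="/etc/example.conf" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1256155800.000:91): arch=c000003e syscall=2 success=no exit=-13 pid=400 comm="example" exe="/usr/bin/example"',
]

def parse(line):
    """Return (event_id, fields) for an audit record, or None for other lines."""
    m = EVENT_ID.search(line)
    if not m:
        return None
    return m.group(1), {k: v.strip('"') for k, v in FIELD.findall(line)}

def leaked_fd_events(lines):
    """Map event id -> exe and denied objects for denials raised during execve.

    Heuristic assumed by this example: denials that share an audit event with a
    successful execve are descriptors the new domain inherited, not fresh opens.
    """
    events = defaultdict(lambda: {"avc": [], "syscall": {}})
    for eid, fields in filter(None, map(parse, lines)):
        if fields.get("type") == "AVC":
            events[eid]["avc"].append((fields.get("path"), fields.get("tclass")))
        elif fields.get("type") == "SYSCALL":
            events[eid]["syscall"] = fields
    report = {}
    for eid, ev in events.items():
        sc = ev["syscall"]
        is_exec = (sc.get("arch"), sc.get("syscall")) == EXECVE_X86_64
        if is_exec and sc.get("success") == "yes" and ev["avc"]:
            report[eid] = {"exe": sc.get("exe"), "objects": ev["avc"]}
    return report

if __name__ == "__main__":
    for eid, hit in leaked_fd_events(SAMPLE).items():
        print(eid, hit["exe"], hit["objects"])
```

Only event 1256155728.116:88 is reported: the disk image, the UNIX socket and /dev/net/tun were all already open when pt_chown was executed, while the constructed denial on an open() is left out.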
This is a leaked file descriptor from qemu which should be changed. But the error is caused by a bad entry in your /etc/fstab, that was introduced in F11.

Your /etc/fstab devpts line should look like

grep devpts /etc/fstab
devpts /dev/pts devpts gid=5,mode=620 0 0

Otherwise svirt through glibc will attempt to fix the labeling of the pty.

Fixing this and executing mount -a should fix the problem.
*** Bug 530191 has been marked as a duplicate of this bug. ***
*** Bug 530189 has been marked as a duplicate of this bug. ***
Hi,

Thanks, it fixed it.

Martin Kho
The leaked file descriptor issue is tracked by bug #528134
The underlying issue with devpts in /dev/pts is bug #515521

*** This bug has been marked as a duplicate of bug 515521 ***