Bug 721193 - With unconfined disabled, can't virsh console
Summary: With unconfined disabled, can't virsh console
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 15
Hardware: All
OS: Linux
unspecified
low
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-07-14 01:35 UTC by Robin Powell
Modified: 2011-07-18 22:32 UTC

Fixed In Version: selinux-policy-3.9.16-34.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-07-18 22:32:48 UTC
Type: ---



Description Robin Powell 2011-07-14 01:35:57 UTC
Description of problem:

Dan Walsh has seen full details here, and agrees this is a bug, so the report here will be somewhat abbreviated.

Basically, with the unconfined module disabled:

rlpowell@basti> sudo virsh console vrici
Connected to domain vrici
Escape character is ^]
error: Unable to open stream for '/dev/pts/3': Permission denied

which is bad.

Version-Release number of selected component (if applicable):

3.9.16-32.fc15

How reproducible:

Disable unconfined.  Try to virsh console.

Additional info:

The following module fixes it:


rlpowell@basti> cat myvirt.te

module myvirt 1.0;

require {
        type virtd_t;
        type svirt_devpts_t;
        class chr_file { read write open };
}

#============= virtd_t ==============
#!!!! This avc can be allowed using the boolean 'allow_daemons_use_tty'

allow virtd_t svirt_devpts_t:chr_file open;
#!!!! This avc is allowed in the current policy

allow virtd_t svirt_devpts_t:chr_file { read write };
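
Added example, not part of the original report or of the selinux-policy project: a small Python check that compares a local module's allow rules against the AVC denials in an audit log, so a workaround like myvirt.te can be reviewed for gaps and for grants no logged denial justifies. The audit records are constructed sample input, and the function names are this example's own.

```python
import re
from collections import defaultdict

# allow rules copied from the myvirt.te module in the report
MODULE_TE = """
allow virtd_t svirt_devpts_t:chr_file open;
allow virtd_t svirt_devpts_t:chr_file { read write };
"""

# Constructed audit records: pid, inode, MCS categories and the ioctl denial are
# made up to exercise both outputs; they are not taken from the reporter's log.
AUDIT_LOG = """
type=AVC msg=audit(1310607357.101:88): avc:  denied  { open } for  pid=1402 comm="libvirtd" name="3" dev=devpts ino=6 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_devpts_t:s0:c12,c34 tclass=chr_file
type=AVC msg=audit(1310607357.230:89): avc:  denied  { ioctl } for  pid=1402 comm="libvirtd" name="3" dev=devpts ino=6 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_devpts_t:s0:c12,c34 tclass=chr_file
"""

ALLOW_RE = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;", re.M)
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=[^:]+:[^:]+:([^:\s]+)"
                    r".*?tcontext=[^:]+:[^:]+:([^:\s]+).*?tclass=(\w+)")

def collect(matches):
    """Group (perms, source, target, class) tuples into a key -> permission set map."""
    table = defaultdict(set)
    for perms, src, tgt, cls in matches:
        table[(src, tgt, cls)].update(perms.split())
    return table

def diff(a, b):
    """Permissions present in a but not in b, rendered as sorted allow rules."""
    out = []
    for (src, tgt, cls), perms in sorted(a.items()):
        extra = sorted(perms - b.get((src, tgt, cls), set()))
        if extra:
            out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(extra)} }};")
    return out

def review(te_text, log_text):
    """Return (denials the module misses, grants no logged denial justifies)."""
    g = collect((many or one, s, t, c) for s, t, c, many, one in ALLOW_RE.findall(te_text))
    d = collect(AVC_RE.findall(log_text))
    return diff(d, g), diff(g, d)

if __name__ == "__main__":
    missing, unjustified = review(MODULE_TE, AUDIT_LOG)
    print("not covered by module:", missing)
    print("granted without a logged denial:", unjustified)
```
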

Comment 1 Daniel Walsh 2011-07-14 14:23:52 UTC
Miroslav, I have a fix for this in Rawhide.  Needs to be backported to RHEL6 also.

Comment 2 Miroslav Grepl 2011-07-15 14:36:44 UTC
Fixed in selinux-policy-3.9.16-34.fc15

Comment 3 Fedora Update System 2011-07-15 15:44:03 UTC
selinux-policy-3.9.16-34.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-34.fc15

Comment 4 Fedora Update System 2011-07-16 07:28:58 UTC
Package selinux-policy-3.9.16-34.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-34.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-34.fc15
then log in and leave karma (feedback).

Comment 5 Robin Powell 2011-07-18 01:10:29 UTC
Looking good, thank you!

-Robin

Comment 6 Fedora Update System 2011-07-18 22:31:29 UTC
selinux-policy-3.9.16-34.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

