Bug 771105 - SELinux is preventing /usr/lib/xen/bin/qemu-dm from read, write access on the chr_file ptmx.
Summary: SELinux is preventing /usr/lib/xen/bin/qemu-dm from read, write access on the...
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 16
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:ae486981b075724414c2da537f0...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-01-01 12:03 UTC by Robin Green
Modified: 2013-02-14 02:01 UTC (History)
5 users (show)

Fixed In Version: selinux-policy-3.10.0-72.fc16
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-02-14 02:00:57 UTC
Type: ---


Attachments (Terms of Use)
avcs (16.03 KB, text/plain)
2012-01-05 23:10 UTC, Robin Green
no flags Details
avcs after semodule -d unconfined (3.63 KB, text/plain)
2012-01-07 07:06 UTC, Robin Green
no flags Details

Description Robin Green 2012-01-01 12:03:58 UTC
libreport version: 2.0.8
executable:     /usr/bin/sealert
hashmarkername: setroubleshoot
kernel:         3.1.6-1.fc16.x86_64
reason:         SELinux is preventing /usr/lib/xen/bin/qemu-dm from read, write access on the chr_file ptmx.
time:           Sun 01 Jan 2012 11:59:21 AM GMT

description:
:SELinux is preventing /usr/lib/xen/bin/qemu-dm from read, write access on the chr_file ptmx.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that qemu-dm should be allowed read write access on the ptmx chr_file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep qemu-dm /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:qemu_dm_t:s0
:Target Context                system_u:object_r:ptmx_t:s0
:Target Objects                ptmx [ chr_file ]
:Source                        qemu-dm
:Source Path                   /usr/lib/xen/bin/qemu-dm
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           xen-runtime-4.1.2-2.fc16
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-69.fc16
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.1.6-1.fc16.x86_64 #1 SMP Wed Dec
:                              21 22:41:17 UTC 2011 x86_64 x86_64
:Alert Count                   1
:First Seen                    Sun 01 Jan 2012 10:11:51 AM GMT
:Last Seen                     Sun 01 Jan 2012 10:11:51 AM GMT
:Local ID                      b7abad9a-121c-431f-bca3-521c9e67f9a0
:
:Raw Audit Messages
:type=AVC msg=audit(1325412711.702:137): avc:  denied  { read write } for  pid=3348 comm="qemu-dm" name="ptmx" dev=devtmpfs ino=1121 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
:
:
:type=SYSCALL msg=audit(1325412711.702:137): arch=x86_64 syscall=open success=no exit=EACCES a0=306bd7392d a1=2 a2=0 a3=7fff7c6900b0 items=0 ppid=1308 pid=3348 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=qemu-dm exe=/usr/lib/xen/bin/qemu-dm subj=system_u:system_r:qemu_dm_t:s0 key=(null)
:
:Hash: qemu-dm,qemu_dm_t,ptmx_t,chr_file,read,write
:
:audit2allow
:
:#============= qemu_dm_t ==============
:allow qemu_dm_t ptmx_t:chr_file { read write };
:
:audit2allow -R
:
:#============= qemu_dm_t ==============
:allow qemu_dm_t ptmx_t:chr_file { read write };
:

Comment 1 Robin Green 2012-01-01 12:05:58 UTC
This was triggered by the following command:

sudo virt-install -l http://download.fedoraproject.org/pub/fedora/linux/releases/16/Fedora/x86_64/os --ram 1024 --disk /home/greenrd/f16.img,size=10 --name F16

which failed.

Comment 2 Miroslav Grepl 2012-01-02 08:50:34 UTC
I think we could consider to run qemu-dm in the xend_t domain.

Robin,
could you try to execute

chcon -t bin_t /usr/lib/xen/bin/qemu-dm 

and re-test it. Thank you.

Comment 3 Robin Green 2012-01-02 10:32:38 UTC
(In reply to comment #2)
> chcon -t bin_t /usr/lib/xen/bin/qemu-dm 
> 
> and re-test it. Thank you.

That worked - thanks!

Although, I am still puzzled about what happened previously, because even after running audit2allow and semodule -i on the first denied message, and running my command again which produced a different denied message, and running audit2allow and semodule -i on both messages, my command still failed in the same way, without any denied messages in audit.log! So I had to setenforce 0 - that was the only way to make it work, before you gave me this solution.

Note: to undo my workarounds, I ran

semodule -r virt-install
setenforce 1

before running this test.

Comment 4 Robin Green 2012-01-02 10:36:19 UTC
Ah, I apologise, there were plenty of avc denied messages previously - I just didn't see them, because for some reason sealert didn't tell me about them.

There were no avc denied messages when I ran it just now.

Comment 5 Daniel Walsh 2012-01-03 16:28:11 UTC
That seems like a good idea.

Comment 6 Robin Green 2012-01-04 20:05:01 UTC
Unfortunately I am now getting a number of avc denied messages when I try to use xend and virt-manager, which I didn't get before. I'm not sure whether this change is the cause of that though.

Comment 7 Daniel Walsh 2012-01-05 15:07:17 UTC
Could you attach the AVC's

Comment 8 Robin Green 2012-01-05 23:10:05 UTC
Created attachment 551037 [details]
avcs

Comment 9 Miroslav Grepl 2012-01-06 11:37:31 UTC
Ok, the problem is most of xend files/dirs are created with virt_*_t label because there is no transition.

Could you execute these steps

# semodule -d unconfined
# setenforce 0

re-test it please

# ausearch -m avc -ts recent > /tmp/avc-excerpt1.txt
# semodule -e unconfined
# setenforce 1

Comment 10 Robin Green 2012-01-07 07:06:05 UTC
Created attachment 551338 [details]
avcs after semodule -d unconfined

Comment 11 Robin Green 2012-01-07 07:08:12 UTC
I should clarify that comment 6 above refers to me performing *other* actions involving xen, *not* the virt-install command. Just wanted to make sure that was clear.

Comment 12 Miroslav Grepl 2012-01-12 13:30:47 UTC
I added fixed to selinux-policy-3.10.0-72.fc16

Comment 13 Fedora Update System 2012-01-17 15:18:44 UTC
selinux-policy-3.10.0-72.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-72.fc16

Comment 14 Fedora Update System 2012-01-17 20:29:09 UTC
Package selinux-policy-3.10.0-72.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-72.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-0639/selinux-policy-3.10.0-72.fc16
then log in and leave karma (feedback).

Comment 15 Fedora Update System 2012-01-22 22:53:23 UTC
selinux-policy-3.10.0-72.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Martin Dengler 2012-04-02 06:09:24 UTC
Hi - I have selinux-policy 3.10.0-80.fc16 and am still getting the original problem (AVC below).

If I run the suggestion from comment #2

chcon -t bin_t /usr/lib/xen/bin/qemu-dm 

I get past the problem.  I still get more denials.

Is there something other than having the latest selinux-policy installed that is required?

Is the latest selinux-policy supposed to have fixed the original and subsequent (comment #9, perhaps?) problems?

# rpm -qi selinux-policy
Name        : selinux-policy
Version     : 3.10.0
Release     : 80.fc16
Architecture: noarch
Install Date: Mon 26 Mar 2012 09:07:47 AM HKT
Group       : System Environment/Base
Size        : 9284469
License     : GPLv2+
Signature   : RSA/SHA256, Wed 21 Mar 2012 12:28:33 AM HKT, Key ID 067f00b6a82ba4b7
Source RPM  : selinux-policy-3.10.0-80.fc16.src.rpm
Build Date  : Tue 13 Mar 2012 07:29:08 PM HKT
Build Host  : x86-07.phx2.fedoraproject.org
Relocations : (not relocatable)
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision  2.20091117


# sealert -l 4b65b35f-6bb1-49f9-91e4-ac11d512e7c1
No protocol specified
No protocol specified
No protocol specified
No protocol specified
SELinux is preventing /usr/lib/xen/bin/qemu-dm from 'read, write' accesses on the chr_file ptmx.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that qemu-dm should be allowed read write access on the ptmx chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep qemu-dm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:qemu_dm_t:s0
Target Context                system_u:object_r:ptmx_t:s0
Target Objects                ptmx [ chr_file ]
Source                        qemu-dm
Source Path                   /usr/lib/xen/bin/qemu-dm
Port                          <Unknown>
Host                          zz
Source RPM Packages           xen-runtime-4.1.2-6.fc16.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-80.fc16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     zz
Platform                      Linux zz 3.3.0-8.fc16.x86_64 #1 SMP Thu Mar 29
                              18:37:19 UTC 2012 x86_64 x86_64
Alert Count                   7
First Seen                    Mon 02 Apr 2012 01:16:59 PM HKT
Last Seen                     Mon 02 Apr 2012 02:00:21 PM HKT
Local ID                      4b65b35f-6bb1-49f9-91e4-ac11d512e7c1

Raw Audit Messages
type=AVC msg=audit(1333346421.265:13013): avc:  denied  { read write } for  pid=32161 comm="qemu-dm" name="ptmx" dev="devtmpfs" ino=1132 scontext=system_u:system_r:qemu_dm_t:
s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file


type=SYSCALL msg=audit(1333346421.265:13013): arch=x86_64 syscall=open success=no exit=EACCES a0=7fa4a6d5040d a1=2 a2=0 a3=7fff8cc8e130 items=0 ppid=1432 pid=32161 auid=42949
67295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=qemu-dm exe=/usr/lib/xen/bin/qemu-dm subj=system_u:system_r:qemu_dm_t:s0 key=(nul
l)

Hash: qemu-dm,qemu_dm_t,ptmx_t,chr_file,read,write

audit2allow

#============= qemu_dm_t ==============
allow qemu_dm_t ptmx_t:chr_file { read write };

audit2allow -R

#============= qemu_dm_t ==============
allow qemu_dm_t ptmx_t:chr_file { read write };

Comment 17 Miroslav Grepl 2012-04-02 12:32:53 UTC
I apologize, my fault. 

This has been fixed only in F17. Backporting fixes to F16.

Comment 18 Fedora End Of Life 2013-02-14 02:01:13 UTC
Fedora 16 changed to end-of-life (EOL) status on 2013-02-12. Fedora 16 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.


Note You need to log in before you can comment on or make changes to this bug.