Description of problem:
When running virt workflow, we're getting the following AVC error:

type=AVC msg=audit(1369347825.490:22): avc: denied { read write } for pid=7136 comm="virsh" path="/dev/ptmx" dev=tmpfs ino=1102 scontext=system_u:system_r:xm_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file

You can see an example job here:
https://beaker.engineering.redhat.com/jobs/422183

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-338.el5

How reproducible:
very

Steps to Reproduce:
1. You can try to clone the job or one of the recipesets in it.
2.
3.

Actual results:

Expected results:

Additional info:
It seems that the AVC appeared in enforcing mode, but success=yes. Could it be a leaked file descriptor?
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.
(In reply to Milos Malik from comment #1)
> It seems that the AVC appeared in enforcing mode, but success=yes. Could it
> be a leaked file descriptor?

Yes, it turns out that this might be caused by one of the test helpers in which for each guest we're forking a pty to execute virsh console $guest on it and there could be leaked file descriptors during this process. Just testing our fix and will update this once it's done.
If you run ausearch -m avc -i and it says the syscall is execv, it is almost always a leaked file descriptor.
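
The triage rule from the comments above, as an added example that is not part of the original thread: it groups audit records by event ID and reports AVC denials whose accompanying SYSCALL record is a successful execve. The sample records are constructed (only the first AVC line comes from the report), and the parser assumes interpreted `ausearch -m avc -i` style output in which the syscall appears by name.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC from the report plus hypothetical SYSCALL
# records and an unrelated denial, with syscall names as `ausearch -i` shows.
SAMPLE = """\
type=AVC msg=audit(1369347825.490:22): avc: denied { read write } for pid=7136 comm="virsh" path="/dev/ptmx" dev=tmpfs ino=1102 scontext=system_u:system_r:xm_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1369347825.490:22): arch=x86_64 syscall=execve success=yes exit=0 pid=7136 comm="virsh" exe="/usr/bin/virsh"
type=AVC msg=audit(1369347900.101:31): avc: denied { read } for pid=7200 comm="cat" name="messages" dev=dm-0 ino=4242 scontext=system_u:system_r:xm_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1369347900.101:31): arch=x86_64 syscall=open success=no exit=-13 pid=7200 comm="cat" exe="/bin/cat"
"""

EVENT_ID = re.compile(r"msg=audit\(([^)]+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"denied\s+\{([^}]*)\}")

def likely_leaked_fds(text):
    """Return AVC denials whose event's syscall is a successful execve."""
    events = defaultdict(lambda: {"avc": [], "syscall": None})
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if fields.get("type") == "AVC":
            perms = PERMS.search(line)
            fields["perms"] = perms.group(1).split() if perms else []
            events[m.group(1)]["avc"].append(fields)
        elif fields.get("type") == "SYSCALL":
            events[m.group(1)]["syscall"] = fields
    hits = []
    for event_id, ev in events.items():
        sc = ev["syscall"]
        # At exec time SELinux closes inherited descriptors the new domain may
        # not use and logs the denial, while the execve itself still succeeds.
        if sc and sc.get("syscall") == "execve" and sc.get("success") == "yes":
            for avc in ev["avc"]:
                hits.append((event_id, avc.get("comm"), avc.get("path"), avc["perms"]))
    return hits

if __name__ == "__main__":
    for hit in likely_leaked_fds(SAMPLE):
        print(hit)
```

A hit points at the parent process that opened the descriptor without close-on-exec, not at the policy for the domain named in scontext.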