Bug 1057488
Summary: | SELinux is preventing /usr/bin/vmtoolsd from 'write' accesses on the directory /tmp. | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Sitsofe Wheeler <sitsofe> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 20 | CC: | dominick.grift, dwalsh, john, joshua, lvrabec, mgrepl, trond.myklebust |
Target Milestone: | --- | Keywords: | Reopened |
Target Release: | --- | | |
Hardware: | x86_64 | | |
OS: | Unspecified | | |
Whiteboard: | abrt_hash:3af4c4013a02ce5029b7eab210cfefdabbf5f5ea8bca48168bfebeb7da94a4fe | | |
Fixed In Version: | selinux-policy-3.12.1-127.fc20 | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2014-03-12 12:16:11 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Sitsofe Wheeler
2014-01-24 08:52:40 UTC
Description of problem:
Running Fedora in a VM and the VMware Tools attempted to run on launch of the VM.

Additional info:
reporter: libreport-2.1.11
hashmarkername: setroubleshoot
kernel: 3.12.8-300.fc20.x86_64
type: libreport

On inspection by using `grep avc /var/log/audit/audit.log` there are more denials:

```
type=AVC msg=audit(1390553414.405:879): avc: denied { read } for pid=381 comm="vmtoolsd" name="meminfo" dev="proc" ino=4026532027 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1390554727.449:23): avc: denied { sys_time } for pid=380 comm="vmtoolsd" capability=25 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:system_r:vmtools_t:s0 tclass=capability
type=AVC msg=audit(1390554727.450:24): avc: denied { sys_time } for pid=380 comm="vmtoolsd" capability=25 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:system_r:vmtools_t:s0 tclass=capability
type=AVC msg=audit(1390554727.450:25): avc: denied { sys_time } for pid=380 comm="vmtoolsd" capability=25 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:system_r:vmtools_t:s0 tclass=capability
type=AVC msg=audit(1390554727.454:26): avc: denied { read } for pid=380 comm="vmtoolsd" name="uptime" dev="proc" ino=4026532029 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1390554727.457:27): avc: denied { sys_rawio } for pid=380 comm="vmtoolsd" capability=17 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:system_r:vmtools_t:s0 tclass=capability
type=AVC msg=audit(1390554727.460:29): avc: denied { execute } for pid=424 comm="vmtoolsd" name="bash" dev="sda2" ino=34071102 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1390554727.467:31): avc: denied { write } for pid=380 comm="vmtoolsd" name="/" dev="tmpfs" ino=11892 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1390554727.467:32): avc: denied { read } for pid=380 comm="vmtoolsd" name="/" dev="tmpfs" ino=11892 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1390554727.467:33): avc: denied { write } for pid=380 comm="vmtoolsd" name="/" dev="tmpfs" ino=11892 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1390554727.467:34): avc: denied { write } for pid=380 comm="vmtoolsd" name="/" dev="tmpfs" ino=11892 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1390554727.467:35): avc: denied { write } for pid=380 comm="vmtoolsd" name="/" dev="tmpfs" ino=11892 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1390554727.467:36): avc: denied { write } for pid=380 comm="vmtoolsd" name="/" dev="tmpfs" ino=11892 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1390554727.467:37): avc: denied { write } for pid=380 comm="vmtoolsd" name="/" dev="tmpfs" ino=11892 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1390554727.467:38): avc: denied { write } for pid=380 comm="vmtoolsd" name="/" dev="tmpfs" ino=11892 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
```

Scraping all my audit logs using `grep "avc: de" audit.log* | sort | uniq -f 13 -c | grep vmtoolsd` shows the following:

```
      5 audit.log:type=AVC msg=audit(1390537553.740:27914): avc: denied { getattr } for pid=5619 comm="updatedb" path="/usr/bin/vmtoolsd" dev="sda2" ino=34738378 scontext=system_u:system_r:locate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
      1 audit.log:type=AVC msg=audit(1390553384.398:28): avc: denied { execute } for pid=432 comm="vmtoolsd" name="bash" dev="sda2" ino=34071102 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
    253 audit.log:type=AVC msg=audit(1390553384.444:29): avc: denied { write } for pid=381 comm="vmtoolsd" name="/" dev="tmpfs" ino=13435 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
      3 audit.log:type=AVC msg=audit(1390553384.450:282): avc: denied { sys_time } for pid=381 comm="vmtoolsd" capability=25 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:system_r:vmtools_t:s0 tclass=capability
      1 audit.log:type=AVC msg=audit(1390553384.455:285): avc: denied { read } for pid=381 comm="vmtoolsd" name="uptime" dev="proc" ino=4026532029 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
      1 audit.log:type=AVC msg=audit(1390553384.456:286): avc: denied { sys_rawio } for pid=381 comm="vmtoolsd" capability=17 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:system_r:vmtools_t:s0 tclass=capability
    253 audit.log:type=AVC msg=audit(1390553384.456:287): avc: denied { write } for pid=381 comm="vmtoolsd" name="/" dev="tmpfs" ino=13435 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
      1 audit.log:type=AVC msg=audit(1390553414.399:875): avc: denied { read } for pid=381 comm="vmtoolsd" name="devices" dev="proc" ino=4026532024 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
      1 audit.log:type=AVC msg=audit(1390553414.400:876): avc: denied { getattr } for pid=381 comm="vmtoolsd" path="/dev/sda1" dev="devtmpfs" ino=1593 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
      1 audit.log:type=AVC msg=audit(1390553414.401:877): avc: denied { read } for pid=381 comm="vmtoolsd" name="dev" dev="proc" ino=4026531975 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
      2 audit.log:type=AVC msg=audit(1390553414.404:878): avc: denied { read } for pid=381 comm="vmtoolsd" name="uptime" dev="proc" ino=4026532029 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
      3 audit.log:type=AVC msg=audit(1390554727.449:23): avc: denied { sys_time } for pid=380 comm="vmtoolsd" capability=25 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:system_r:vmtools_t:s0 tclass=capability
      1 audit.log:type=AVC msg=audit(1390554727.454:26): avc: denied { read } for pid=380 comm="vmtoolsd" name="uptime" dev="proc" ino=4026532029 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
      1 audit.log:type=AVC msg=audit(1390554727.457:27): avc: denied { sys_rawio } for pid=380 comm="vmtoolsd" capability=17 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:system_r:vmtools_t:s0 tclass=capability
      1 audit.log:type=AVC msg=audit(1390554727.460:29): avc: denied { execute } for pid=424 comm="vmtoolsd" name="bash" dev="sda2" ino=34071102 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
    253 audit.log:type=AVC msg=audit(1390554727.467:31): avc: denied { write } for pid=380 comm="vmtoolsd" name="/" dev="tmpfs" ino=11892 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
      1 audit.log:type=AVC msg=audit(1390554757.452:707): avc: denied { read } for pid=380 comm="vmtoolsd" name="devices" dev="proc" ino=4026532024 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
      1 audit.log:type=AVC msg=audit(1390554757.453:708): avc: denied { getattr } for pid=380 comm="vmtoolsd" path="/dev/sda1" dev="devtmpfs" ino=7944 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
      1 audit.log:type=AVC msg=audit(1390554757.454:709): avc: denied { read } for pid=380 comm="vmtoolsd" name="dev" dev="proc" ino=4026531975 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
      2 audit.log:type=AVC msg=audit(1390554757.455:710): avc: denied { read } for pid=380 comm="vmtoolsd" name="uptime" dev="proc" ino=4026532029 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
```

vmtools should be a permissive domain.

f00de9355ade76a31c440d38cd87e94c76b59bb6 adds these rules to git.

selinux-policy-3.12.1-121.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-121.fc20

Package selinux-policy-3.12.1-121.fc20:

* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.

Update it with:
`# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-121.fc20'`
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-1700/selinux-policy-3.12.1-121.fc20
then log in and leave karma (feedback).

One AVC remaining after installing selinux-policy{,-targeted}-3.12.1-121.fc20:

```
type=AVC msg=audit(1390968317.814:422): avc: denied { getattr } for pid=617 comm="vmtoolsd" name="/" dev="dm-1" ino=2 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
```

Package selinux-policy-3.12.1-122.fc20:

* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.

Update it with:
`# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-122.fc20'`
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-1700/selinux-policy-3.12.1-122.fc20
then log in and leave karma (feedback).

Unfortunately selinux-policy-3.12.1-122.fc20.noarch does not solve all the VMware Tools problems. If I make VMware shut down the guest, another round of denials occur:

```
type=AVC msg=audit(1391678717.211:376): avc: denied { execute } for pid=1904 comm="vmtoolsd" name="poweroff-vm-default" dev="sda2" ino=821407 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1391678717.211:376): avc: denied { execute_no_trans } for pid=1904 comm="vmtoolsd" path="/etc/vmware-tools/poweroff-vm-default" dev="sda2" ino=821407 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1391678717.347:377): avc: denied { getattr } for pid=1917 comm="which" path="/usr/sbin/ifconfig" dev="sda2" ino=68707287 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1391678717.463:378): avc: denied { execute } for pid=1923 comm="sh" name="systemctl" dev="sda2" ino=34494703 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=AVC msg=audit(1391678717.463:378): avc: denied { read open } for pid=1923 comm="sh" path="/usr/bin/systemctl" dev="sda2" ino=34494703 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=AVC msg=audit(1391678717.463:378): avc: denied { execute_no_trans } for pid=1923 comm="sh" path="/usr/bin/systemctl" dev="sda2" ino=34494703 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=AVC msg=audit(1391678717.465:379): avc: denied { read } for pid=1923 comm="shutdown" name="root" dev="proc" ino=7829 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=lnk_file
type=AVC msg=audit(1391678717.465:379): avc: denied { read } for pid=1923 comm="shutdown" scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1391678717.467:380): avc: denied { connectto } for pid=1923 comm="shutdown" path="/run/systemd/private" scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=USER_AVC msg=audit(1391678717.526:381): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=-1 uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1391678717.529:382): avc: denied { read } for pid=1923 comm="shutdown" name="utmp" dev="tmpfs" ino=15384 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1391678717.529:382): avc: denied { open } for pid=1923 comm="shutdown" path="/run/utmp" dev="tmpfs" ino=15384 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1391678717.530:383): avc: denied { lock } for pid=1923 comm="shutdown" path="/run/utmp" dev="tmpfs" ino=15384 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
```

selinux-policy-3.12.1-122.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

Reopening. I don't even know why this was closed - I mentioned there are still problems in comment #8...

commit 61bc70fc1f6c167e8ea4366ef7c3564b5d429102
Author: Miroslav Grepl <mgrepl>
Date: Tue Feb 18 13:46:08 2014 +0100

Add vmtools_helper_t for helper scripts. Allow vmtools to shut down a host and run ifconfig.

selinux-policy-3.12.1-126.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-126.fc20

Package selinux-policy-3.12.1-126.fc20:

* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.

Update it with:
`# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-126.fc20'`
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-2801/selinux-policy-3.12.1-126.fc20
then log in and leave karma (feedback).

Nearly there - when using the VMware host's features (Shutdown, Restart, Suspend) there are the following from `grep avc /var/log/audit/audit.log{,.1}`:

```
/var/log/audit/audit.log:type=AVC msg=audit(1393149761.497:365): avc: denied { transition } for pid=1376 comm="vmware-user-sui" path="/usr/bin/vmtoolsd" dev="sda2" ino=34738378 scontext=unconfined_u:unconfined_r:vmtools_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:vmtools_t:s0-s0:c0.c1023 tclass=process
/var/log/audit/audit.log:type=USER_AVC msg=audit(1393149777.972:379): pid=427 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.54 spid=522 tpid=1674 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:vmtools_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
/var/log/audit/audit.log:type=AVC msg=audit(1393149965.016:364): avc: denied { transition } for pid=1383 comm="vmware-user-sui" path="/usr/bin/vmtoolsd" dev="sda2" ino=34738378 scontext=unconfined_u:unconfined_r:vmtools_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:vmtools_t:s0-s0:c0.c1023 tclass=process
/var/log/audit/audit.log.1:type=AVC msg=audit(1392800649.158:351): avc: denied { transition } for pid=1335 comm="vmware-user-sui" path="/usr/bin/vmtoolsd" dev="sda2" ino=34738378 scontext=unconfined_u:unconfined_r:vmtools_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:vmtools_t:s0-s0:c0.c1023 tclass=process
/var/log/audit/audit.log.1:type=AVC msg=audit(1392800894.142:396): avc: denied { transition } for pid=2496 comm="vmware-user-sui" path="/usr/bin/vmtoolsd" dev="sda2" ino=34738378 scontext=unconfined_u:unconfined_r:vmtools_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:vmtools_t:s0-s0:c0.c1023 tclass=process
/var/log/audit/audit.log.1:type=AVC msg=audit(1392800943.770:364): avc: denied { transition } for pid=1381 comm="vmware-user-sui" path="/usr/bin/vmtoolsd" dev="sda2" ino=34738378 scontext=unconfined_u:unconfined_r:vmtools_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:vmtools_t:s0-s0:c0.c1023 tclass=process
/var/log/audit/audit.log.1:type=AVC msg=audit(1392801389.929:366): avc: denied { transition } for pid=1355 comm="vmware-user-sui" path="/usr/bin/vmtoolsd" dev="sda2" ino=34738378 scontext=unconfined_u:unconfined_r:vmtools_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:vmtools_t:s0-s0:c0.c1023 tclass=process
/var/log/audit/audit.log.1:type=AVC msg=audit(1393149309.648:366): avc: denied { transition } for pid=1412 comm="vmware-user-sui" path="/usr/bin/vmtoolsd" dev="sda2" ino=34738378 scontext=unconfined_u:unconfined_r:vmtools_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:vmtools_t:s0-s0:c0.c1023 tclass=process
/var/log/audit/audit.log.1:type=AVC msg=audit(1393149421.738:410): avc: denied { transition } for pid=2338 comm="vmware-user-sui" path="/usr/bin/vmtoolsd" dev="sda2" ino=34738378 scontext=unconfined_u:unconfined_r:vmtools_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:vmtools_t:s0-s0:c0.c1023 tclass=process
```

I guess someone should also do tests on ESXi as it can request different features (time sync, IP addresses etc). A word of warning: don't use VMware's suspend menu option in SELinux enforcing mode until these issues are fixed - it will cause your network connection to become broken.

commit a2f8b4549ef3e89013c5713acae49d5b89959e32
Author: Miroslav Grepl <mgrepl>
Date: Mon Feb 24 12:22:06 2014 +0100

Allow vmtools_helper_t to change role to system_r

Package selinux-policy-3.12.1-127.fc20:

* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.

Update it with:
`# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-127.fc20'`
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-2801/selinux-policy-3.12.1-127.fc20
then log in and leave karma (feedback).

selinux-policy-3.12.1-127.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
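The reporter triaged this bug by aggregating AVC records with `grep | sort | uniq -f 13 -c`; the script below is an added example (not from the bug report or the selinux-policy project) that parses both `type=AVC` and `type=USER_AVC` records, groups denials by source type, target type, class and permissions in the style of audit2allow, renders a simplified allow rule per group, and flags a process transition that crosses roles, which is what the final commit addressed. The sample records are copied from the ones quoted above; the rule text is a simplified rendering and is not audit2allow output.

```python
import re
from collections import Counter

# Constructed sample: five records copied from those quoted in this bug (AVC and USER_AVC).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1390554727.467:31): avc: denied { write } for pid=380 comm="vmtoolsd" name="/" dev="tmpfs" ino=11892 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1390554727.467:33): avc: denied { write } for pid=380 comm="vmtoolsd" name="/" dev="tmpfs" ino=11892 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1390554727.449:23): avc: denied { sys_time } for pid=380 comm="vmtoolsd" capability=25 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:system_r:vmtools_t:s0 tclass=capability
type=USER_AVC msg=audit(1391678717.526:381): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=-1 uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1393149761.497:365): avc: denied { transition } for pid=1376 comm="vmware-user-sui" path="/usr/bin/vmtoolsd" dev="sda2" ino=34738378 scontext=unconfined_u:unconfined_r:vmtools_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:vmtools_t:s0-s0:c0.c1023 tclass=process
"""

# "avc: denied { perms } for key=value ..." appears in both AVC and USER_AVC records.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def ctx_part(ctx, index):
    """Pick a field of a user:role:type:level context (1 = role, 2 = type)."""
    return ctx.split(":")[index]

def parse_avc(line):
    """Return perms and contexts of one denial, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip("\"'") for k, v in KV_RE.findall(m.group("rest"))}
    if any(k not in f for k in ("scontext", "tcontext", "tclass")):
        return None
    return {"perms": tuple(m.group("perms").split()), "scontext": f["scontext"],
            "tcontext": f["tcontext"], "tclass": f["tclass"]}

def summarize(audit_text):
    """Count denials by (source type, target type, class, perms); unlike
    `uniq -f 13`, differing pid, inode or timestamp do not split a group."""
    counts = Counter()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            counts[(ctx_part(rec["scontext"], 2), ctx_part(rec["tcontext"], 2),
                    rec["tclass"], rec["perms"])] += 1
    return counts

def allow_rule(key):
    """Render one summary key as a simplified audit2allow-style allow rule."""
    src, tgt, tclass, perms = key
    return f"allow {src} {'self' if tgt == src else tgt}:{tclass} {{ {' '.join(perms)} }};"

def needs_role_change(rec):
    """A process transition between roles (unconfined_r -> system_r here) is not
    satisfied by a type transition alone; the role change must be allowed too."""
    if rec["tclass"] != "process" or "transition" not in rec["perms"]:
        return False
    return ctx_part(rec["scontext"], 1) != ctx_part(rec["tcontext"], 1)

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_AUDIT).most_common():
        print(f"{n:4d}  {allow_rule(key)}")
    for rec in filter(None, map(parse_avc, SAMPLE_AUDIT.splitlines())):
        if needs_role_change(rec):
            print("role change needed:", rec["scontext"], "->", rec["tcontext"])
```

Run it against `/var/log/audit/audit.log` by feeding the file contents to `summarize()`; the grouped counts show which denials are repeated (the 253 tmp_t writes above) and which are one-off steps of a single operation such as the shutdown sequence.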