Bug 1872245

Summary: [VMware][RHEL 8] vmtools is not able to install rpms
Product: Red Hat Enterprise Linux 8
Reporter: Renaud Métrich <rmetrich>
Component: selinux-policy
Assignee: Patrik Koncity <pkoncity>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 8.2
CC: aivaraslaimikis, boyang, bwelterl, casperschjoelin, cavery, jnordell, ldu, lvrabec, mmalik, pkoncity, plautrba, rdulhani, ssekidde, yacao, zpytela
Target Milestone: rc
Keywords: Triaged
Target Release: 8.6
Flags: pm-rhel: mirror+
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.14.3-81.el8
Doc Type: No Doc Update
Last Closed: 2022-05-10 15:14:56 UTC
Type: Bug

Description Renaud Métrich 2020-08-25 09:26:44 UTC
Description of problem:

This is kind of a continuation of BZ #1667016.
When installing packages using the "vmrun" facility from outside the VMware guest, the shell is executing as "vmtools_unconfined_t".
So is the "yum" command. However, when the package has scriptlets, an AVC pops up while trying to transition to "rpm_script_t":

AVC:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
type=PATH msg=audit(1598344653.707:41): item=0 name="/bin/sh" [...] obj=system_u:object_r:shell_exec_t:s0 [...]
type=CWD msg=audit(1598344653.707:41): cwd="/"
type=SYSCALL msg=audit(1598344653.707:41): arch=c000003e syscall=59 success=no exit=-13 [...] comm="yum" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:vmtools_unconfined_t:s0 key=(null)
type=AVC msg=audit(1598344653.707:41): avc:  denied  { transition } for  pid=3280 comm="yum" path="/usr/bin/bash" dev="dm-0" ino=33596182 scontext=system_u:system_r:vmtools_unconfined_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process permissive=0

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Logs (reinstalling cronie, see reproducer below):
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
[...]: Running transaction
[...]:   Preparing        :                                                        1/1
[...]:   Reinstalling     : cronie-1.5.2-4.el8.x86_64                              1/2
[...]:   Running scriptlet: cronie-1.5.2-4.el8.x86_64                              1/2
[...]: error: failed to exec scriptlet interpreter /bin/sh: Permission denied
[...]: warning: %post(cronie-1.5.2-4.el8.x86_64) scriptlet failed, exit status 127
[...]: Error in POSTIN scriptlet in rpm package cronie
[...]: error: failed to exec scriptlet interpreter /bin/sh: Permission denied
[...]: warning: %triggerin(cronie-1.5.2-4.el8.x86_64) scriptlet failed, exit status 127
[...]: Error in <unknown> scriptlet in rpm package cronie
[...]:   Running scriptlet: cronie-1.5.2-4.el8.x86_64                              2/2
[...]
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------


Version-Release number of selected component (if applicable):

selinux-policy-3.14.3-41.el8_2.5.noarch

How reproducible:

ALWAYS


Steps to Reproduce:

1. Create 2 scripts to run in the expected contexts (vmtools_t -> vmtools_unconfined_t)

/usr/local/bin/vmtools:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
#!/bin/bash

echo "$(basename $0): $(id -Z)"
exec /usr/local/bin/vmtools_unconfined
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

/usr/local/bin/vmtools_unconfined:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
#!/bin/bash

echo "$(basename $0): $(id -Z)"
exec yum -y reinstall cronie
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

2. Make the scripts executable and tag them with the right context

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# chmod +x /usr/local/bin/vmtools /usr/local/bin/vmtools_unconfined
# chcon -t vmtools_exec_t /usr/local/bin/vmtools 
# chcon -t vmtools_unconfined_exec_t /usr/local/bin/vmtools_unconfined
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

3. Execute /usr/local/bin/vmtools as a service to run in expected context

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# systemd-run --unit vmtools /usr/local/bin/vmtools
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

4. Check the AVCs and logs

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# ausearch -m avc -ts recent | grep -m 2 denied
# journalctl -u vmtools.service | grep -m 2 -i error
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
 

Actual results:

type=AVC msg=audit(1598347085.284:77): avc:  denied  { transition } for  pid=5557 comm="yum" path="/usr/bin/bash" dev="dm-0" ino=33596182 scontext=system_u:system_r:vmtools_unconfined_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process permissive=0
type=AVC msg=audit(1598347085.294:78): avc:  denied  { transition } for  pid=5558 comm="yum" path="/usr/bin/bash" dev="dm-0" ino=33596182 scontext=system_u:system_r:vmtools_unconfined_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process permissive=0

Aug 25 11:23:15 vm-rhel8 vmtools[6212]: error: failed to exec scriptlet interpreter /bin/sh: Permission denied
Aug 25 11:23:15 vm-rhel8 vmtools[6212]: Error in POSTIN scriptlet in rpm package cronie


Expected results:

No AVC, no error


Additional info:

Reading the vmtools.te sources, I can see some errors there:

1. This block is likely useless since vmtools_t doesn't execute rpm scripts itself

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
optional_policy(`
    rpm_transition_script(vmtools_t,system_r)
')
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

2. The block above should be added for "vmtools_unconfined_t" instead (this fixes the issue)

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
optional_policy(`
    rpm_transition_script(vmtools_unconfined_t,system_r)
')
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

3. There are cosmetic issues in the file: tabs should be used instead of spaces

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
optional_policy(`
[...]
    corecmd_exec_shell(vmtools_unconfined_t)
    corecmd_shell_entry_type(vmtools_unconfined_t)
    corecmd_shell_domtrans(vmtools_t, vmtools_unconfined_t)
[...]
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
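An added example, not part of the report or the selinux-policy project: a small shell helper that pulls the denied process transitions out of raw AVC records like the ones above, so a reproducer run can be checked without reading the audit log by hand, and maps the rpm_script_t case onto the interface the report names as the fix. The sample audit lines are constructed from the report's output; the `sesearch` live check assumes setools is installed.

```shell
#!/bin/sh
# Constructed sample: the two transition denials from the report plus one
# unrelated file denial, to show that only process transitions are reported.
SAMPLE_AVC='type=AVC msg=audit(1598347085.284:77): avc:  denied  { transition } for  pid=5557 comm="yum" path="/usr/bin/bash" dev="dm-0" ino=33596182 scontext=system_u:system_r:vmtools_unconfined_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process permissive=0
type=AVC msg=audit(1598347085.294:78): avc:  denied  { transition } for  pid=5558 comm="yum" path="/usr/bin/bash" dev="dm-0" ino=33596182 scontext=system_u:system_r:vmtools_unconfined_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process permissive=0
type=AVC msg=audit(1598347085.300:79): avc:  denied  { read } for  pid=5559 comm="yum" name="cron.conf" scontext=system_u:system_r:vmtools_unconfined_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0'

# Read AVC records on stdin; print one "source_type target_type" line per
# distinct denied process transition (the third field of each context).
transition_denials() {
    awk '
        /type=AVC/ && /denied +[{] transition [}]/ && /tclass=process/ {
            s = ""; t = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
                if ($i ~ /^tcontext=/) { split($i, b, ":"); t = b[3] }
            }
            if (s != "" && t != "" && !seen[s SUBSEP t]++) print s, t
        }'
}

# Turn each pair into the policy change a local module would carry. Only the
# rpm_script_t case is known from this report (rpm_transition_script); any
# other target is flagged for manual review rather than auto-allowed.
suggest_rule() {
    while read -r src dst; do
        if [ "$dst" = rpm_script_t ]; then
            printf 'rpm_transition_script(%s, system_r)\n' "$src"
        else
            printf '# review: transition %s -> %s denied\n' "$src" "$dst"
        fi
    done
}

# Live check against the loaded policy (assumes setools' sesearch is present):
# succeeds if an allow rule grants process:transition from $1 to $2.
policy_allows_transition() {
    sesearch -A -s "$1" -t "$2" -c process -p transition 2>/dev/null | grep -q allow
}

# Typical use on a real host after reproducing the bug:
#   ausearch -m avc -ts recent | transition_denials | suggest_rule
#   policy_allows_transition vmtools_unconfined_t rpm_script_t && echo fixed
```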

Comment 6 Patrik Koncity 2021-08-02 09:14:27 UTC
PR: https://github.com/fedora-selinux/selinux-policy/pull/821

Comment 7 Zdenek Pytela 2021-08-27 07:45:33 UTC
Commit to backport:
commit 2014a2e2ae78532f375f361ef68eb13214cb682b (HEAD -> rawhide, upstream/rawhide)
Author: Patrik Koncity <pkoncity>
Date:   Wed Jul 28 13:54:03 2021 +0200

    Allow vmtools_unconfined_t domain transition to rpm_script_t

Comment 16 errata-xmlrpc 2022-05-10 15:14:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1995