Bug 581118

Summary:	SELinux is preventing /usr/bin/vmnet-natd "execute_no_trans" access on /usr/bin/vmnet-natd.
Product:	[Fedora] Fedora	Reporter:	Mijax <mijax.mijax>
Component:	selinux-policy	Assignee:	Miroslav Grepl <mgrepl>
Status:	CLOSED ERRATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	medium	Docs Contact:
Priority:	low
Version:	12	CC:	bony, dwalsh, mgrepl, pronetin, RMuscaritolo
Target Milestone:	---
Target Release:	---
Hardware:	i386
OS:	Linux
Whiteboard:	setroubleshoot_trace_hash:69ee5195ac52c9d8f270f46196e202b07a8454bb4a420bfbb20184c2bddbd1e1
Fixed In Version:	selinux-policy-3.6.32-113.fc12	Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2010-05-03 16:08:41 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Mijax 2010-04-10 09:55:07 UTC

Summary:

SELinux is preventing /usr/bin/vmnet-natd "execute_no_trans" access on
/usr/bin/vmnet-natd.

Detailed Description:

SELinux denied access requested by vmnet-natd. It is not expected that this
access is required by vmnet-natd and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:vmware_host_t:s0-s0:c0.c1023
Target Context                system_u:object_r:vmware_host_exec_t:s0
Target Objects                /usr/bin/vmnet-natd [ file ]
Source                        vmnet-natd
Source Path                   /usr/bin/vmnet-natd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-108.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.31.12-174.2.22.fc12.i686.PAE #1 SMP Fri Feb 19
                              19:10:04 UTC 2010 i686 athlon
Alert Count                   5
First Seen                    Fri 09 Apr 2010 05:28:53 PM IRDT
Last Seen                     Sat 10 Apr 2010 02:03:01 PM IRDT
Local ID                      f13ef55c-6f87-4f1a-82c1-fb8bf4a51309
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1270891981.694:12): avc:  denied  { execute_no_trans } for  pid=1437 comm="vmnet-natd" path="/usr/bin/vmnet-natd" dev=sda5 ino=51468 scontext=system_u:system_r:vmware_host_t:s0-s0:c0.c1023 tcontext=system_u:object_r:vmware_host_exec_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1270891981.694:12): arch=40000003 syscall=11 success=no exit=-13 a0=94b9478 a1=94b94e0 a2=bfe8bf8c a3=5 items=0 ppid=1 pid=1437 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmnet-natd" exe="/usr/bin/vmnet-natd" subj=system_u:system_r:vmware_host_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  catchall,vmnet-natd,vmware_host_t,vmware_host_exec_t,file,execute_no_trans
audit2allow suggests:

#============= vmware_host_t ==============
allow vmware_host_t vmware_host_exec_t:file execute_no_trans;

Comment 1 Daniel Walsh 2010-04-11 12:28:30 UTC

Miroslav add

can_exec(vmware_host_t, vmware_host_exec_t)

Comment 2 Miroslav Grepl 2010-04-13 12:16:46 UTC

Fixed in selinux-policy-3.6.32-111.fc12

Comment 3 Mijax 2010-04-17 05:15:40 UTC

I update selinux-policy but not solved and still occur this alert.

Comment 4 Fedora Update System 2010-04-23 12:44:02 UTC

selinux-policy-3.6.32-113.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-113.fc12

Comment 5 Miroslav Grepl 2010-04-26 09:20:47 UTC

Mijax,
probably you also need to update selinux-policy-targeted package.

I have:

# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.6.32-113.fc12.noarch

# sesearch -A -s vmware_host_t -t vmware_host_exec_t -c file -p execute_no_trans
Found 1 semantic av rules:
   allow vmware_host_t vmware_host_exec_t : file { ioctl read getattr lock execute execute_no_trans entrypoint open } ;

Comment 6 Miroslav Grepl 2010-04-26 09:21:41 UTC

*** Bug 585586 has been marked as a duplicate of this bug. ***

Comment 7 Fedora Update System 2010-04-27 02:22:38 UTC

selinux-policy-3.6.32-113.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-113.fc12

Comment 8 Prot 2010-04-27 18:09:45 UTC

I have this problem too.

When I update system with 'yum update', still remind selinux-policy & selinux-policy-targeted '3.6.32-110.fc12.noarch'.

Is there update in repository?

Comment 9 bony 2010-04-27 18:30:43 UTC

after the an update (3.6.32-113) the problem is solved - on my system!

yum --enablerepo=updates-testing update selinux-policy-targeted

thx!

Comment 10 Prot 2010-04-27 18:35:42 UTC

Ok. solved after updating from testing repository.

Comment 11 Fedora Update System 2010-05-03 16:06:41 UTC

selinux-policy-3.6.32-113.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.