Bug 630827
| Summary: | Guest OS customization cannot work with the current SELinux policy setting | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Dyno Fu <hfu> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | | |
| Version: | 6.0 | CC: | cward, ddumas, ebenes, jwest, mmalik, snagar, syeghiay |
| Target Milestone: | rc | Keywords: | ZStream |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.7.19-55.el6 | Doc Type: | Bug Fix |
| Doc Text: | Due to incorrect SELinux policy, attempting to use the guest operating system customization in vCenter failed. With this update, the relevant policy code has been added, and SELinux no longer prevents users from customizing guest operating systems. | | |
| Story Points: | --- | | |
| Clone Of: | | | |
| : | 632080 | Environment: | |
| Last Closed: | 2011-05-19 11:54:49 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 629274 | | |
| Bug Blocks: | 637081 | | |
| Attachments: | | | |
Miroslav, add

    /etc/vmware-tools(/.*)?    gen_context(system_u:object_r:bin_t,s0)

to corecommands.fc.

Add

    optional_policy(`
        shutdown_domtrans(vmware_host_t)
    ')

Dyno, I would prefer to see the audit.log that you used to create this policy.

Created attachment 445974
logs to create vmwarecust.te

Log attached. The postfix is a timestamp; the only exception is 1138, which should be between 1919 and 1953 because of the time setting error.
vmwarecust.te is created by incrementally merging the new rules created from audit2allow -i audit.log.<timestamp>
toolsDeployPkg.log.* (/var/log/vmware-imc/toolsDeployPkg.log) is the customization log, which usually has the error message about what the customization failed to do, e.g.
INFO: Customizing Date&Time ...
DEBUG: opening file /tmp/.vmware/linux/deploy/scripts/tzdata/backward.
DEBUG: Command: ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
DEBUG: Result:
DEBUG: opening file for writing (/etc/sysconfig/clock).
ERROR: Fatal error occoured during customization !! Customization halted.
ERROR: Error : Permission denied:Error writing data to file (/etc/sysconfig/clock). Permission denied at /tmp/.vmware/linux/deploy/scripts/Utils.pm line 299.

Fixed in selinux-policy-3.7.19-55.el6.noarch.

@vmware, if we pass you some updated bits, could you test to verify this issue is resolved?

(In reply to comment #9)
> @vmware, if we pass you some updated bits, could you test to verify this issue
> is resolved?

Sure, how can I get the rpm?

(In reply to comment #13)
> Or rather, http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/

I've installed selinux-policy-3.7.19-55.el6.noarch.rpm, selinux-policy-minimum-3.7.19-55.el6.noarch.rpm and selinux-policy-targeted-3.7.19-55.el6.noarch.rpm, and I can confirm the customization finished successfully with SELinux enabled.

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Due to incorrect SELinux policy, attempting to use the guest operating system customization in vCenter failed. With this update, the relevant policy code has been added, and SELinux no longer prevents users from customizing guest operating systems.

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html

Created attachment 443406
policy file to make the customization work

Description of problem:
When a user clones a RHEL6 VM, the newly created VM needs to have some differences from the source VM, e.g. the MAC, hostname, etc. Customization is the mechanism to automate this process. For the customization to work, the VM needs to have vmware-tools installed, and the tools will get the customization config scripts from outside of the VM, put them into a temp directory, and execute the configure scripts to do the real configuration, i.e. change the hostname, network configuration, timezone, etc.

Version-Release number of selected component (if applicable):

How reproducible:
100%

Steps to Reproduce:
1. Create a RHEL6 VM with SELinux enabled in vCenter.
2. Clone and select the customization.
3. The customization will fail.

Actual results:

Expected results:

Additional info:
Installing the module built from the attached vmwarecust.te can make the customization succeed (also with setsebool -P domain_kernel_load_modules on), but I do not know if it is too loose.
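
The comments describe building vmwarecust.te by merging audit2allow output from several audit.log files, and the reporter asks whether the result is too loose. As an added example (not code from this bug or its attachments), the sketch below merges AVC denials from several log chunks into deduplicated allow rules and lists those that grant modifying access to widely shared types. The log lines are constructed, and the `GENERIC_TYPES` and `MODIFYING` review sets are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Matches the permission set and the contexts of an "avc: denied" audit record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
)
# Assumed review heuristics, not part of any shipped policy tooling.
GENERIC_TYPES = {"etc_t", "tmp_t", "usr_t", "var_t"}
MODIFYING = {"write", "append", "create", "unlink", "rename", "setattr"}

def ctx_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def merge_denials(chunks):
    """Merge denials from several logs into {(source, target, class): perms}."""
    rules = defaultdict(set)
    for chunk in chunks:
        for line in chunk.splitlines():
            m = AVC_RE.search(line)
            if m:  # non-AVC records (SYSCALL, PATH, ...) are skipped
                key = (ctx_type(m["s"]), ctx_type(m["t"]), m["cls"])
                rules[key].update(m["perms"].split())
    return rules

def render(rules):
    """Render merged rules as .te allow statements, sorted for stable diffs."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {body};")
    return out

def needs_review(rules):
    """Rules that let a domain modify objects of a widely shared type."""
    return sorted(k for k, perms in rules.items()
                  if k[1] in GENERIC_TYPES and perms & MODIFYING)

# Constructed sample records; contexts are illustrative only.
CTX = "scontext=system_u:system_r:vmware_host_t:s0 tcontext=system_u:object_r:{}:s0"
LOG_A = ('type=AVC msg=audit(1283826000.101:45): avc:  denied  { write } for  '
         'pid=2101 comm="perl" name="clock" dev=dm-0 ino=1311 '
         + CTX.format("etc_t") + " tclass=file\n"
         "type=SYSCALL msg=audit(1283826000.101:45): arch=c000003e syscall=2\n")
LOG_B = ('type=AVC msg=audit(1283826300.202:51): avc:  denied  { getattr write } for  '
         'pid=2190 comm="perl" name="clock" dev=dm-0 ino=1311 '
         + CTX.format("etc_t") + " tclass=file\n"
         'type=AVC msg=audit(1283826300.303:52): avc:  denied  { read } for  '
         'pid=2190 comm="perl" name="Utils.pm" dev=dm-0 ino=1402 '
         + CTX.format("tmp_t") + " tclass=file\n")

if __name__ == "__main__":
    merged = merge_denials([LOG_A, LOG_B])
    print("\n".join(render(merged)))
    print("review:", needs_review(merged))
```

Each flagged rule is a candidate for a narrower type or a file-context change instead of a blanket allow, which is the approach the maintainers' comments take with the `/etc/vmware-tools(/.*)?` entry.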