Bug 846340

Summary: VMware virtual ethernet service fails to start on RHEL 6.3
Product: Red Hat Enterprise Linux 6 Reporter: Marko Myllynen <myllynen>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Michal Trunecka <mtruneck>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.3CC: dwalsh, ebenes, mmalik, mtruneck
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-168.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-02-21 08:27:40 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
selinux-vmware-audit.txt
none
selinux-vmware-audit.txt
none
Generated policy file
none
restorecon output
none
vmware-avc.txt
none
vmware-fix.te none

Description Marko Myllynen 2012-08-07 13:45:41 UTC 
Description of problem:
After upgrading from RHEL 6.2 to 6.3 + latest errata, rebooting, and running restorecon -R /, up-to-date VMware workstation's Virtual ethernet service fails to start when SELinux is in Enforcing mode causing guests to lose networking.

I'll attach AVCs from audit.log. In the attachment:

The first set of messages was generated when starting the VMware services while SELinux was Enforcing. No messages was generated when stopping the services while Enforcing.

The second set of messages was generated when starting the VMware services while SELinux was Permissive. The third set of messages was generated when stopping the services while Permissive.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-155.el6_3.noarch
Comment 1 Marko Myllynen 2012-08-07 13:46:32 UTC 
Created attachment 602758 [details]
selinux-vmware-audit.txt
Comment 3 Miroslav Grepl 2012-08-07 14:25:35 UTC 
So it works in permissive mode? 

Did you try to create a local policy module?
Comment 4 Marko Myllynen 2012-08-07 14:27:06 UTC 
(In reply to comment #3)
> So it works in permissive mode? 

Yes.

> Did you try to create a local policy module?

No. I'd be happy to test any modules you might suggest.

Thanks.
Comment 5 Miroslav Grepl 2012-09-05 07:28:35 UTC 
Ok, just execute

# cat selinux-vmware-audit.txt |audit2allow -M mypol
# semodule -i mypol.pp
Comment 6 Marko Myllynen 2012-09-05 11:39:38 UTC 
Ok, I will attach parts of audit.log showing the AVC generated during starting/stopping VMware services and the audit2allow generated .te file. However, even with the policy loaded restorecon changes contexts for several VMware related files on consecutive runs without touch the services so those should be investigated as well, I'll attach also restorecon output.

Thanks.
Comment 7 Marko Myllynen 2012-09-05 11:40:26 UTC 
Created attachment 609992 [details]
selinux-vmware-audit.txt
Comment 8 Marko Myllynen 2012-09-05 11:40:52 UTC 
Created attachment 609993 [details]
Generated policy file
Comment 9 Marko Myllynen 2012-09-05 11:41:14 UTC 
Created attachment 609994 [details]
restorecon output
Comment 10 Miroslav Grepl 2012-10-09 20:34:14 UTC 
Added.
Comment 12 Marko Myllynen 2012-10-11 08:58:07 UTC 
When trying to update from -155 to -168:

localhost:/tmp/selinux# rpm -Fvh selinux-policy-3.7.19-168.el6.noarch.rpm selinux-policy-targeted-3.7.19-168.el6.noarch.rpm
Preparing...                ########################################### [100%]
   1:selinux-policy         ########################################### [ 50%]
   2:selinux-policy-targeted########################################### [100%]
libsepol.scope_copy_callback: passenger: Duplicate declaration in module: type/attribute passenger_tmp_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!
localhost:/tmp/selinux# semodule -r vmware
localhost:/tmp/selinux# semodule -i
/usr/share/selinux/targeted/vmware.pp.bz2
libsepol.print_missing_requirements: vmware's global requirements were
not met: type/attribute initrc_domain (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or
directory).
semodule:  Failed!
localhost:/tmp/selinux# semodule -l | grep vmware
localhost:/tmp/selinux# 

And after rebooting "semodule -l | grep vmware" returns nothing.

Thanks.
Comment 13 Miroslav Grepl 2012-10-11 11:27:16 UTC 
Yes, it has been fixed in the -169.el6 build.
Comment 14 Marko Myllynen 2012-10-12 09:04:46 UTC 
(In reply to comment #13)
> Yes, it has been fixed in the -169.el6 build.

Now it works ok without AVCs when starting the services and installing/running guests, only one AVC when shutting down the services, I'll attach the audit2allow generated .te file - with that loaded zero AVCs with VMware Workstation 8.0.4.

Thanks.
Comment 15 Marko Myllynen 2012-10-12 09:05:16 UTC 
Created attachment 625857 [details]
vmware-avc.txt
Comment 16 Marko Myllynen 2012-10-12 09:05:49 UTC 
Created attachment 625858 [details]
vmware-fix.te
Comment 24 errata-xmlrpc 2013-02-21 08:27:40 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html