Bug 1690766 - SELinux is preventing /usr/bin/vmtoolsd from 'entrypoint' accesses on the file /usr/bin/bash.
Summary: SELinux is preventing /usr/bin/vmtoolsd from 'entrypoint' accesses on the fil...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 29
Hardware: x86_64
OS: Unspecified
low
low
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:46771ef1c7e80d61b2ffe36316a...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-03-20 08:17 UTC by Mathias Nicolajsen Kjærgaard
Modified: 2019-04-08 01:52 UTC (History)
6 users (show)

Fixed In Version: selinux-policy-3.14.2-53.fc29
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-04-08 01:52:55 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Mathias Nicolajsen Kjærgaard 2019-03-20 08:17:01 UTC 
Description of problem:
This problem prevent use of "vmrun.exe runScriptInGuest" from host
SELinux is preventing /usr/bin/vmtoolsd from 'entrypoint' accesses on the file /usr/bin/bash.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that vmtoolsd should be allowed entrypoint access on the bash file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'vmtoolsd' --raw | audit2allow -M my-vmtoolsd
# semodule -X 300 -i my-vmtoolsd.pp

Additional Information:
Source Context                system_u:system_r:vmtools_unconfined_t:s0
Target Context                system_u:object_r:shell_exec_t:s0
Target Objects                /usr/bin/bash [ file ]
Source                        vmtoolsd
Source Path                   /usr/bin/vmtoolsd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           open-vm-tools-10.3.5-2.fc29.x86_64
Target RPM Packages           bash-4.4.23-6.fc29.x86_64
Policy RPM                    selinux-policy-3.14.2-51.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.20.16-200.fc29.x86_64 #1 SMP Thu
                              Mar 14 15:10:22 UTC 2019 x86_64 x86_64
Alert Count                   3
First Seen                    2019-03-20 08:43:48 CET
Last Seen                     2019-03-20 09:04:18 CET
Local ID                      37a9ed07-7d9a-4f90-8dd0-e3dda5401c48

Raw Audit Messages
type=AVC msg=audit(1553069058.200:230): avc:  denied  { entrypoint } for  pid=1741 comm="vmtoolsd" path="/usr/bin/bash" dev="dm-0" ino=1185148 scontext=system_u:system_r:vmtools_unconfined_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1553069058.200:230): arch=x86_64 syscall=execve success=no exit=EACCES a0=7f0a30cf5590 a1=7ffc661d77b0 a2=55f7ad55ffc0 a3=7f0a2e0aca50 items=0 ppid=1740 pid=1741 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=vmtoolsd exe=/usr/bin/vmtoolsd subj=system_u:system_r:vmtools_t:s0 key=(null)

Hash: vmtoolsd,vmtools_unconfined_t,shell_exec_t,file,entrypoint

Version-Release number of selected component:
selinux-policy-3.14.2-51.fc29.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         4.20.16-200.fc29.x86_64
type:           libreport
Comment 1 Thomas Neuber 2019-03-27 17:31:11 UTC 
Description of problem:
System is running in a (VMware) virtual machine with packages open-vm-tools{,-desktop}-10.3.10-1.fc29 installed. 
After upgrading kernel from 4.20.16 to 5.0.3 selinux prevents loading vmtoolsd. 
Plymouth boot utilizes at least one cpu core completely. It results in a extremely poor performance, unusable.

Version-Release number of selected component:
selinux-policy-3.14.2-51.fc29.noarch

Additional info:
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         5.0.3-200.fc29.x86_64
type:           libreport
Comment 2 Zdenek Pytela 2019-03-27 18:23:46 UTC 
The fix already is available, we need to backport this commit to F29:

commit 7a82e5e2d13281957b76477e4976c0e7c19db02a
Author: Lukas Vrabec <lvrabec>
Date:   Tue Mar 26 15:34:24 2019 +0100

    Make shell_exec_t type as entrypoint for vmtools_unconfined_t.

diff --git a/vmtools.te b/vmtools.te
index 47f02c008..c4f3b456b 100644
--- a/vmtools.te
+++ b/vmtools.te
@@ -127,6 +127,7 @@ optional_policy(`
        init_domtrans_script(vmtools_unconfined_t)
 
     corecmd_exec_shell(vmtools_unconfined_t)
+    corecmd_shell_entry_type(vmtools_unconfined_t)
     corecmd_shell_domtrans(vmtools_t, vmtools_unconfined_t)
 
        optional_policy(`
Comment 3 Lukas Vrabec 2019-03-28 08:43:49 UTC 
Already backported: 

commit a6c788c5eed7ae15297e2493f9efdce669cf575c
Author: Lukas Vrabec <lvrabec>
Date:   Tue Mar 26 15:34:24 2019 +0100

    Make shell_exec_t type as entrypoint for vmtools_unconfined_t.
Comment 4 Fedora Update System 2019-04-05 17:27:49 UTC 
selinux-policy-3.14.2-53.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-bf377d92c7
Comment 5 Fedora Update System 2019-04-06 20:51:09 UTC 
selinux-policy-3.14.2-53.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-bf377d92c7
Comment 6 Fedora Update System 2019-04-08 01:52:55 UTC 
selinux-policy-3.14.2-53.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.