Bug 484765 - Bug buddy (xdm_t) cannot access vmware-tools directory?
Status: CLOSED INSUFFICIENT_DATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 10
Hardware: All Linux
Priority: low, Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Ben Levenson
Reported: 2009-02-09 15:13 EST by Derek Atkins
Modified: 2009-12-11 09:44 EST
Last Closed: 2009-12-11 09:44:44 EST
Description Derek Atkins 2009-02-09 15:13:16 EST
Description of problem:


Summary:

SELinux is preventing bug-buddy (xdm_t) "search" to ./vmware-tools
(vmware_sys_conf_t).

Detailed Description:

SELinux denied access requested by bug-buddy. It is not expected that this
access is required by bug-buddy and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./vmware-tools,

restorecon -v './vmware-tools'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:vmware_sys_conf_t:s0
Target Objects                ./vmware-tools [ dir ]
Source                        bug-buddy
Source Path                   /usr/bin/bug-buddy
Port                          <Unknown>
Host                          code.gnucash.org
Source RPM Packages           bug-buddy-2.24.2-1.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-40.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     code.gnucash.org
Platform                      Linux code.gnucash.org 2.6.27.12-170.2.5.fc10.i686
                              #1 SMP Wed Jan 21 02:09:37 EST 2009 i686 athlon
Alert Count                   1
First Seen                    Sun 01 Feb 2009 12:44:29 PM EST
Last Seen                     Sun 01 Feb 2009 12:44:29 PM EST
Local ID                      bf9b3750-7507-4277-8d90-d3d27c43d453
Line Numbers                  

Raw Audit Messages            

node=code.gnucash.org type=AVC msg=audit(1233510269.723:129): avc:  denied  { search } for  pid=1901 comm="bug-buddy" name="vmware-tools" dev=dm-0 ino=84630 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:vmware_sys_conf_t:s0 tclass=dir

node=code.gnucash.org type=SYSCALL msg=audit(1233510269.723:129): arch=40000003 syscall=5 success=no exit=-13 a0=8f88638 a1=8000 a2=0 a3=8000 items=0 ppid=1763 pid=1901 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="bug-buddy" exe="/usr/bin/bug-buddy" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)


Version-Release number of selected component (if applicable):

selinux-policy-3.5.13-40.fc10

How reproducible:

Unclear.  I've only seen one alert, but I don't know what it took to happen.

Steps to Reproduce:
1. <unknown>
2.
3.
  
Actual results:

An SELinux violation.

Expected results:

bug-buddy should be able to read the vmware-tools directory.

Additional info:
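
The AVC and SYSCALL records in the report above carry the same event id (1233510269.723:129), so they describe one kernel event. As an added example (not part of the original report, and not setroubleshoot's own code), this Python code correlates the two records and decodes the syscall side for triage; the lookup tables are assumptions that cover only what this event needs.

```python
import errno
import re

# The two raw audit records quoted in the report above, copied verbatim.
RECORDS = [
    'node=code.gnucash.org type=AVC msg=audit(1233510269.723:129): avc:  denied  { search } for  pid=1901 comm="bug-buddy" name="vmware-tools" dev=dm-0 ino=84630 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:vmware_sys_conf_t:s0 tclass=dir',
    'node=code.gnucash.org type=SYSCALL msg=audit(1233510269.723:129): arch=40000003 syscall=5 success=no exit=-13 a0=8f88638 a1=8000 a2=0 a3=8000 items=0 ppid=1763 pid=1901 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="bug-buddy" exe="/usr/bin/bug-buddy" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)',
]

HEADER_RE = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')
# Assumption: minimal lookup tables covering only what this event needs.
SYSCALLS = {("40000003", "5"): "open"}   # arch 40000003 = AUDIT_ARCH_I386
ACCMODE = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}
UNSET_ID = "4294967295"                  # (uid_t)-1: login uid never set

def parse_record(line):
    """Split one audit record into its event id and key=value fields."""
    head = HEADER_RE.search(line)
    if head is None:
        raise ValueError("not an audit record: %r" % line[:40])
    body = line[head.end():]
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
    rec["type"] = head.group(1)
    rec["event_id"] = head.group(2) + ":" + head.group(3)
    avc = AVC_RE.search(body)
    if avc:
        rec["result"], rec["perms"] = avc.group(1), avc.group(2).split()
    return rec

def correlate(lines):
    """Group records sharing one audit(timestamp:serial) id into events."""
    events = {}
    for rec in map(parse_record, lines):
        events.setdefault(rec["event_id"], {})[rec["type"]] = rec
    return events

def triage(event):
    """Summarise a denial: who, on what, through which syscall."""
    avc, sc = event["AVC"], event.get("SYSCALL", {})
    name = SYSCALLS.get((sc.get("arch"), sc.get("syscall")), "unknown")
    return {
        "source_type": avc["scontext"].split(":")[2],
        "target_type": avc["tcontext"].split(":")[2],
        "denied": (avc["tclass"], avc["perms"]),
        "syscall": name,
        "access_mode": ACCMODE.get(int(sc["a1"], 16) & 3) if name == "open" else None,
        "errno": errno.errorcode.get(-int(sc["exit"])) if "exit" in sc else None,
        "from_login_session": (sc.get("auid") != UNSET_ID) if sc else None,
    }
```

For this event the summary shows a read-only open() by a process in xdm_t that failed with EACCES on a directory search, from a process with no login uid set.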
Comment 1 Derek Atkins 2009-02-09 15:14:50 EST
Sorry, should have said this was a Fedora-10 system in a VMWare-Server-2 Guest VM running VMware-Tools from the server package.
Comment 2 Daniel Walsh 2009-02-10 15:58:23 EST
Ray, 

Any idea what is going on here?
Comment 3 Daniel Walsh 2009-09-04 09:19:56 EDT
Was your vmware-tools directory a mount point?  Might be just bug-buddy checking out the system.  I think it can be safely ignored.
Comment 4 Bug Zapper 2009-11-18 06:03:59 EST
This message is a reminder that Fedora 10 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 10.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '10'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 10's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 10 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
