Bug 630827 - Guest OS customization cannot work with the current SELinux policy setting
Summary: Guest OS customization cannot work with the current SELinux policy setting
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.0
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On: 629274
Blocks: 637081
Reported: 2010-09-07 06:09 UTC by Dyno Fu
Modified: 2012-12-13 10:35 UTC (History)

Fixed In Version: selinux-policy-3.7.19-55.el6
Doc Type: Bug Fix
Doc Text:
Due to incorrect SELinux policy, attempting to use the guest operating system customization in vCenter failed. With this update, the relevant policy code has been added, and SELinux no longer prevents users from customizing guest operating systems.
Clone Of:
: 632080 (view as bug list)
Environment:
Last Closed: 2011-05-19 11:54:49 UTC
Target Upstream Version:
Embargoed:


Attachments
policy file to make the customization work (2.92 KB, application/octet-stream), 2010-09-07 06:09 UTC, Dyno Fu
logs to create vmwarecust.te (37.37 KB, application/x-gzip), 2010-09-08 12:48 UTC, Dyno Fu


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:0526 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2011-05-19 09:37:41 UTC

Description Dyno Fu 2010-09-07 06:09:46 UTC
Created attachment 443406 [details]
policy file to make the customization work

Description of problem:
When a user clones a RHEL6 VM, the newly created VM needs to differ from the source VM in some respects, e.g. the MAC, hostname, etc. Customization is the mechanism to automate this process. For the customization to work, the VM needs to have vmware-tools installed; the tools get the customization config scripts from outside of the VM, put them into a temp directory, and execute the configure scripts to do the real configuration, i.e. change the hostname, network configuration, timezone, etc.

Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1. create a RHEL6 VM with SELinux enabled in vCenter.
2. clone and select the customization.
3. the customization will fail.
  
Actual results:


Expected results:


Additional info:
Installing the module built from the attached vmwarecust.te can make the customization succeed (also with setsebool -P domain_kernel_load_modules on), but I do not know if it is too loose.

Comment 2 Daniel Walsh 2010-09-07 16:05:02 UTC
Miroslav, add

/etc/vmware-tools(/.*)?			gen_context(system_u:object_r:bin_t,s0)

to corecommands.fc

Add

optional_policy(`
	shutdown_domtrans(vmware_host_t)
')

Dyno, I would prefer to see the audit.log that you used to create this policy.

Comment 3 Dyno Fu 2010-09-08 12:48:12 UTC
Created attachment 445974 [details]
logs to create vmwarecust.te

Log attached. The postfix is the timestamp; the only exception is 1138, which should be between 1919 and 1953 because of the time setting error.
vmwarecust.te is created incrementally by merging the new rules created from audit2allow -i audit.log.<timestamp>


toolsDeployPkg.log.* (/var/log/vmware-imc/toolsDeployPkg.log) is the customization log, which usually has the error message about what the customization failed to do, e.g.

INFO: Customizing Date&Time ...
DEBUG: opening file /tmp/.vmware/linux/deploy/scripts/tzdata/backward.
DEBUG: Command: ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
DEBUG: Result:
DEBUG: opening file for writing (/etc/sysconfig/clock).
ERROR: Fatal error occoured during customization !! Customization halted.
ERROR: Error : Permission denied:Error writing data to  file (/etc/sysconfig/clock). Permission denied at /tmp/.vmware/linux/deploy/scripts/Utils.pm line 299.
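
The audit2allow workflow described in this comment, and the reporter's worry that the resulting module may be too loose, can be checked with a small review script. This is an added example, not part of the original bug report or its attachments: the AVC records are constructed, the target type etc_t is assumed, and the "broad type" and "risky capability" lists are assumed review heuristics.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the bug's attachments); types are assumed.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1283949000.101:41): avc:  denied  { write } for  pid=2101 comm="perl" name="clock" dev=dm-0 ino=131 scontext=system_u:system_r:vmware_host_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1283949000.102:42): avc:  denied  { open } for  pid=2101 comm="perl" name="clock" dev=dm-0 ino=131 scontext=system_u:system_r:vmware_host_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1283949003.220:57): avc:  denied  { sys_module } for  pid=2140 comm="modprobe" capability=16 scontext=system_u:system_r:vmware_host_t:s0 tcontext=system_u:system_r:vmware_host_t:s0 tclass=capability
type=SYSCALL msg=audit(1283949003.220:57): arch=c000003e syscall=175 success=no exit=-1
type=AVC msg=audit(1283949004.000:60): avc:  granted  { read } for  pid=2150 comm="sh" scontext=system_u:system_r:vmware_host_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=[^:]+:[^:]+:(?P<src>[^:\s]+)\S*\s+"
    r"tcontext=[^:]+:[^:]+:(?P<tgt>[^:\s]+)\S*\s+"
    r"tclass=(?P<cls>\w+)")

# Assumed heuristics: rules on these deserve narrowing before they are merged.
BROAD_TYPES = {"etc_t", "usr_t", "tmp_t", "var_t"}
RISKY_CAPS = {"sys_module", "sys_admin", "dac_override"}
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "setattr"}

def collect_rules(log_text):
    """Merge denied AVC records into {(src, tgt, class): set(perms)}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rules[(m["src"], m["tgt"], m["cls"])].update(m["perms"].split())
    return dict(rules)

def review(rules):
    """Return (allow_rule_text, warning_or_None) pairs in sorted order."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = "self" if src == tgt else tgt
        rule = f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};"
        warn = None
        if cls.startswith("capability") and perms & RISKY_CAPS:
            warn = "powerful capability"
        elif tgt in BROAD_TYPES and perms & WRITE_PERMS:
            warn = "write access to a broadly shared type"
        out.append((rule, warn))
    return out

if __name__ == "__main__":
    for rule, warn in review(collect_rules(SAMPLE_AUDIT_LOG)):
        print(rule, f"  # REVIEW: {warn}" if warn else "")
```

A flagged rule is a prompt to look for a narrower fix, such as a dedicated file type or an existing policy interface, before the rule is added to the module.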

Comment 8 Miroslav Grepl 2010-09-16 15:56:40 UTC
Fixed in selinux-policy-3.7.19-55.el6.noarch.

Comment 9 Chris Ward 2010-09-16 22:02:40 UTC
@vmware, if we pass you some updated bits, could you test to verify this issue is resolved?

Comment 11 Dyno Fu 2010-09-17 00:46:58 UTC
(In reply to comment #9)
> @vmware, if we pass you some updated bits, could you test to verify this issue
> is resolved?

Sure, how can I get the rpm?

Comment 12 Chris Ward 2010-09-17 15:35:24 UTC
Try http://people.redhat.com/SELinux/RHEL6/noarch

Comment 13 Chris Ward 2010-09-17 15:37:10 UTC
Or rather, http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/

Comment 14 Dyno Fu 2010-09-19 02:04:52 UTC
(In reply to comment #13)
> Or rather, http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/

I've installed selinux-policy-3.7.19-55.el6.noarch.rpm, selinux-policy-minimum-3.7.19-55.el6.noarch.rpm, selinux-policy-targeted-3.7.19-55.el6.noarch.rpm, and I can confirm the customization finished successfully with SELinux enabled.

Comment 17 Jaromir Hradilek 2010-10-14 12:12:50 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Due to incorrect SELinux policy, attempting to use the guest operating system customization in vCenter failed. With this update, the relevant policy code has been added, and SELinux no longer prevents users from customizing guest operating systems.

Comment 19 errata-xmlrpc 2011-05-19 11:54:49 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html

