632080 – Guest OS customization cannot work with the current SELinux policy setting

Bug 632080 - Guest OS customization cannot work with the current SELinux policy setting

Summary: Guest OS customization cannot work with the current SELinux policy setting

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	13
Hardware:	All
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	---
Assignee:	Daniel Walsh
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2010-09-09 05:53 UTC by Dyno Fu
Modified:	2010-10-07 12:24 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:	630827
Environment:
Last Closed:	2010-10-07 12:24:34 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Dyno Fu 2010-09-09 05:53:17 UTC

should also affect fedora 14.
+++ This bug was initially created as a clone of Bug #630827 +++

Created attachment 443406 [details]
policy file to make the customization work

Description of problem:
when user clone a RHEL6 VM, the newly created VM need to have some difference with the source VM. e.g the MAC, hostname, etc. Customization is the mechanism to automate this process. for the customization to work, the VM need to have vmware-tools installed, and the tools will get the customization config scripts from outside of the vm and put it into temp directory. and execute the configure scripts to do the real configuration, i.e. change the hostname, network configuration, timezone, etc.

Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1. create a RHEL6 VM with SELinux enabled in vCenter.
2. clone and select the customization.
3. the customization will fail.
  
Actual results:


Expected results:


Additional info:
install module built from the attached vmwarecust.te can make the customization succeed (also with setsebool -P domain_kernel_load_modules on), but i donnot know if it is too loose.

--- Additional comment from dwalsh on 2010-09-07 12:05:02 EDT ---

Miroslav add

/etc/vmware-tools(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 to corecommands.fc

Add

optional_policy(`
	shutdown_domtrans(vmware_host_t)
')

Dyno, I would prefer to see the audit.log that you used to create this policy.

--- Additional comment from hfu on 2010-09-08 08:48:12 EDT ---

Created attachment 445974 [details]
logs to create vmwarecust.te

log attached. the postfix is timestamp, only exception is 1138 should be between 1919 and 1953 because of the time setting error. 
vmarecust.te is created incrementally merging the new rules created from audit2allow -i audit.log.<timestamp>


toolsDeployPkg.log.* (/var/log/vmare-imc/toolsDeployPkg.log) is the customization log, which usually has the error message about what the customization failed to do. e.g.

INFO: Customizing Date&Time ...
DEBUG: opening file /tmp/.vmware/linux/deploy/scripts/tzdata/backward.
DEBUG: Command: ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
DEBUG: Result:
DEBUG: opening file for writing (/etc/sysconfig/clock).
ERROR: Fatal error occoured during customization !! Customization halted.
ERROR: Error : Permission denied:Error writing data to  file (/etc/sysconfig/clock). Permission denied at /tmp/.vmware/linux/deploy/scripts/Utils.pm line 299.

Comment 1 Miroslav Grepl 2010-10-07 12:24:34 UTC

Should be fixed in the latest F13 policy.

Note You need to log in before you can comment on or make changes to this bug.