Bug 789543 - SELinux is preventing tpvmgp (cupsd_t) "execute_no_trans" to /usr/lib/vmware-tools/bin64/appLoader (lib_t)
Summary: SELinux is preventing tpvmgp (cupsd_t) "execute_no_trans" to /usr/lib/vmware-...
Keywords:
Status: CLOSED CANTFIX
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: cups
Version: 5.9
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: rc
: ---
Assignee: Tim Waugh
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-02-11 07:03 UTC by olivier.minchin
Modified: 2012-02-13 13:47 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-02-13 13:47:16 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description olivier.minchin 2012-02-11 07:03:12 UTC 
Summary:

SELinux is preventing tpvmgp (cupsd_t) "execute_no_trans" to
/usr/lib/vmware-tools/bin64/appLoader (lib_t).

Detailed Description:

SELinux denied access requested by tpvmgp. It is not expected that this access
is required by tpvmgp and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /usr/lib/vmware-tools/bin64/appLoader,

restorecon -v '/usr/lib/vmware-tools/bin64/appLoader'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:cupsd_t:SystemLow-SystemHigh
Target Context                root:object_r:lib_t
Target Objects                /usr/lib/vmware-tools/bin64/appLoader [ file ]
Source                        tpvmlp
Source Path                   /usr/lib/cups/backend/tpvmlp
Port                          <Unknown>
Host                          lnx-minchin
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-316.el5_7.1
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     lnx-minchin
Platform                      Linux lnx-minchin 2.6.18-274.18.1.el5 #1 SMP Fri
                              Jan 20 15:11:18 EST 2012 x86_64 x86_64
Alert Count                   218
First Seen                    Sat Feb 11 07:31:10 2012
Last Seen                     Sat Feb 11 08:01:06 2012
Local ID                      dffaa626-a92b-42ec-a824-b52c49388916
Line Numbers                  

Raw Audit Messages            

host=lnx-minchin type=AVC msg=audit(1328943666.63:242): avc:  denied  { execute_no_trans } for  pid=8887 comm="tpvmgp" path="/usr/lib/vmware-tools/bin64/appLoader" dev=dm-0 ino=1377657 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=root:object_r:lib_t:s0 tclass=file

host=lnx-minchin type=SYSCALL msg=audit(1328943666.63:242): arch=c000003e syscall=59 success=no exit=-13 a0=1c300030 a1=1c300680 a2=7fffa8a52288 a3=7fffa8a51050 items=0 ppid=8876 pid=8887 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="tpvmgp" exe="/usr/lib/cups/backend/tpvmgp" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
Comment 1 Tim Waugh 2012-02-13 13:47:16 UTC 
This looks like a VMware bug (see e.g. bug #488591, bug #585711, etc).
Note You need to log in before you can comment on or make changes to this bug.