Bug 1059139 - vmtoolsd user daemon cannot be executed by staff_u
Summary: vmtoolsd user daemon cannot be executed by staff_u
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-01-29 09:27 UTC by Milos Malik
Modified: 2015-11-02 13:57 UTC (History)

Fixed In Version: selinux-policy-3.12.1-145.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-13 12:00:20 UTC



Description Milos Malik 2014-01-29 09:27:34 UTC
Description of problem:
 * this bug is very similar to bz#1058116, but uses another confined user

Version-Release number of selected component (if applicable):
selinux-policy-mls-3.12.1-121.el7.noarch
selinux-policy-devel-3.12.1-121.el7.noarch
selinux-policy-targeted-3.12.1-121.el7.noarch
selinux-policy-sandbox-3.12.1-121.el7.noarch
selinux-policy-doc-3.12.1-121.el7.noarch
selinux-policy-minimum-3.12.1-121.el7.noarch
selinux-policy-3.12.1-121.el7.noarch

How reproducible:
always

Steps to Reproduce:
1. create a staff_u user (useradd -Z staff_u ...)
2. log in as that user (via ssh or console)
3. run /usr/bin/vmware-user-suid-wrapper manually
$ id -Z ; /usr/bin/vmware-user-suid-wrapper ; sleep 1 ; exit
staff_u:staff_r:staff_t:s0-s0:c0.c1023
vmware-user: could not open /proc/fs/vmblock/dev
vmware-user: could not execute /usr/bin/vmtoolsd: Permission denied
logout

Actual results (enforcing mode, after semodule -DB):
----
time->Wed Jan 29 10:24:31 2014
type=PATH msg=audit(1390987471.071:1694): item=0 name="/usr/bin/vmtoolsd" inode=12833611 dev=fd:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:vmtools_exec_t:s0 objtype=NORMAL
type=CWD msg=audit(1390987471.071:1694):  cwd="/home/user13940"
type=SYSCALL msg=audit(1390987471.071:1694): arch=c000003e syscall=59 success=no exit=-13 a0=7fff648755b0 a1=7fff64875570 a2=7fff648766e8 a3=14 items=1 ppid=1 pid=13623 auid=1006 uid=1006 gid=1006 euid=1006 suid=1006 fsuid=1006 egid=1006 sgid=1006 fsgid=1006 tty=pts2 ses=43 comm="vmware-user-sui" exe="/usr/bin/vmware-user-suid-wrapper" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1390987471.071:1694): avc:  denied  { execute } for  pid=13623 comm="vmware-user-sui" name="vmtoolsd" dev="vda3" ino=12833611 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:vmtools_exec_t:s0 tclass=file
----

Expected results:
 * no AVCs
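
Added example, not part of the bug report: a small Python parser for the AVC record quoted above that pulls out the source/target types and role and, for an execute denial on an `*_exec_t` file, lists the domain-transition rules such a denial actually calls for (the comment 1 suggestion) rather than the blanket `allow` an audit2allow run would print. The target domain `vmtools_t` is an assumption taken from the later diff, not something the AVC line itself states.

```python
import re

# Constructed sample input: the AVC record quoted in this bug report.
AVC_LINE = ('type=AVC msg=audit(1390987471.071:1694): avc:  denied  { execute } for  '
            'pid=13623 comm="vmware-user-sui" name="vmtoolsd" dev="vda3" ino=12833611 '
            'scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 '
            'tcontext=system_u:object_r:vmtools_exec_t:s0 tclass=file')

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the AVC fields, with user/role/type of the source and
    target contexts split out (the MLS/MCS range after the type is ignored)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['result'] = m.group('result')
    rec['perms'] = m.group('perms').split()
    for ctx in ('scontext', 'tcontext'):
        user, role, typ = rec[ctx].split(':')[:3]
        rec[ctx + '_user'], rec[ctx + '_role'], rec[ctx + '_type'] = user, role, typ
    return rec


def suggest_rules(rec, target_domain):
    """For an execute denial on an *_exec_t file, return the rules a domain
    transition into target_domain needs (the core of refpolicy's domtrans_pattern,
    plus the role statement a confined role such as staff_r requires). Any other
    denial gets the literal allow rule, which is what audit2allow prints and is
    usually the wrong fix for an entrypoint file."""
    src, tgt, cls = rec['scontext_type'], rec['tcontext_type'], rec['tclass']
    if cls == 'file' and 'execute' in rec['perms'] and tgt.endswith('_exec_t'):
        return [
            f'allow {src} {tgt}:file {{ getattr open read execute }};',
            f'allow {src} {target_domain}:process transition;',
            f'type_transition {src} {tgt}:process {target_domain};',
            f'allow {target_domain} {tgt}:file entrypoint;',
            f'role {rec["scontext_role"]} types {target_domain};',
        ]
    return [f'allow {src} {tgt}:{cls} {{ {" ".join(rec["perms"])} }};']


if __name__ == '__main__':
    # target domain vmtools_t is an assumption taken from the diff in comment 6
    print('\n'.join(suggest_rules(parse_avc(AVC_LINE), 'vmtools_t')))
```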

Comment 1 Miroslav Grepl 2014-01-29 10:08:45 UTC
Milos,
if you add a transition, how does it look? Could you also test it for user_u?

Comment 3 Miroslav Grepl 2014-02-18 12:58:19 UTC
commit 61bc70fc1f6c167e8ea4366ef7c3564b5d429102
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Tue Feb 18 13:46:08 2014 +0100

    Add vmtools_helper_t for helper scripts. Allow vmtools to shut down a host and run ifconfig.

Comment 6 Miroslav Grepl 2014-02-20 13:58:48 UTC
Nice catch.

diff --git a/vmtools.te b/vmtools.te
index b881c53..c47cb0e 100644
--- a/vmtools.te
+++ b/vmtools.te
@@ -17,7 +17,7 @@ role vmtools_helper_roles types vmtools_t;
 type vmtools_helper_t;
 type vmtools_helper_exec_t;
 application_domain(vmtools_helper_t, vmtools_helper_exec_t)
-role vmtools_helper_roles types vmtools_t;
+role vmtools_helper_roles types vmtools_helper_t;
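Review bot: the corrected role statement is what makes the new helper domain reachable at all: with the old line the vmtools_helper_roles attribute only authorized vmtools_t, so a confined role such as staff_r could never be in a vmtools_helper_t process and the helper domain added in comment 3 would fail the role check on transition. After rebuilding, it is worth confirming that the roles from comment 1 (staff_r, user_r) really are in vmtools_helper_roles, e.g. `sesearch -T -s staff_t -t vmtools_helper_exec_t` and `seinfo -r staff_r -x`, and that the line quoted in the @@ header context, an earlier `role vmtools_helper_roles types vmtools_t;`, is intentional rather than a leftover copy of the line being fixed here.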

Comment 10 Ludek Smid 2014-06-13 12:00:20 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

