Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1598346 - Open-vm-tools suspend doesn't work properly with SELinux enabled
Summary: Open-vm-tools suspend doesn't work properly with SELinux enabled
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: open-vm-tools
Version: 28
Hardware: x86_64
OS: Unspecified
unspecified
medium
Target Milestone: ---
Assignee: Ravindra Kumar
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-07-05 07:46 UTC by Thomas Burdick
Modified: 2019-03-20 10:13 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Thomas Burdick 2018-07-05 07:46:59 UTC
Description of problem: Suspending the VM requires "sudo setenforce 0". If SELinux is left enabled, suspend fails.


Version-Release number of selected component (if applicable): open-vm-tools-10.2.5-2


How reproducible: Reproducable


Steps to Reproduce:
1. Enable SELinux "sudo setenforce 1"
2. Suspend VM. (fails)

Actual results: VMWare attempts to suspend the VM, and gives up after some time.


Expected results: The VM should suspend, as it does without open-vm-tools enabled, or with SELinux disabled.


Additional info: This is a fully up-to-date F28 installation. I couldn't find anything relevant in the syslog, but I'm not super familiar with the current logging setup. If anyone would like more information, just tell me where to look.

Comment 1 Hanno Heinrichs 2018-07-05 18:51:22 UTC
This might be related to bug reported here: https://github.com/vmware/open-vm-tools/issues/258

With SELinux set to "enforcing", can you spot a message similar to the following in your journalctl?

Jun 26 10:00:42 xxxxxx audit[807]: USER_AVC pid=807 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.77 spid=1026 tpid=2556 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:vmtools_unconfined_t:s0 tclass=dbus permissive=0
                                    exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

If so, does the proposed workaround from the GitHub issue work for you (while SELinux is still set to "enforcing")?

Comment 2 Alexander Moosbrugger 2019-01-15 08:21:47 UTC
I had the same problem with a Fedora 29 VM.
The proposed workaround from the GitHub issues works for me.


Note You need to log in before you can comment on or make changes to this bug.