Error - SELinux is Preventing Vmtoolsd From Entrypoint Access On the File /usr/bin/bash



  • On a Fedora 29 server running on ESXi, I was getting this error.

    
    SELinux is preventing vmtoolsd from entrypoint access on the file /usr/bin/bash.
    
    *****  Plugin catchall (100. confidence) suggests   **************************
    
    If you believe that vmtoolsd should be allowed entrypoint access on the bash file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'vmtoolsd' --raw | audit2allow -M my-vmtoolsd
    # semodule -X 300 -i my-vmtoolsd.pp
    
    
    Additional Information:
    Source Context                system_u:system_r:vmtools_unconfined_t:s0
    Target Context                system_u:object_r:shell_exec_t:s0
    Target Objects                /usr/bin/bash [ file ]
    Source                        vmtoolsd
    Source Path                   vmtoolsd
    Port                          <Unknown>
    Host                          wz00.domain.local
    Source RPM Packages
    Target RPM Packages           bash-4.4.23-6.fc29.x86_64
    Policy RPM                    selinux-policy-3.14.2-51.fc29.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Enforcing
    Host Name                     wz00.domain.local
    Platform                      Linux wz00.domain.local 4.20.16-200.fc29.x86_64 #1
                                  SMP Thu Mar 14 15:10:22 UTC 2019 x86_64 x86_64
    Alert Count                   3
    First Seen                    2019-03-19 15:15:02 PDT
    Last Seen                     2019-03-19 16:58:33 PDT
    Local ID                      13a8d13b-300d-4729-94c4-d5c83a6f4a56
    
    Raw Audit Messages
    type=AVC msg=audit(1553039913.263:102): avc:  denied  { entrypoint } for  pid=931 comm="vmtoolsd" path="/usr/bin/bash" dev="dm-0" ino=268635479 scontext=system_u:system_r:vmtools_unconfined_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
    
    
    Hash: vmtoolsd,vmtools_unconfined_t,shell_exec_t,file,entrypoint
    
    

    I ran the commands that it suggested to allow this access "for now":

    # ausearch -c 'vmtoolsd' --raw | audit2allow -M my-vmtoolsd
    # semodule -X 300 -i my-vmtoolsd.pp
    

    My question - Is this permanent? If not, how can I make this permanent?