VMware Cloud Community
tomuxi
Enthusiast

VMware Converter Standalone drops /usr/bin/ping SELinux capabilities

Hi,

It seems that the converter drops proper SELinux-capabilities from /usr/bin/ping during conversion. Because of this, normal users will no longer have rights to use ping, since it opens a RAW socket and that is guarded by SELinux (when enforced). The issue can be fixed manually, either by giving the proper capabilities back to /usr/bin/ping or by reinstalling iputils. Anyhow, it would be nice if Converter preserved SELinux-capabilities properly during conversion.

Regards,

-Tom

patanassov
VMware Employee

Thank you for the input.

I have logged a feature request for that.

Regards,

Plamen

tomuxi
Enthusiast

A more thorough workaround for now:

Before conversion, on the source machine:

     find / -maxdepth 1 -type d | egrep -v '^/(dev|proc|sys|tmp|run|boot|)$' | xargs getcap -r | gzip > fs.cap.gz

After conversion, on the resulting machine:

     zcat fs.cap.gz | awk -F= '{print $2 " " $1}' | xargs -n 2 setcap
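A variant of the capture-and-restore workaround above, as an added example that is not part of the original posts: it accepts both `getcap` output layouts ("path = caps" and "path caps"), keeps paths that contain spaces intact, and reads each capability back after `setcap` to confirm it was applied. The function names and the `fs.cap.tsv` file name are hypothetical, and the capability text is assumed to be a single clause without spaces.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and fs.cap.tsv are
# hypothetical. Run capture_caps / restore_caps as root.
TAB=$(printf '\t')

# Constructed sample of `getcap -r` output in both layouts:
# "path = caps" (older libcap) and "path caps" (newer libcap).
sample_getcap_output() {
    printf '%s\n' '/usr/bin/ping = cap_net_admin,cap_net_raw+p' \
                  '/opt/my app/tool cap_net_bind_service=ep'
}

# Convert getcap output to "caps<TAB>path" records. Assumes the capability
# text is one clause without spaces, so it is always the last field.
normalize_getcap() {
    awk 'NF >= 2 {
        caps = $NF; path = $0
        sub(/[ \t]+[^ \t]+$/, "", path)   # strip the trailing caps field
        sub(/[ \t]+=$/, "", path)         # strip the old-style " =" separator
        if (caps ~ /^[a-z0-9_,=+-]+$/) printf "%s\t%s\n", caps, path
    }'
}

# Source machine: record capabilities, skipping the same top-level
# directories the original one-liner skips.
capture_caps() {   # $1 = output file, e.g. fs.cap.tsv
    find / -mindepth 1 -maxdepth 1 -type d \
        ! -name dev ! -name proc ! -name sys ! -name tmp ! -name run ! -name boot \
        -exec getcap -r {} + 2>/dev/null | normalize_getcap > "$1"
}

# Converted machine: reapply each record, then read it back and compare.
restore_caps() {   # $1 = file from capture_caps; returns 1 if any entry failed
    rc=0
    while IFS="$TAB" read -r caps path; do
        if [ ! -e "$path" ]; then
            echo "missing: $path" >&2; rc=1; continue
        fi
        setcap "$caps" "$path" || { rc=1; continue; }
        now=$(getcap "$path" | normalize_getcap | cut -f1)
        [ "$now" = "$caps" ] || { echo "mismatch: $path" >&2; rc=1; }
    done < "$1"
    return "$rc"
}
```

Run `capture_caps fs.cap.tsv` on the source machine before conversion and `restore_caps fs.cap.tsv` on the converted machine; a non-zero exit status means at least one file is missing or did not take the recorded capabilities.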