vmware and eclipse avc denied in selinux-policy-targeted-3.0.2-3.fc8.noarch

Ken YANG spng.yang at gmail.com
Wed Jul 11 08:15:06 UTC 2007


Tom London wrote:
> On 7/10/07, Ken YANG <spng.yang at gmail.com> wrote:
>>
>> hi,
>>
>> i am in f8 rawhide with selinux-policy-targeted-3.0.2-3.fc8.noarch
>>
>> there are some avc denied about vmware and eclipse:
>>
>> 1 vmware config
>>
>> after i update to selinux-policy-targeted-3.0.2-3.fc8.noarch,
>> i find my vmware must be re-configured every time i run it.
>>
>> but when i run vmware-config.pl, some avc denied messages occurred:
>>
>> avc: denied { read, write } for comm="vmnet-bridge" cwd="/usr/bin"
>> dev=00:10
>> egid=0 euid=0 exe="/usr/bin/vmnet-bridge" exit=-13 fsgid=0 fsuid=0 gid=0
>> inode=230929 item=0 items=1 mode=020600 name="vmnet0"
>> obj=system_u:object_r:device_t:s0 ogid=0 ouid=0 path="/dev/vmnet0"
>> pid=22164
>> rdev=77:00 scontext=system_u:system_r:vmware_host_t:s0 sgid=0
>> subj=system_u:system_r:vmware_host_t:s0 suid=0 tclass=chr_file
>> tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0
>>
>> ......
>>
>> other avc errors are similar, it seemed that /dev/vmnet* are mislabeled,
>> they were all labeled device_t, not vmware_device_t.
>>
>> IIRC, i installed and configured vmware 6 well, before the merge of
>> targeted and strict policy, i.e. <selinux-policy-targeted-3.0
>>
>> I had compared the vmware* between these two policy versions; I had
>> not found any changes which would result in these errors.
>>
>> i also find the /dev in my system is tmpfs, so the file on this fs
>> should be labeled using fs_use_trans.
>>
>> I want to add type_transition rules to verify my guess, but i don't know
>> the type of /usr/bin/vmware-config.pl, which is "bin_t" now in my system
>>
>>
>> is there something i missed?
>>
> I have VMWare 6.0 running in Rawhide.
> 
> I believe it is with 'stock' labeling, but I made the following change
> to /usr/lib/vmware/net-services.sh to correct the labeling.  I'm not
> sure if there is a better way (e.g., in udev):
> 
> [root at localhost vmware]# diff -u net-services.sh.old net-services.sh
> --- net-services.sh.old 2007-05-01 21:54:30.000000000 -0700
> +++ net-services.sh     2007-07-10 06:55:11.000000000 -0700
> @@ -616,6 +616,11 @@
>    if [ ! -e "$vDevice" ]; then
>       mknod -m 600 "$vDevice" c 119 "$vHubNr"
>    fi
> +   retval=$?
> +   if [ "`isSELinuxEnabled`" = 'yes' ]; then
> +      restorecon "$vDevice"
> +   fi
> +   return $retval
> }
> 
> # Create a virtual host ethernet interface and connect it to a virtual
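Review bot: the added `restorecon "$vDevice"` runs even when the `mknod` just above it failed, so the relabel then hits a missing path and its error is silently lost while the function still returns mknod's status in `$retval`; guard the relabel with the node's existence, e.g. `if [ -e "$vDevice" ] && [ "`isSELinuxEnabled`" = 'yes' ]; then`, or capture `retval=$?` directly after the `mknod` line inside the branch and skip the relabel when it is non-zero. Running restorecon unconditionally when the node already exists is the right choice, since it also repairs a /dev/vmnet* node that an earlier run left as device_t.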
> 

thanks, tom

"file_context" has the right label for /dev/vmnet*, so we can use
restorecon to fix this error.

I think this is a vmware bug, which does not use the SELinux API.

But I wonder why vmware works well in selinux-policy-targeted-2.6.5-2.fc8
and fails in the new 3.0 (merged) policy?

I am learning the differences between the 2.6.5 and 3.0 policy, hoping
to find some hints.


> 
> In addition to the above, there seems to be an issue with vmware's use
> of the 'ldd' command (e.g., see:
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=246762).
> 
> Setting 'allow_execmem' or 'allow_execstack' via 'setsebool' seems to
> work around this issue for me.

Yes, to run vmware, "allow_execstack=1" is enough:

-(yangshao at Nerazzurri:pts/1)----------------------------------------(/workbench/rpmbuild/SRPMS)-(24/24)-
-(:16:11:$)-> getsebool -a|grep allow_exec
allow_execheap --> off
allow_execmem --> off
allow_execmod --> off
allow_execstack --> on

BTW, I have posted to this bug; you should receive a mail notification
about it.

> 
> tom

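The labeling check the thread converges on (the object is device_t where the file contexts say vmware_device_t, so restorecon is the fix), as an added shell example that is not part of any message in this thread: it pulls the fields out of an AVC denial line, compares the denied object's type with the type it should carry, and prints the restorecon that Tom's net-services.sh change performs. The sample line is Ken's denial joined back onto one line the way the kernel emits it; the expected type vmware_device_t is the one Ken's message names; the optional lookup through matchpathcon is an assumption about the libselinux tools being installed, and the script prints a fallback when they are not.

```shell
#!/bin/sh
# Added example (not from the thread): parse an AVC denial, compare the
# object's type with the expected one, and suggest the restorecon fix.

# Constructed sample: the denial Ken posted, joined onto one line.
AVC_SAMPLE='avc: denied { read, write } for comm="vmnet-bridge" cwd="/usr/bin" dev=00:10 egid=0 euid=0 exe="/usr/bin/vmnet-bridge" exit=-13 fsgid=0 fsuid=0 gid=0 inode=230929 item=0 items=1 mode=020600 name="vmnet0" obj=system_u:object_r:device_t:s0 ogid=0 ouid=0 path="/dev/vmnet0" pid=22164 rdev=77:00 scontext=system_u:system_r:vmware_host_t:s0 sgid=0 subj=system_u:system_r:vmware_host_t:s0 suid=0 tclass=chr_file tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0'

# avc_field LINE KEY: print the value of KEY=... (quotes stripped), or nothing.
# The leading [[:space:]] keeps "tcontext" from matching inside "scontext".
avc_field() {
    printf '%s\n' "$1" |
        sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms LINE: the permissions listed inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# ctx_type CONTEXT: the type field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# expected_type_for PATH: what the loaded file contexts say PATH should be.
# Assumes matchpathcon (libselinux) may be present; prints nothing otherwise.
expected_type_for() {
    if command -v matchpathcon >/dev/null 2>&1; then
        matchpathcon -n "$1" 2>/dev/null | cut -d: -f3
    fi
}

# avc_label_mismatch LINE EXPECTED_TYPE: succeed when the denied object's type
# differs from EXPECTED_TYPE, i.e. the path is mislabeled and restorecon helps.
avc_label_mismatch() {
    actual=$(ctx_type "$(avc_field "$1" tcontext)")
    [ -n "$actual" ] && [ "$actual" != "$2" ]
}

# report_avc LINE [EXPECTED_TYPE]: one-line summary plus the suggested action.
# EXPECTED_TYPE defaults to matchpathcon's answer for the denied path.
report_avc() {
    line=$1
    path=$(avc_field "$line" path)
    expected=${2:-$(expected_type_for "$path")}
    printf '%s (%s) -> %s %s on %s: denied { %s }\n' \
        "$(ctx_type "$(avc_field "$line" scontext)")" \
        "$(avc_field "$line" comm)" \
        "$(ctx_type "$(avc_field "$line" tcontext)")" \
        "$(avc_field "$line" tclass)" "$path" "$(avc_perms "$line")"
    if [ -z "$expected" ]; then
        printf '  expected type unknown (no matchpathcon); check file_contexts\n'
    elif avc_label_mismatch "$line" "$expected"; then
        printf '  mislabeled: expected %s, fix with: restorecon -v %s\n' "$expected" "$path"
    else
        printf '  label matches %s; this is a policy gap, not a labeling bug\n' "$expected"
    fi
}

# Stand-alone run against the constructed sample, with the expected type
# vmware_device_t that Ken's message names passed explicitly.
report_avc "$AVC_SAMPLE" vmware_device_t
```

The distinction the last branch makes is the useful one: when the object already carries the type the file contexts expect, restorecon changes nothing and the denial needs a policy rule (or a boolean such as allow_execstack, as for the ldd case in the thread) rather than a relabel.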



More information about the fedora-selinux-list mailing list