VMware + SELinux
Efthym
efthym at gmx.net
Tue Apr 20 21:50:56 UTC 2004
I saw the additions to file_contexts in policy 1.11.2-9 and thought I'd give
it another try ;)
With enforce=1, vmware-config.pl produces
[root at Purgatory log]# vmware-config.pl
Can't open perl script "/usr/bin/vmware-config.pl": Permission denied
Apr 20 17:36:08 Purgatory kernel: audit(1082496968.198:0): avc: denied
{ read } for pid=4273 exe=/usr/bin/perl name=urandom dev=hda2 ino=596039
scontext=root:system_r:vmware_t
tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Apr 20 17:36:08 Purgatory kernel: audit(1082496968.199:0): avc: denied
{ search } for pid=4273 exe=/usr/bin/perl name=bin dev=hda2 ino=1126081
scontext=root:system_r:vmware_t tcontext=system_u:object_r:bin_t tclass=dir
With enforce=0, vmware-config.pl works OK and also starts the
VMservices alright.
So this works! (see attached file of /var/log/messages)
(But ..) the problem again occurs if there is a change in the enforcing
mode (either with a restart or setenforce=1).
[root at Purgatory log]# service vmware stop
Apr 20 17:44:15 Purgatory kernel: audit(1082497454.955:0): avc: denied
{ search } for pid=5411 comm=vmnet-netifup name=vmnet1 dev= ino=25998
scontext=root:system_r:vmware_t tcontext=system_u:object_r:sysfs_t
tclass=dir
Apr 20 17:44:16 Purgatory kernel: audit(1082497456.081:0): avc: denied
{ unlink } for pid=5136 exe=/usr/bin/vmnet-natd name=vmnat.5136 dev=hda2
ino=2105474 scontext=root:system_r:vmware_t
tcontext=root:object_r:var_run_t tclass=sock_file
[root at Purgatory log]# setenforce 1
[root at Purgatory log]# service vmware start
Starting VMware services:
Virtual machine monitor [ OK ]
Virtual ethernet [ OK ]
Bridged networking on /dev/vmnet0 [FAILED]
Host-only networking on /dev/vmnet1 (background) [ OK ]
Host-only networking on /dev/vmnet8 (background) [ OK ]
NAT networking on /dev/vmnet8 [FAILED]
Apr 20 17:45:46 Purgatory kernel: audit(1082497546.084:0): avc: granted
{ setenforce } for pid=5869 exe=/usr/bin/setenforce
scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t
tclass=security
Apr 20 17:46:00 Purgatory kernel: vmmon: module license 'unspecified'
taints kernel.
Apr 20 17:46:01 Purgatory kernel: parport0: PC-style at 0x3bc (0x7bc)
[PCSPP,TRISTATE]
Apr 20 17:46:01 Purgatory kernel: parport0: irq 7 detected
Apr 20 17:46:01 Purgatory kernel: vmnet: module license 'unspecified'
taints kernel.
Apr 20 17:46:01 Purgatory kernel: audit(1082497561.203:0): avc: denied
{ read write } for pid=5911 exe=/usr/bin/vmnet-bridge name=vmnet0
dev=hda2 ino=588039 scontext=root:system_r:vmware_t
tcontext=root:object_r:device_t tclass=chr_file
Apr 20 17:46:01 Purgatory kernel: audit(1082497561.454:0): avc: denied
{ read write } for pid=5933 exe=/usr/bin/vmnet-natd name=vmnet8 dev=hda2
ino=587693 scontext=root:system_r:vmware_t tcontext=root:object_r:device_t
tclass=chr_file
Apr 20 17:46:11 Purgatory kernel: audit(1082497571.268:0): avc: denied
{ read write } for pid=6190 exe=/usr/bin/vmnet-netifup name=vmnet1
dev=hda2 ino=587685 scontext=root:system_r:vmware_t
tcontext=root:object_r:device_t tclass=chr_file
Apr 20 17:46:11 Purgatory VMware[init]: /dev/vmnet1: Permission denied
Apr 20 17:46:11 Purgatory kernel: audit(1082497571.354:0): avc: denied
{ read write } for pid=6191 exe=/usr/bin/vmnet-netifup name=vmnet8
dev=hda2 ino=587693 scontext=root:system_r:vmware_t
tcontext=root:object_r:device_t tclass=chr_file
Apr 20 17:46:11 Purgatory VMware[init]: /dev/vmnet8: Permission denied
If I restart (with kernel parameter enforcing=1)
[root at Purgatory log]# service vmware start
VMware Workstation is installed, but it has not been (correctly) configured
for the running kernel. To (re-)configure it, invoke the
following command: /usr/bin/vmware-config.pl.
And we're back to square 1!
Hope all this helps, it took a while to get all the messages off ;)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: vmware.log
Type: application/octet-stream
Size: 36963 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20040420/7ed5c471/attachment.obj>
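The AVC lines in the post are the raw material for triaging a denial like this. The following is an added example, not part of the original message or of the Fedora policy tooling: a small Python parser for the 2004-era `avc: denied { perms } for ...` kernel message format shown above, which groups denials by source type, target type and object class (the unit of an SELinux allow rule) and renders them in audit2allow-style syntax for review. The sample lines are copied from the post and re-joined into single lines where syslog had wrapped them; the regular expressions and the helper names are this example's own.

```python
"""Parse kernel AVC messages in the format shown in the post and summarize
the denials by (source type, target type, class) for policy triage.
Added example; not code from the original post."""
import re
from collections import defaultdict

# Constructed sample: lines copied from the post, re-joined onto single lines.
# The last line has no "avc:" field and must be ignored by the parser.
SAMPLE_LOG = """\
Apr 20 17:36:08 Purgatory kernel: audit(1082496968.198:0): avc: denied { read } for pid=4273 exe=/usr/bin/perl name=urandom dev=hda2 ino=596039 scontext=root:system_r:vmware_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Apr 20 17:36:08 Purgatory kernel: audit(1082496968.199:0): avc: denied { search } for pid=4273 exe=/usr/bin/perl name=bin dev=hda2 ino=1126081 scontext=root:system_r:vmware_t tcontext=system_u:object_r:bin_t tclass=dir
Apr 20 17:45:46 Purgatory kernel: audit(1082497546.084:0): avc: granted { setenforce } for pid=5869 exe=/usr/bin/setenforce scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t tclass=security
Apr 20 17:46:01 Purgatory kernel: audit(1082497561.203:0): avc: denied { read write } for pid=5911 exe=/usr/bin/vmnet-bridge name=vmnet0 dev=hda2 ino=588039 scontext=root:system_r:vmware_t tcontext=root:object_r:device_t tclass=chr_file
Apr 20 17:46:01 Purgatory kernel: audit(1082497561.454:0): avc: denied { read write } for pid=5933 exe=/usr/bin/vmnet-natd name=vmnet8 dev=hda2 ino=587693 scontext=root:system_r:vmware_t tcontext=root:object_r:device_t tclass=chr_file
Apr 20 17:46:11 Purgatory kernel: vmnet: module license 'unspecified' taints kernel.
"""

# "avc: denied { read write } for pid=... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; a value may be empty (the post shows "dev= ino=25998").
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_avc(line):
    """Return a dict for one AVC message, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": tuple(m.group("perms").split())}
    rec.update(dict(FIELD_RE.findall(m.group("fields"))))
    return rec


def parse_log(text):
    """Parse every AVC message in a block of syslog text."""
    return [r for r in (parse_avc(ln) for ln in text.splitlines()) if r]


def summarize_denials(records):
    """Group denials by (source type, target type, class) -> set of permissions.
    Granted events (like the setenforce one above) are deliberately skipped."""
    groups = defaultdict(set)
    for r in records:
        if r["result"] != "denied":
            continue
        stype = r["scontext"].split(":")[2]   # user:role:type -> type
        ttype = r["tcontext"].split(":")[2]
        groups[(stype, ttype, r["tclass"])].update(r["perms"])
    return dict(groups)


def as_allow_rules(groups):
    """Render the groups in the allow-rule syntax audit2allow would emit.
    These are review material, not rules to load blindly: a target of the
    generic device_t type, as on /dev/vmnet0 and /dev/vmnet8 above, usually
    means the device node is unlabelled and the right fix is a file_contexts
    entry and relabel, not a broader allow rule."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(groups.items())
    ]


if __name__ == "__main__":
    for rule in as_allow_rules(summarize_denials(parse_log(SAMPLE_LOG))):
        print(rule)
```

Run stand-alone it prints three candidate rules; the two vmnet-related denials collapse into one `vmware_t device_t:chr_file` entry, which is the signal that the device nodes, not the policy, need attention.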