VMware + SELinux

Efthym efthym at gmx.net
Tue Apr 20 21:50:56 UTC 2004


I saw the additions to file_contexts in policy 1.11.2-9 and thought I'd give 
it another try ;)

With enforce=1, vmware-config.pl produces
[root at Purgatory log]# vmware-config.pl
Can't open perl script "/usr/bin/vmware-config.pl": Permission denied

Apr 20 17:36:08 Purgatory kernel: audit(1082496968.198:0): avc:  denied  
{ read } for  pid=4273 exe=/usr/bin/perl name=urandom dev=hda2 ino=596039 
scontext=root:system_r:vmware_t 
tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Apr 20 17:36:08 Purgatory kernel: audit(1082496968.199:0): avc:  denied  
{ search } for  pid=4273 exe=/usr/bin/perl name=bin dev=hda2 ino=1126081 
scontext=root:system_r:vmware_t tcontext=system_u:object_r:bin_t tclass=dir


With enforce=0, vmware-config.pl works OK and also starts the 
VM services alright.
So this works! (See the attached file of /var/log/messages.)

(But ...) the problem occurs again if there is a change in the enforcing 
mode (either with a restart or setenforce=1).

[root at Purgatory log]# service vmware stop

Apr 20 17:44:15 Purgatory kernel: audit(1082497454.955:0): avc:  denied  
{ search } for  pid=5411 comm=vmnet-netifup name=vmnet1 dev= ino=25998 
scontext=root:system_r:vmware_t tcontext=system_u:object_r:sysfs_t 
tclass=dir
Apr 20 17:44:16 Purgatory kernel: audit(1082497456.081:0): avc:  denied  
{ unlink } for  pid=5136 exe=/usr/bin/vmnet-natd name=vmnat.5136 dev=hda2 
ino=2105474 scontext=root:system_r:vmware_t 
tcontext=root:object_r:var_run_t tclass=sock_file

[root at Purgatory log]# setenforce 1
[root at Purgatory log]# service vmware start
Starting VMware services:
    Virtual machine monitor                                 [  OK  ]
    Virtual ethernet                                        [  OK  ]
    Bridged networking on /dev/vmnet0                       [FAILED]
    Host-only networking on /dev/vmnet1 (background)        [  OK  ]
    Host-only networking on /dev/vmnet8 (background)        [  OK  ]
    NAT networking on /dev/vmnet8                           [FAILED]

Apr 20 17:45:46 Purgatory kernel: audit(1082497546.084:0): avc:  granted  
{ setenforce } for  pid=5869 exe=/usr/bin/setenforce 
scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t 
tclass=security
Apr 20 17:46:00 Purgatory kernel: vmmon: module license 'unspecified' 
taints kernel.
Apr 20 17:46:01 Purgatory kernel: parport0: PC-style at 0x3bc (0x7bc) 
[PCSPP,TRISTATE]
Apr 20 17:46:01 Purgatory kernel: parport0: irq 7 detected
Apr 20 17:46:01 Purgatory kernel: vmnet: module license 'unspecified' 
taints kernel.
Apr 20 17:46:01 Purgatory kernel: audit(1082497561.203:0): avc:  denied  
{ read write } for  pid=5911 exe=/usr/bin/vmnet-bridge name=vmnet0 
dev=hda2 ino=588039 scontext=root:system_r:vmware_t 
tcontext=root:object_r:device_t tclass=chr_file
Apr 20 17:46:01 Purgatory kernel: audit(1082497561.454:0): avc:  denied  
{ read write } for  pid=5933 exe=/usr/bin/vmnet-natd name=vmnet8 dev=hda2 
ino=587693 scontext=root:system_r:vmware_t tcontext=root:object_r:device_t 
tclass=chr_file
Apr 20 17:46:11 Purgatory kernel: audit(1082497571.268:0): avc:  denied  
{ read write } for  pid=6190 exe=/usr/bin/vmnet-netifup name=vmnet1 
dev=hda2 ino=587685 scontext=root:system_r:vmware_t 
tcontext=root:object_r:device_t tclass=chr_file
Apr 20 17:46:11 Purgatory VMware[init]: /dev/vmnet1: Permission denied
Apr 20 17:46:11 Purgatory kernel: audit(1082497571.354:0): avc:  denied  
{ read write } for  pid=6191 exe=/usr/bin/vmnet-netifup name=vmnet8 
dev=hda2 ino=587693 scontext=root:system_r:vmware_t 
tcontext=root:object_r:device_t tclass=chr_file
Apr 20 17:46:11 Purgatory VMware[init]: /dev/vmnet8: Permission denied

If I restart (with kernel parameter enforcing=1)

[root at Purgatory log]# service vmware start
VMware Workstation is installed, but it has not been (correctly) configured
for the running kernel. To (re-)configure it, invoke the
following command: /usr/bin/vmware-config.pl.

And we're back to square 1!
Hope all this helps, it took a while to get all the messages off ;)


-------------- next part --------------
A non-text attachment was scrubbed...
Name: vmware.log
Type: application/octet-stream
Size: 36963 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20040420/7ed5c471/attachment.obj>
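The AVC records quoted in the message above all share one format. As an added example (not part of the original post or of the VMware or SELinux projects), this Python script parses such records into source type, target type, object class and permissions, and aggregates the denials into candidate allow rules for a policy maintainer to review, in the spirit of audit2allow. The sample input is constructed from the kernel log lines quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records copied from the kernel log quoted in the post.
AVC_LOG = """\
Apr 20 17:36:08 Purgatory kernel: audit(1082496968.198:0): avc:  denied  { read } for  pid=4273 exe=/usr/bin/perl name=urandom dev=hda2 ino=596039 scontext=root:system_r:vmware_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Apr 20 17:36:08 Purgatory kernel: audit(1082496968.199:0): avc:  denied  { search } for  pid=4273 exe=/usr/bin/perl name=bin dev=hda2 ino=1126081 scontext=root:system_r:vmware_t tcontext=system_u:object_r:bin_t tclass=dir
Apr 20 17:45:46 Purgatory kernel: audit(1082497546.084:0): avc:  granted  { setenforce } for  pid=5869 exe=/usr/bin/setenforce scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t tclass=security
Apr 20 17:46:01 Purgatory kernel: audit(1082497561.203:0): avc:  denied  { read write } for  pid=5911 exe=/usr/bin/vmnet-bridge name=vmnet0 dev=hda2 ino=588039 scontext=root:system_r:vmware_t tcontext=root:object_r:device_t tclass=chr_file
Apr 20 17:46:01 Purgatory kernel: audit(1082497561.454:0): avc:  denied  { read write } for  pid=5933 exe=/usr/bin/vmnet-natd name=vmnet8 dev=hda2 ino=587693 scontext=root:system_r:vmware_t tcontext=root:object_r:device_t tclass=chr_file
"""

# "avc:  denied  { read write } for  key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # \S* so an empty value like 'dev=' still parses

def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict"), "perms": tuple(m.group("perms").split())}
    rec.update(dict(FIELD_RE.findall(m.group("fields"))))
    return rec

def type_of(context):
    """Contexts here are user:role:type; the type is the third field."""
    return context.split(":")[2]

def denials_to_rules(log_text):
    """Merge denied records by (source type, target type, class) into allow rules."""
    perms_by_key = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue  # 'granted' records (e.g. setenforce) are audit events, not policy gaps
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        perms_by_key[key].update(rec["perms"])
    return sorted(
        "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
        for (src, tgt, cls), perms in perms_by_key.items()
    )

if __name__ == "__main__":
    for rule in denials_to_rules(AVC_LOG):
        print(rule)
```

The output is a starting point for review, not something to load as-is: a denial on /dev/vmnet* labelled device_t usually points at a missing file context rather than at a rule that should be widened.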
