VMWare config issue (Newbie)

Stephen Smalley sds at epoch.ncsc.mil
Fri Jun 25 19:42:39 UTC 2004


On Fri, 2004-06-25 at 14:50, Earl wrote:
> All,
> 
> I'm just learning so forgive the trivial nature of the
> question:
> 
> FC2, Installed VMWare workstation 4.5x, unable to run
> configuration script, just "yum-ed" so I'm up to date,
> relabeled, rebooted, still cannot run configuration
> script...
> [root at host root]# id
> uid=0(root) gid=0(root)
> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
> context=root:sysadm_r:sysadm_t
> [root at host root]# /usr/bin/vmware-config.pl
> Can't open perl script "/usr/bin/vmware-config.pl":
> Permission denied
> [root at host root]# ls -Z /usr/bin/vmware-config.pl
> -r-xr-xr-x+ root     root    
> system_u:object_r:vmware_exec_t 
> /usr/bin/vmware-config.pl
> 
> Looks like a context problem to me but I am unsure
> what to change... my context, that of the script
> itself or modify context files and relabel?
> 
> I have the docs, have been reading, but I have not
> been able to understand some of the general concepts.
> 
> Any advice will be appreciated.

audit2allow -d -l | grep vmware_t should show you the relevant missing
allow statements from the policy.  On FC2, you can then add them to your
policy by doing the following:

yum install policy-sources
cd /etc/security/selinux/src/policy
audit2allow -d -l | grep vmware_t >> domains/misc/local.te
make load

But I'm not clear that vmware-config.pl should be labeled vmware_exec_t
at all (vs. bin_t).  What is the advantage of running the configuration
script in vmware_t vs. sysadm_t?  There are no type transition rules for
vmware_t (except for /var/run files), so it doesn't help keep the
configuration in the right type.  

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
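
Added example, not part of the original message and not audit2allow's own code: the conversion from AVC denial messages to allow rules that the pipeline above relies on, filtered on the source domain (a plain grep also matches lines where vmware_t is only the target) so the rules can be reviewed before they are appended to local.te. The log lines are constructed and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample kernel log lines (not taken from the thread).
SAMPLE_LOG = """\
audit(1088192559.100:0): avc:  denied  { read } for  pid=2101 exe=/usr/bin/perl name=vmware-config.pl dev=hda2 ino=4711 scontext=root:sysadm_r:vmware_t tcontext=system_u:object_r:vmware_exec_t tclass=file
audit(1088192559.200:0): avc:  denied  { getattr } for  pid=2101 exe=/usr/bin/perl path=/usr/bin/vmware-config.pl dev=hda2 ino=4711 scontext=root:sysadm_r:vmware_t tcontext=system_u:object_r:vmware_exec_t tclass=file
audit(1088192560.000:0): avc:  denied  { signal } for  pid=2101 exe=/usr/bin/perl scontext=root:sysadm_r:vmware_t tcontext=root:sysadm_r:vmware_t tclass=process
audit(1088192561.000:0): avc:  denied  { search } for  pid=900 exe=/usr/sbin/httpd name=root dev=hda2 ino=2 scontext=system_u:system_r:httpd_t tcontext=root:object_r:user_home_dir_t tclass=dir
audit(1088192562.000:0): avc:  granted  { load_policy } for  pid=3000 exe=/usr/sbin/load_policy scontext=root:sysadm_r:load_policy_t tcontext=system_u:object_r:security_t tclass=security
"""

# Only "denied" messages are matched; "granted" lines never produce a rule.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(context):
    """Return the type field (third field) of user:role:type[:level]."""
    return context.split(":")[2]


def allow_rules(log_text, source_type=None):
    """Merge AVC denials into sorted TE allow rules, optionally for one source domain."""
    perms_by_key = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # granted messages and unrelated log lines
        src = context_type(m["scon"])
        tgt = context_type(m["tcon"])
        if source_type and src != source_type:
            continue  # denial belongs to another domain
        if tgt == src:
            tgt = "self"  # policy syntax for a domain acting on itself
        perms_by_key[(src, tgt, m["tclass"])].update(m["perms"].split())
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(perms_by_key.items())
    ]


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG, "vmware_t"):
        print(rule)
```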



