vmware beta....needs mount/unmount?

Daniel J Walsh dwalsh at redhat.com
Tue Jan 2 17:40:09 UTC 2007


Tom London wrote:
> Running latest rawhide, targeted/enforcing.
>
> I'm testing the latest vmware beta (6?).
>
> Seems to want to mount on /proc/fs/vmware-block/mountPoint:
>    none on /proc/fs/vmware-block/mountPoint type vmware-block (rw)
>
> This produces the following AVC during boot:
>
> type=AVC msg=audit(1167500297.368:6): avc:  denied  { mount } for
> pid=2225 comm="mount" name="/" dev=vmware-block ino=1
> scontext=system_u:system_r:mount_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem
> type=SYSCALL msg=audit(1167500297.368:6): arch=40000003 syscall=21
> success=yes exit=0 a0=937cdd8 a1=937ce00 a2=937cde8 a3=c0ed0000
> items=0 ppid=2212 pid=2225 auid=4294967295 uid=0 gid=0 euid=0 suid=0
> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mount" exe="/bin/mount"
> subj=system_u:system_r:mount_t:s0 key=(null)
>
> I believe this is the associated AVC from 'unmount' during shutdown:
>
> type=AVC msg=audit(1167502331.621:34): avc:  denied  { unmount } for
> pid=4269 comm="umount" scontext=system_u:system_r:mount_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem
> type=SYSCALL msg=audit(1167502331.621:34): arch=40000003 syscall=22
> success=yes exit=0 a0=9f20120 a1=bffc51f0 a2=9f20148 a3=9f20121
> items=0 ppid=4268 pid=4269 auid=4294967295 uid=0 gid=0 euid=0 suid=0
> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="umount"
> exe="/bin/umount" subj=system_u:system_r:mount_t:s0 key=(null)
>
> This appears to be the script from /etc/init.d/vmware:
>
> # Start the file system blocking driver
> vmware_start_vmblock() {
>   mkdir -p /tmp/VMwareDnD && chmod 777 /tmp/VMwareDnD
>   vmware_exec 'Loading module' vmware_load_module $vmblock
>   exitcode=`expr $exitcode + $?`
>   mount -t vmware-block none /proc/fs/vmware-block/mountPoint
> }
>
> # Stop the file system blocking driver
> vmware_stop_vmblock() {
>   umount /proc/fs/vmware-block/mountPoint
>   vmware_unload_module $vmblock
> }
>
> Right way to fix?
>
> tom

This looks like we need a genfscon for a vmware-block type file system.

Perhaps adding these lines, and then some interface to allow vmware to
access the filesystem, would work?

#
# vmwarefs_t is the type for vmware file systems
# filesystems and their files.
#
type vmwarefs_t;
fs_noxattr_type(vmwarefs_t)
allow vmwarefs_t fs_t:filesystem associate;
genfscon vmware-block / gen_context(system_u:object_r:vmwarefs_t,s0)
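The two denials quoted above both have `tclass=filesystem` and a target of `unlabeled_t`, which is the signature of a filesystem type the policy has no labeling rule for; the fix Dan proposes is a genfscon, not an allow rule against unlabeled_t. The following is an added example, not code from this thread or from the SELinux reference policy, that parses such AVC records and flags that pattern. The two sample records are the ones quoted in the post, re-joined onto single lines as auditd emits them; the function names (`parse_avc`, `triage`, `unlabeled_fs_devices`) are my own.

```python
import re

# Sample AVC records, copied from the audit log quoted in this thread and
# re-joined onto one line each (the mail client had wrapped them).
SAMPLE_AVCS = [
    'type=AVC msg=audit(1167500297.368:6): avc:  denied  { mount } for '
    'pid=2225 comm="mount" name="/" dev=vmware-block ino=1 '
    'scontext=system_u:system_r:mount_t:s0 '
    'tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem',
    'type=AVC msg=audit(1167502331.621:34): avc:  denied  { unmount } for '
    'pid=4269 comm="umount" scontext=system_u:system_r:mount_t:s0 '
    'tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem',
]

# "avc:  denied  { perm1 perm2 } for key=value ..." -- the permission set is
# brace-delimited and space separated; everything after "for" is key=value.
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# Values are either double-quoted (comm="mount", name="/") or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record. Returns a dict with 'result', 'perms' (list) and
    every key=value field, plus the type component of each context; returns
    None for lines that are not AVC records (e.g. type=SYSCALL)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'result': m.group('result'), 'perms': m.group('perms').split()}
    for key, val in KV_RE.findall(m.group('rest')):
        rec[key] = val.strip('"')
    # A context is user:role:type[:level]; the type is what policy rules key on.
    for ctx in ('scontext', 'tcontext'):
        if ctx in rec:
            parts = rec[ctx].split(':')
            rec[ctx + '_type'] = parts[2] if len(parts) > 2 else None
    return rec


def triage(rec):
    """Classify a parsed record as (category, message).

    A 'filesystem' object labelled unlabeled_t means the kernel found no
    genfscon/fs_use rule for that filesystem type, so the right fix is a
    labeling rule (as proposed in the thread), not an allow rule that would
    let mount_t operate on every unlabeled filesystem."""
    if rec is None:
        return ('not_avc', 'not an AVC record')
    if rec['result'] != 'denied':
        return ('granted', 'AVC was granted, nothing to do')
    if rec.get('tclass') == 'filesystem' and rec.get('tcontext_type') == 'unlabeled_t':
        dev = rec.get('dev', '<no dev field>')
        return ('unlabeled_fs',
                f'{rec.get("comm")} denied {" ".join(rec["perms"])} on unlabeled '
                f'filesystem {dev}: add a genfscon/fs_use rule for this fs type')
    return ('other',
            f'{rec.get("scontext_type")} denied {" ".join(rec["perms"])} '
            f'on {rec.get("tclass")} ({rec.get("tcontext_type")})')


def unlabeled_fs_devices(lines):
    """Return the set of filesystem names (dev=) seen in unlabeled-filesystem
    denials; unmount denials usually omit dev=, so those add nothing."""
    devs = set()
    for line in lines:
        rec = parse_avc(line)
        if triage(rec)[0] == 'unlabeled_fs' and 'dev' in rec:
            devs.add(rec['dev'])
    return devs


if __name__ == '__main__':
    for line in SAMPLE_AVCS:
        print(triage(parse_avc(line))[1])
    print('filesystem types needing a labeling rule:', unlabeled_fs_devices(SAMPLE_AVCS))
```

Run against a real log with `ausearch -m avc --raw | python3 avc_triage.py`-style plumbing by replacing `SAMPLE_AVCS` with lines read from stdin; the distinction the script draws (unlabeled filesystem versus an ordinary type-to-type denial) is exactly what decides whether `audit2allow` output would be the wrong answer.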
