vmware and eclipse avc denied in selinux-policy-targeted-3.0.2-3.fc8.noarch

Daniel J Walsh dwalsh at redhat.com
Thu Jul 12 12:46:10 UTC 2007


Ken YANG wrote:
> hi,
>
> i am in f8 rawhide with selinux-policy-targeted-3.0.2-3.fc8.noarch
>
> there are some avc denied about vmware and eclipse:
>
> 1 vmware config
>
> after i update to selinux-policy-targeted-3.0.2-3.fc8.noarch,
> i find my vmware must be re-configured every time i run it.
>
> but when i run vmware-config.pl, some avc denied messages occurred:
>
> avc: denied { read, write } for comm="vmnet-bridge" cwd="/usr/bin" dev=00:10
> egid=0 euid=0 exe="/usr/bin/vmnet-bridge" exit=-13 fsgid=0 fsuid=0 gid=0
> inode=230929 item=0 items=1 mode=020600 name="vmnet0"
> obj=system_u:object_r:device_t:s0 ogid=0 ouid=0 path="/dev/vmnet0" pid=22164
> rdev=77:00 scontext=system_u:system_r:vmware_host_t:s0 sgid=0
> subj=system_u:system_r:vmware_host_t:s0 suid=0 tclass=chr_file
> tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0
>
> ......
>
> other avc errors are similar, it seemed that /dev/vmnet* are mislabeled,
> they were all labeled device_t, not vmware_device_t.
>
> IIRC, i installed and configured vmware 6 well, before the merge of
> targeted and strict policy, i.e. <selinux-policy-targeted-3.0
>
> i had compared the vmware* between these two versions of the policy, i had
> not found any changes which would result in these errors.
>
> i also find the /dev in my system is tmpfs, so the file on this fs
> should be labeled using fs_use_trans.
>
> I want to add type_transition rules to verify my guess, but i don't know
> the type of /usr/bin/vmware-config.pl, which is "bin_t" now in my system
>
>
> is there something i missed?
>
Who is creating the device?  I don't believe this device is being 
created by udev, so it is getting the parent directories label. 
(device_t)  If the device is getting created in an init script you 
should add a restorecon after the mknod.

> 2 Eclipse avc error
>
> when i launch eclipse (SLIDE), i got avc error:
>
> avc: denied { unix_read, unix_write } for comm="X" egid=0 euid=0
> exe="/usr/bin/Xorg" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=2880
> scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 sgid=0
> subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 suid=0 tclass=shm
> tcontext=system_u:system_r:java_t:s0 tty=tty7 uid=0
>
This might affect performance.  I will contact one of our X Gurus to check.
> i think this should be added in policy as "dontaudit", because it seemed
> that it doesn't influence my use of eclipse
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
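An added example, not part of Dan's reply or Ken's post: a small POSIX sh script that pulls the fields out of an AVC record like the vmnet-bridge one quoted above and flags the symptom Dan describes, a device node that still carries the generic label of /dev (device_t) because something other than udev created it and it inherited the parent directory's label. The sample records are constructed from the two denials in the thread with some fields trimmed; the major/minor numbers, paths and the function names are placeholders for illustration. The last function is the init-script pattern Dan suggests (restorecon right after mknod); it needs root and the SELinux tools, so it is defined but not executed.

```shell
#!/bin/sh
# Constructed samples modelled on the two denials quoted in the thread
# (not captured from a live system; fields trimmed for readability).
SAMPLE_AVC='avc: denied { read, write } for comm="vmnet-bridge" dev=00:10 exe="/usr/bin/vmnet-bridge" exit=-13 name="vmnet0" path="/dev/vmnet0" pid=22164 rdev=77:00 scontext=system_u:system_r:vmware_host_t:s0 tclass=chr_file tcontext=system_u:object_r:device_t:s0'
SAMPLE_AVC_SHM='avc: denied { unix_read, unix_write } for comm="X" exe="/usr/bin/Xorg" exit=-13 pid=2880 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=shm tcontext=system_u:system_r:java_t:s0'

# avc_field LINE KEY: print the value of KEY=... with surrounding quotes removed.
# The leading-space anchor keeps "dev=" from matching inside "rdev=".
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# ctx_type CONTEXT: the type component (third field) of an SELinux context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_mislabeled_device LINE: exit 0 when the target is a device node whose
# label is the generic device_t, i.e. it never received the specific label
# that file_contexts assigns to that path. Prints a one-line verdict either way.
avc_mislabeled_device() {
    line=$1
    tclass=$(avc_field "$line" tclass)
    ttype=$(ctx_type "$(avc_field "$line" tcontext)")
    path=$(avc_field "$line" path)
    case "$tclass" in
        chr_file|blk_file) ;;
        *) printf '%s: not a device node (tclass=%s)\n' "$path" "$tclass"; return 1 ;;
    esac
    if [ "$ttype" = device_t ]; then
        printf '%s: generic device_t label, check what creates it (udev vs. mknod)\n' "$path"
        return 0
    fi
    printf '%s: labeled %s, not a labeling problem\n' "$path" "$ttype"
    return 1
}

# make_device_node PATH MAJOR MINOR: the init-script pattern from Dan's reply.
# mknod alone leaves the new node with the label of /dev; restorecon resets it
# to whatever file_contexts specifies for that path. Needs root and the SELinux
# userspace tools, so it is only defined here, never called.
make_device_node() {
    mknod -m 0600 "$1" c "$2" "$3" || return 1
    restorecon -v "$1"
}

# Run the check over the constructed vmnet-bridge record.
avc_mislabeled_device "$SAMPLE_AVC"
```

Running the script prints a verdict for /dev/vmnet0 noting the generic device_t label; the shm denial from the X server is reported as "not a device node", since a labeling check is the wrong lens for that one.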
