vmware and eclipse avc denied in selinux-policy-targeted-3.0.2-3.fc8.noarch

Daniel J Walsh dwalsh at redhat.com
Thu Jul 12 12:51:31 UTC 2007


Ken YANG wrote:
> Tom London wrote:
>   
>> On 7/10/07, Ken YANG <spng.yang at gmail.com> wrote:
>>     
>>> hi,
>>>
>>> I am on F8 rawhide with selinux-policy-targeted-3.0.2-3.fc8.noarch
>>>
>>> there are some AVC denials about vmware and eclipse:
>>>
>>> 1 vmware config
>>>
>>> After I updated to selinux-policy-targeted-3.0.2-3.fc8.noarch,
>>> I find my vmware must be re-configured every time I run it.
>>>
>>> But when I run vmware-config.pl, some AVC denied messages occurred:
>>>
>>> avc: denied { read, write } for comm="vmnet-bridge" cwd="/usr/bin"
>>> dev=00:10
>>> egid=0 euid=0 exe="/usr/bin/vmnet-bridge" exit=-13 fsgid=0 fsuid=0 gid=0
>>> inode=230929 item=0 items=1 mode=020600 name="vmnet0"
>>> obj=system_u:object_r:device_t:s0 ogid=0 ouid=0 path="/dev/vmnet0"
>>> pid=22164
>>> rdev=77:00 scontext=system_u:system_r:vmware_host_t:s0 sgid=0
>>> subj=system_u:system_r:vmware_host_t:s0 suid=0 tclass=chr_file
>>> tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0
>>>
>>> ......
>>>
>>> Other AVC errors are similar; it seems that /dev/vmnet* are mislabeled:
>>> they were all labeled device_t, not vmware_device_t.
>>>
>>> IIRC, I installed and configured vmware 6 fine before the merge of
>>> targeted and strict policy, i.e. <selinux-policy-targeted-3.0
>>>
>>> I compared the vmware* between these two policy versions, and did
>>> not find any changes which would result in these errors.
>>>
>>> I also find that /dev in my system is tmpfs, so files on this fs
>>> should be labeled using fs_use_trans.
>>>
>>> I want to add type_transition rules to verify my guess, but I don't know
>>> the type of /usr/bin/vmware-config.pl, which is "bin_t" now on my system.
>>>
>>>
>>> Is there something I missed?
>>>
>>>       
>> I have VMWare 6.0 running in Rawhide.
>>
>> I believe it is with 'stock' labeling, but I made the following change
>> to /usr/lib/vmware/net-services.sh to correct the labeling.  I'm not
>> sure if there is a better way (e.g., in udev):
>>
>> [root at localhost vmware]# diff -u net-services.sh.old net-services.sh
>> --- net-services.sh.old 2007-05-01 21:54:30.000000000 -0700
>> +++ net-services.sh     2007-07-10 06:55:11.000000000 -0700
>> @@ -616,6 +616,11 @@
>>    if [ ! -e "$vDevice" ]; then
>>       mknod -m 600 "$vDevice" c 119 "$vHubNr"
>>    fi
>> +   retval=$?
>> +   if [ "`isSELinuxEnabled`" = 'yes' ]; then
>> +      restorecon "$vDevice"
>> +   fi
>> +   return $retval
>> }
>>
>> # Create a virtual host ethernet interface and connect it to a virtual
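Review bot: `restorecon "$vDevice"` runs unconditionally inside the SELinux check (also when the node already existed), which is what corrects the device_t label seen in the AVC above, but its exit status is discarded and only `retval` captured after the `mknod` block is returned, so a failed relabel is silent; consider `restorecon "$vDevice" || retval=$?` so the caller sees it. `isSELinuxEnabled` is not part of this hunk and is assumed to be defined elsewhere in net-services.sh.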
>>
>>     
>
> thanks, tom
>
> "file_context" have right label about /dev/vmnet*, so we can use
> restorecon to fix this error.
>
> I think this is a vmware bug: it does not use the SELinux API.
>
> But I wonder why vmware works well in selinux-policy-targeted-2.6.5-2.fc8
> and fails in the new 3.0 (merged) policy?
>
> I am learning the differences between the 2.6.5 and 3.0 policy, hoping
> to find some hints.
>
>   
We were not using vmware policy in fc7.  So it ran unconfined.  Now we 
are attempting to confine it.
>   
>> In addition to the above, there seems to be an issue with vmware's use
>> of the 'ldd' command (e.g., see:
>> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=246762).
>>
>> Setting 'allow_execmem' or 'allow_execstack' via 'setsebool' seems to
>> work around this issue for me.
>>     
>
> Yes, to run vmware, "allow_execstack=1" is enough:
>
> -(yangshao at Nerazzurri:pts/1)----------------------------------------(/workbench/rpmbuild/SRPMS)-(24/24)-
> -(:16:11:$)-> getsebool -a|grep allow_exec
> allow_execheap --> off
> allow_execmem --> off
> allow_execmod --> off
> allow_execstack --> on
>
> BTW, I have posted to this bug; you should receive a mail notification
> about it.
>
>   
>> tom
>>     
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>   
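Added example (not from this thread, VMware, or the Fedora policy): a POSIX shell classifier that parses AVC records like the one Ken quoted and separates the two kinds of denial discussed here, a device node still carrying the generic device_t type (a labeling problem, fixed with restorecon) versus an execstack denial on a process (covered by the allow_execstack boolean Tom and Ken set). The two sample records are constructed, reassembled onto one line, and carry only a subset of the fields a real audit record has.

```shell
#!/bin/sh
# Constructed sample AVC records (not real audit output); the first is
# modelled on the /dev/vmnet0 denial quoted in the thread.
AVC_MISLABEL='avc: denied { read, write } for comm="vmnet-bridge" exe="/usr/bin/vmnet-bridge" path="/dev/vmnet0" scontext=system_u:system_r:vmware_host_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file'
AVC_EXECSTACK='avc: denied { execstack } for comm="vmware" scontext=system_u:system_r:vmware_host_t:s0 tcontext=system_u:system_r:vmware_host_t:s0 tclass=process'

# avc_field RECORD KEY: value of KEY=..., surrounding quotes stripped.
avc_field() {
  printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"'
}

# avc_perms RECORD: the permission list between the braces.
avc_perms() {
  printf '%s\n' "$1" | sed -n 's/.*{ *\(.*[^ ]\) *}.*/\1/p'
}

# ctx_type CONTEXT: the type field of user:role:type:level.
ctx_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# avc_classify RECORD -> mislabel | boolean | policy
#  mislabel: target still has the generic device_t type, i.e. the node was
#            created without its vmware_device_t label (what Ken saw for
#            /dev/vmnet* on tmpfs); a relabel, not a policy change, fixes it.
#  boolean:  execstack denial on a process; the allow_execstack boolean covers it.
#  policy:   anything else needs a real policy change.
avc_classify() {
  case "$(avc_field "$1" tclass):$(avc_perms "$1")" in
    process:*execstack*) echo boolean ;;
    *)
      if [ "$(ctx_type "$(avc_field "$1" tcontext)")" = device_t ]; then
        echo mislabel
      else
        echo policy
      fi ;;
  esac
}

# avc_suggest RECORD: the remediation command for that class.
avc_suggest() {
  case "$(avc_classify "$1")" in
    mislabel) echo "restorecon -v $(avc_field "$1" path)" ;;
    boolean)  echo "setsebool -P allow_execstack 1" ;;
    policy)   echo "review policy for $(avc_field "$1" tclass) $(avc_perms "$1")" ;;
  esac
}

for r in "$AVC_MISLABEL" "$AVC_EXECSTACK"; do avc_suggest "$r"; done
```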