Hello.
I've been using Fedora and SELinux for over a year now. And so far I've been able to successfully confine some apps with SELinux context types; however, now I seem to be facing a challenge since I can't get the vmware process to work under the vmware_t domain.
The process however does transition correctly toward vmware_t, but even when I have granted the proper permissions, vmware isn't finding the kernel modules, hence not starting.
Nonetheless I can successfully run the vmware process under the staff_t domain, of course by granting the proper permission through a SELinux module.
Specifically the permission needed to do this under staff_t is:
allow vmware_t modules_object_t:file { getattr read open map };
Which allows me to correctly run vmware within the staff_t domain.
This doesn't happen at all if I attempt to use either the vmware_t or the user_t domain, even though audit2allow doesn't reveal any AVC denial preventing any of these domains from mapping the modules_object_t domain. I've also gone through audit.log and there's nothing preventing the mapping or access to that particular domain.
Currently I'm using the Kernel 4.11.8 for Fedora 27 and vmware works fine except when I try to run the process under vmware_t.
I'm lost at this point. And I'm sure this is a SELinux issue, since if I set it to permissive vmware runs properly, but again, and with the module in place granting access, audit2allow doesn't reveal anything.
I will greatly appreciate any help or advice in this matter.
Best Regards.
James.
_______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx