On Tue, 6 Apr 2004 21:19, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> > Apr 5 21:07:45 ibmlaptop kernel: audit(1081235265.089:0): avc:
> > denied { search } for pid=12493 exe=/sbin/dhclient name=lib dev=hda2
> > ino=1389922 scontext=root:system_r:dhcpc_t
> > tcontext=system_u:object_r:home_root_t tclass=dir
>
> Added policy to allow this, but not sure what it is trying to do. Could
> you try it in non-enforcing mode and grab the avc messages.

Looks like /var/lib is mis-labeled as home_root_t. Relabeling the file
system is probably the best thing to do.

> > 5) This is vmware from the VMWare WS 4.5.1 service startup. The
> > issues are ... complicated, numerous, and scary looking.
> >
> > Apr 5 21:06:08 ibmlaptop kernel: audit(1081235168.858:0): avc:
> > denied { search } for pid=1909 exe=/usr/bin/vmnet-netifup name=net
> > dev= ino=344 scontext=system_u:system_r:vmware_t
> > tcontext=system_u:object_r:sysfs_t tclass=dir
> > Apr 5 21:06:08 ibmlaptop kernel: audit(1081235168.867:0): avc:
> > denied { search } for pid=1910 exe=/usr/bin/vmnet-netifup name=net
> > dev= ino=344 scontext=system_u:system_r:vmware_t
> > tcontext=system_u:object_r:sysfs_t tclass=dir
> > Apr 5 21:06:09 ibmlaptop kernel: audit(1081235169.047:0): avc:
> > denied { node_bind } for pid=1931 exe=/usr/bin/vmnet-natd
> > scontext=system_u:system_r:vmware_t
> > tcontext=system_u:object_r:node_inaddr_any_t tclass=rawip_socket
> > Apr 5 21:06:09 ibmlaptop kernel: audit(1081235169.048:0): avc:
> > denied { create } for pid=1931 exe=/usr/bin/vmnet-natd
> > name=vmnat.1931 scontext=system_u:system_r:vmware_t
> > tcontext=system_u:object_r:var_run_t tclass=sock_file

The problem here is that we don't have any distinction between vmware
processes started by the user and the vmware daemons. Probably the best
thing to do is to entirely re-write the vmware policy to fix this and the
other problems.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
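
Added example, not part of the original message or of any SELinux tool: a small parser for the AVC denial format quoted above that groups denials by source type, target type and object class, so it is easy to see which executables share a domain. The function names are hypothetical; the sample lines are the denials from this message, rejoined one per line.

```python
import re
from collections import defaultdict

# Denials quoted in the message above, rejoined one per line as syslog writes them.
SAMPLE = """\
Apr 5 21:07:45 ibmlaptop kernel: audit(1081235265.089:0): avc: denied { search } for pid=12493 exe=/sbin/dhclient name=lib dev=hda2 ino=1389922 scontext=root:system_r:dhcpc_t tcontext=system_u:object_r:home_root_t tclass=dir
Apr 5 21:06:08 ibmlaptop kernel: audit(1081235168.858:0): avc: denied { search } for pid=1909 exe=/usr/bin/vmnet-netifup name=net dev= ino=344 scontext=system_u:system_r:vmware_t tcontext=system_u:object_r:sysfs_t tclass=dir
Apr 5 21:06:08 ibmlaptop kernel: audit(1081235168.867:0): avc: denied { search } for pid=1910 exe=/usr/bin/vmnet-netifup name=net dev= ino=344 scontext=system_u:system_r:vmware_t tcontext=system_u:object_r:sysfs_t tclass=dir
Apr 5 21:06:09 ibmlaptop kernel: audit(1081235169.047:0): avc: denied { node_bind } for pid=1931 exe=/usr/bin/vmnet-natd scontext=system_u:system_r:vmware_t tcontext=system_u:object_r:node_inaddr_any_t tclass=rawip_socket
Apr 5 21:06:09 ibmlaptop kernel: audit(1081235169.048:0): avc: denied { create } for pid=1931 exe=/usr/bin/vmnet-natd name=vmnat.1931 scontext=system_u:system_r:vmware_t tcontext=system_u:object_r:var_run_t tclass=sock_file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # value may be empty, e.g. "dev="


def parse_avc(line):
    """Return the denial's fields as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["perms"] = m.group("perms").split()
    return rec


def type_of(context):
    """Type is the third field of user:role:type (any trailing MLS level is ignored)."""
    return context.split(":")[2]


def summarize(text):
    """Group denials by (source type, target type, class); collect perms and executables."""
    perms, exes = defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or not {"scontext", "tcontext", "tclass"} <= rec.keys():
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        perms[key].update(rec["perms"])
        exes[key].add(rec.get("exe", "?"))
    return dict(perms), dict(exes)


if __name__ == "__main__":
    perms, exes = summarize(SAMPLE)
    for (src, tgt, cls), p in sorted(perms.items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(p))} }}  exe: {', '.join(sorted(exes[(src, tgt, cls)]))}")
```

The summary is a triage aid rather than a list of rules to allow: the dhcpc_t to home_root_t row is the denial the reply attributes to a mislabeled /var/lib, which is fixed by relabeling, not by policy.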