Re: VMware + SELinux

I saw the additions to file_contexts in policy 1.11.2-9 and thought I'd give it another try ;)

With enforce=1, vmware-config.pl produces
[root@Purgatory log]# vmware-config.pl
Can't open perl script "/usr/bin/vmware-config.pl": Permission denied

Apr 20 17:36:08 Purgatory kernel: audit(1082496968.198:0): avc: denied { read } for pid=4273 exe=/usr/bin/perl name=urandom dev=hda2 ino=596039 scontext=root:system_r:vmware_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Apr 20 17:36:08 Purgatory kernel: audit(1082496968.199:0): avc: denied { search } for pid=4273 exe=/usr/bin/perl name=bin dev=hda2 ino=1126081 scontext=root:system_r:vmware_t tcontext=system_u:object_r:bin_t tclass=dir



With enforce=0, vmware-config.pl works OK and also starts the VMware services alright.
So this works! (see attached file of /var/log/messages)


(But ..) the problem occurs again if there is a change in the enforcing mode (either with a restart or setenforce=1).

[root@Purgatory log]# service vmware stop

Apr 20 17:44:15 Purgatory kernel: audit(1082497454.955:0): avc: denied { search } for pid=5411 comm=vmnet-netifup name=vmnet1 dev= ino=25998 scontext=root:system_r:vmware_t tcontext=system_u:object_r:sysfs_t tclass=dir
Apr 20 17:44:16 Purgatory kernel: audit(1082497456.081:0): avc: denied { unlink } for pid=5136 exe=/usr/bin/vmnet-natd name=vmnat.5136 dev=hda2 ino=2105474 scontext=root:system_r:vmware_t tcontext=root:object_r:var_run_t tclass=sock_file


[root@Purgatory log]# setenforce 1
[root@Purgatory log]# service vmware start
Starting VMware services:
   Virtual machine monitor                                 [  OK  ]
   Virtual ethernet                                        [  OK  ]
   Bridged networking on /dev/vmnet0                       [FAILED]
   Host-only networking on /dev/vmnet1 (background)        [  OK  ]
   Host-only networking on /dev/vmnet8 (background)        [  OK  ]
   NAT networking on /dev/vmnet8                           [FAILED]

Apr 20 17:45:46 Purgatory kernel: audit(1082497546.084:0): avc: granted { setenforce } for pid=5869 exe=/usr/bin/setenforce scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t tclass=security
Apr 20 17:46:00 Purgatory kernel: vmmon: module license 'unspecified' taints kernel.
Apr 20 17:46:01 Purgatory kernel: parport0: PC-style at 0x3bc (0x7bc) [PCSPP,TRISTATE]
Apr 20 17:46:01 Purgatory kernel: parport0: irq 7 detected
Apr 20 17:46:01 Purgatory kernel: vmnet: module license 'unspecified' taints kernel.
Apr 20 17:46:01 Purgatory kernel: audit(1082497561.203:0): avc: denied { read write } for pid=5911 exe=/usr/bin/vmnet-bridge name=vmnet0 dev=hda2 ino=588039 scontext=root:system_r:vmware_t tcontext=root:object_r:device_t tclass=chr_file
Apr 20 17:46:01 Purgatory kernel: audit(1082497561.454:0): avc: denied { read write } for pid=5933 exe=/usr/bin/vmnet-natd name=vmnet8 dev=hda2 ino=587693 scontext=root:system_r:vmware_t tcontext=root:object_r:device_t tclass=chr_file
Apr 20 17:46:11 Purgatory kernel: audit(1082497571.268:0): avc: denied { read write } for pid=6190 exe=/usr/bin/vmnet-netifup name=vmnet1 dev=hda2 ino=587685 scontext=root:system_r:vmware_t tcontext=root:object_r:device_t tclass=chr_file
Apr 20 17:46:11 Purgatory VMware[init]: /dev/vmnet1: Permission denied
Apr 20 17:46:11 Purgatory kernel: audit(1082497571.354:0): avc: denied { read write } for pid=6191 exe=/usr/bin/vmnet-netifup name=vmnet8 dev=hda2 ino=587693 scontext=root:system_r:vmware_t tcontext=root:object_r:device_t tclass=chr_file
Apr 20 17:46:11 Purgatory VMware[init]: /dev/vmnet8: Permission denied


If I restart (with kernel parameter enforcing=1)

[root@Purgatory log]# service vmware start
VMware Workstation is installed, but it has not been (correctly) configured
for the running kernel. To (re-)configure it, invoke the
following command: /usr/bin/vmware-config.pl.

And we're back to square 1!
Hope all this helps, it took a while to get all the messages off ;)


Attachment: vmware.log
Description: Binary data
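To read a batch of AVC records like the ones quoted in this message, it helps to reduce them to the (source type, target type, object class) triples and the permission sets that were refused, which is the same view audit2allow builds before proposing allow rules. The script below is an added example, not part of the original post or of the reference policy; it embeds a constructed excerpt of the AVC lines from the message and ignores the non-AVC kernel lines between them.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records copied from the message above, plus one
# unrelated kernel line to show that non-AVC noise is skipped.
SAMPLE_LOG = """\
Apr 20 17:36:08 Purgatory kernel: audit(1082496968.198:0): avc: denied { read } for pid=4273 exe=/usr/bin/perl name=urandom dev=hda2 ino=596039 scontext=root:system_r:vmware_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Apr 20 17:36:08 Purgatory kernel: audit(1082496968.199:0): avc: denied { search } for pid=4273 exe=/usr/bin/perl name=bin dev=hda2 ino=1126081 scontext=root:system_r:vmware_t tcontext=system_u:object_r:bin_t tclass=dir
Apr 20 17:45:46 Purgatory kernel: audit(1082497546.084:0): avc: granted { setenforce } for pid=5869 exe=/usr/bin/setenforce scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t tclass=security
Apr 20 17:46:00 Purgatory kernel: vmmon: module license 'unspecified' taints kernel.
Apr 20 17:46:01 Purgatory kernel: audit(1082497561.203:0): avc: denied { read write } for pid=5911 exe=/usr/bin/vmnet-bridge name=vmnet0 dev=hda2 ino=588039 scontext=root:system_r:vmware_t tcontext=root:object_r:device_t tclass=chr_file
Apr 20 17:46:11 Purgatory kernel: audit(1082497571.268:0): avc: denied { read write } for pid=6190 exe=/usr/bin/vmnet-netifup name=vmnet1 dev=hda2 ino=587685 scontext=root:system_r:vmware_t tcontext=root:object_r:device_t tclass=chr_file
"""

# Fields of a 2.6-era AVC record: verdict, permission set, then the contexts.
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\w+)"
)


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    # A context is user:role:type; only the type takes part in a TE rule.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec


def summarize_denials(log_text):
    """Merge denied permissions per (source type, target type, class)."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            key = (rec["source_type"], rec["target_type"], rec["tclass"])
            needed[key].update(rec["perms"])
    return {k: sorted(v) for k, v in needed.items()}


def as_te_rules(summary):
    """Render the summary as allow rules, one per triple, for review."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
            for (s, t, c), p in sorted(summary.items())]
```

Each rendered rule is a candidate to check against the intended domain boundaries (vmware_t reaching device_t covers far more than /dev/vmnet*, so a dedicated type or file_contexts entry is the narrower fix), not something to load as-is.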

