Re: VMWare config issue (Newbie)

On Fri, 2004-06-25 at 14:50, Earl wrote:
> All,
> 
> I'm just learning so forgive the trivial nature of the
> question:
> 
> FC2, Installed VMWare workstation 4.5x, unable to run
> configuration script, just "yum-ed" so I'm up to date,
> relabeled, rebooted, still cannot run configuration
> script...
> [root@host root]# id
> uid=0(root) gid=0(root)
> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
> context=root:sysadm_r:sysadm_t
> [root@host root]# /usr/bin/vmware-config.pl
> Can't open perl script "/usr/bin/vmware-config.pl":
> Permission denied
> [root@host root]# ls -Z /usr/bin/vmware-config.pl
> -r-xr-xr-x+ root     root    
> system_u:object_r:vmware_exec_t 
> /usr/bin/vmware-config.pl
> 
> Looks like a context problem to me but I am unsure
> what to change... my context, that of the script
> itself or modify context files and relabel?
> 
> I have the docs, have been reading, but I have not
> been able to understand some of the general concepts.
> 
> Any advice will be appreciated.

audit2allow -d -l | grep vmware_t should show you the relevant missing
allow statements from the policy.  On FC2, you can then add them to your
policy by doing the following:

yum install policy-sources
cd /etc/security/selinux/src/policy
audit2allow -d -l | grep vmware_t >> domains/misc/local.te
make load

But I'm not clear that vmware-config.pl should be labeled vmware_exec_t
at all (vs. bin_t).  What is the advantage of running the configuration
script in vmware_t vs. sysadm_t?  There are no type transition rules for
vmware_t (except for /var/run files), so it doesn't help keep the
configuration in the right type.  

-- 
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
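
The following is an added example, not part of the original message and not audit2allow's own code: it shows how AVC denial lines map to allow rules, so the output can be reviewed before it is appended to domains/misc/local.te. The log lines are constructed samples, the function names are hypothetical, and the filter matches on source type only, which is narrower than the grep in the reply.

```python
import re
from collections import defaultdict

# Constructed sample kernel log lines (not taken from the original post).
SAMPLE_LOG = """\
audit(1088189401.101:0): avc:  denied  { read } for  pid=2101 exe=/usr/bin/perl name=example.conf dev=hda2 ino=4001 scontext=root:sysadm_r:vmware_t tcontext=system_u:object_r:etc_t tclass=file
audit(1088189401.102:0): avc:  denied  { getattr } for  pid=2101 exe=/usr/bin/perl path=/etc/example.conf dev=hda2 ino=4001 scontext=root:sysadm_r:vmware_t tcontext=system_u:object_r:etc_t tclass=file
audit(1088189402.103:0): avc:  denied  { search } for  pid=2101 exe=/usr/bin/perl name=lib dev=hda2 ino=4002 scontext=root:sysadm_r:vmware_t tcontext=system_u:object_r:lib_t tclass=dir
audit(1088189403.104:0): avc:  denied  { write } for  pid=2200 exe=/usr/bin/example name=log dev=hda2 ino=4003 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:var_log_t tclass=file
audit(1088189404.105:0): avc:  granted  { read } for  pid=2101 scontext=root:sysadm_r:vmware_t tcontext=system_u:object_r:usr_t tclass=file
"""

# Only "denied" records are matched; "granted" records are ignored.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % context)
    return parts[2]


def denials_to_rules(log_text, source_type=None):
    """Merge denials per (source, target, class) and emit one allow rule each."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        src = context_type(m.group("scon"))
        if source_type is not None and src != source_type:
            continue  # same intent as the "grep vmware_t" step
        key = (src, context_type(m.group("tcon")), m.group("tclass"))
        grouped[key].update(m.group("perms").split())
    return [
        "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
        for (src, tgt, cls), perms in sorted(grouped.items())
    ]


if __name__ == "__main__":
    # Print the candidate rules for review instead of writing them to policy.
    print("\n".join(denials_to_rules(SAMPLE_LOG, "vmware_t")))
```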

