Re: vmware and eclipse avc denied in selinux-policy-targeted-3.0.2-3.fc8.noarch

On 7/10/07, Ken YANG <spng.yang@xxxxxxxxx> wrote:

Hi,

I am on F8 rawhide with selinux-policy-targeted-3.0.2-3.fc8.noarch.

There are some AVC denials about vmware and eclipse:

1 vmware config

After I updated to selinux-policy-targeted-3.0.2-3.fc8.noarch,
I find my vmware must be re-configured every time I run it.

But when I run vmware-config.pl, some AVC denied messages occurred:

avc: denied { read, write } for comm="vmnet-bridge" cwd="/usr/bin" dev=00:10
egid=0 euid=0 exe="/usr/bin/vmnet-bridge" exit=-13 fsgid=0 fsuid=0 gid=0
inode=230929 item=0 items=1 mode=020600 name="vmnet0"
obj=system_u:object_r:device_t:s0 ogid=0 ouid=0 path="/dev/vmnet0" pid=22164
rdev=77:00 scontext=system_u:system_r:vmware_host_t:s0 sgid=0
subj=system_u:system_r:vmware_host_t:s0 suid=0 tclass=chr_file
tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0

......

The other AVC errors are similar; it seems that /dev/vmnet* are mislabeled,
they were all labeled device_t, not vmware_device_t.

IIRC, I installed and configured vmware 6 well, before the merge of
targeted and strict policy, i.e. <selinux-policy-targeted-3.0

I compared the vmware* files between these two policy versions, and I have
not found any changes which would result in these errors.

I also find that /dev on my system is tmpfs, so files on this fs
should be labeled using fs_use_trans.

I want to add type_transition rules to verify my guess, but I don't know
the type of /usr/bin/vmware-config.pl, which is "bin_t" now on my system.


Is there something I missed?

I have VMWare 6.0 running in Rawhide.

I believe it is with 'stock' labeling, but I made the following change
to /usr/lib/vmware/net-services.sh to correct the labeling.  I'm not
sure if there is a better way (e.g., in udev):

[root@localhost vmware]# diff -u net-services.sh.old net-services.sh
--- net-services.sh.old 2007-05-01 21:54:30.000000000 -0700
+++ net-services.sh     2007-07-10 06:55:11.000000000 -0700
@@ -616,6 +616,11 @@
   if [ ! -e "$vDevice" ]; then
      mknod -m 600 "$vDevice" c 119 "$vHubNr"
   fi
+   retval=$?
+   if [ "`isSELinuxEnabled`" = 'yes' ]; then
+      restorecon "$vDevice"
+   fi
+   return $retval
}

# Create a virtual host ethernet interface and connect it to a virtual
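Review bot: `restorecon "$vDevice"` runs unconditionally after the `if`/`fi`, so when `mknod` fails (the case `retval` is meant to report) restorecon is still invoked on a node that was never created; guard it with `[ "$retval" -eq 0 ]` or re-test `-e "$vDevice"`, and consider folding restorecon's own exit status into the return value so a failed relabel is not silently reported as success. Note also that `retval=$?` after `fi` is the status of the whole `if` compound, which is 0 whenever the node already existed, so the function only ever reports mknod failures. The relabel itself only helps if file_contexts already carries an entry for /dev/vmnet*; the denial quoted above (tcontext device_t on /dev/vmnet0) shows the node coming up with the generic tmpfs label at creation, which is exactly what the message's own "e.g., in udev" aside points at: a udev rule applying the label on creation would avoid patching a vendor script that an upgrade will overwrite.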


In addition to the above, there seems to be an issue with vmware's use
of the 'ldd' command (e.g., see:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=246762).

Setting 'allow_execmem' or 'allow_execstack' via 'setsebool' seems to
work around this issue for me.

tom
--
Tom London
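A small triage helper for the AVC record quoted at the top of the thread, added here as an example; it is not code from the thread, from VMware or from the SELinux project. It rejoins the record that the mail archive wrapped across several lines, parses the permission set and the key=value fields, and flags a denial whose target carries a different type than the path is expected to have. The expected-type table (only /dev/vmnet* mapped to vmware_device_t, as the thread states) and the `restorecon` remedy string are assumptions for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample: the AVC record from the thread, copied as the archive
# wrapped it across several lines, followed by the "......" elision marker.
WRAPPED_SAMPLE = """\
avc: denied { read, write } for comm="vmnet-bridge" cwd="/usr/bin" dev=00:10
egid=0 euid=0 exe="/usr/bin/vmnet-bridge" exit=-13 fsgid=0 fsuid=0 gid=0
inode=230929 item=0 items=1 mode=020600 name="vmnet0"
obj=system_u:object_r:device_t:s0 ogid=0 ouid=0 path="/dev/vmnet0" pid=22164
rdev=77:00 scontext=system_u:system_r:vmware_host_t:s0 sgid=0
subj=system_u:system_r:vmware_host_t:s0 suid=0 tclass=chr_file
tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0

......
"""

# "avc: denied { read, write }" -> result word and the permission set
PERMS_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*)\}")
# key=value pairs; values are either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Assumed expectation for this example: the thread says /dev/vmnet* should be
# vmware_device_t, not the generic device_t seen in the denial.
EXPECTED_TYPES = [
    (re.compile(r"^/dev/vmnet\d+$"), "vmware_device_t"),
]


@dataclass
class AvcRecord:
    result: str   # "denied" or "granted"
    perms: list   # e.g. ["read", "write"]
    fields: dict  # remaining key=value pairs, with quotes removed

    def type_of(self, ctx_key):
        """Extract the type component of a user:role:type:level context."""
        return self.fields[ctx_key].split(":")[2]


def split_records(text):
    """Rejoin AVC records a mail client wrapped across several lines.

    A new record starts at each line beginning with 'avc:'; lines carrying
    no key=value pairs (blank lines, the '......' marker) are dropped.
    """
    records, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ("=" not in line and not line.startswith("avc:")):
            continue
        if line.startswith("avc:") and current:
            records.append(" ".join(current))
            current = []
        current.append(line)
    if current:
        records.append(" ".join(current))
    return records


def parse_avc(line):
    """Parse one single-line AVC record into an AvcRecord."""
    m = PERMS_RE.search(line)
    if not m:
        raise ValueError("not an AVC record: %r" % line[:40])
    perms = [p for p in re.split(r"[\s,]+", m.group(2).strip()) if p]
    fields = {}
    for kv in KV_RE.finditer(line[m.end():]):
        key, quoted = kv.group(1), kv.group(3)
        fields[key] = quoted if quoted is not None else kv.group(2)
    return AvcRecord(m.group(1), perms, fields)


def diagnose(rec):
    """Classify a denial as a likely mislabel, or return None.

    A mislabel means the target path is one we expect to carry a specific
    type, but tcontext shows a different one; the remedy is relabeling with
    restorecon rather than adding an allow rule for the wrong type.
    """
    if rec.result != "denied":
        return None
    path = rec.fields.get("path")
    if not path:
        return None
    actual = rec.type_of("tcontext")
    for pattern, expected in EXPECTED_TYPES:
        if pattern.match(path) and actual != expected:
            return {
                "path": path,
                "source": rec.type_of("scontext"),
                "tclass": rec.fields.get("tclass"),
                "perms": rec.perms,
                "actual": actual,
                "expected": expected,
                "remedy": "restorecon -v " + path,
            }
    return None


if __name__ == "__main__":
    for record in split_records(WRAPPED_SAMPLE):
        print(diagnose(parse_avc(record)) or "no mislabel detected")
```

The point of separating "mislabel" from "policy gap" is that the quick fix for a denial, an audit2allow rule letting vmware_host_t read and write device_t, would open every generic device node to the VMware host daemon, while restoring the label keeps the policy as written and fixes only the node that was created with the wrong type.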

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
