Tom London wrote:
> On 7/10/07, Ken YANG <spng.yang@xxxxxxxxx> wrote:
>>
>> hi,
>>
>> I am on F8 rawhide with selinux-policy-targeted-3.0.2-3.fc8.noarch.
>>
>> There are some AVC denials about vmware and eclipse:
>>
>> 1 vmware config
>>
>> After I updated to selinux-policy-targeted-3.0.2-3.fc8.noarch,
>> I find my vmware must be reconfigured every time I run it.
>>
>> But when I run vmware-config.pl, some AVC denied messages occurred:
>>
>> avc: denied { read, write } for comm="vmnet-bridge" cwd="/usr/bin" dev=00:10
>> egid=0 euid=0 exe="/usr/bin/vmnet-bridge" exit=-13 fsgid=0 fsuid=0 gid=0
>> inode=230929 item=0 items=1 mode=020600 name="vmnet0"
>> obj=system_u:object_r:device_t:s0 ogid=0 ouid=0 path="/dev/vmnet0" pid=22164
>> rdev=77:00 scontext=system_u:system_r:vmware_host_t:s0 sgid=0
>> subj=system_u:system_r:vmware_host_t:s0 suid=0 tclass=chr_file
>> tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0
>>
>> ......
>>
>> The other AVC errors are similar; it seemed that /dev/vmnet* are mislabeled,
>> they were all labeled device_t, not vmware_device_t.
>>
>> IIRC, I installed and configured vmware 6 well, before the merge of
>> targeted and strict policy, i.e. <selinux-policy-targeted-3.0.
>>
>> I compared the vmware* between these two versions of the policy, and I
>> did not find any changes which would result in these errors.
>>
>> I also find the /dev in my system is tmpfs, so the files on this fs
>> should be labeled using fs_use_trans.
>>
>> I want to add type_transition rules to verify my guess, but I don't know
>> the type of /usr/bin/vmware-config.pl, which is "bin_t" now in my system.
>>
>> Is there something I missed?
>>
> I have VMWare 6.0 running in Rawhide.
>
> I believe it is with 'stock' labeling, but I made the following change
> to /usr/lib/vmware/net-services.sh to correct the labeling.
> I'm not sure if there is a better way (e.g., in udev):
>
> [root@localhost vmware]# diff -u net-services.sh.old net-services.sh
> --- net-services.sh.old 2007-05-01 21:54:30.000000000 -0700
> +++ net-services.sh 2007-07-10 06:55:11.000000000 -0700
> @@ -616,6 +616,11 @@
> if [ ! -e "$vDevice" ]; then
> mknod -m 600 "$vDevice" c 119 "$vHubNr"
> fi
> + retval=$?
> + if [ "`isSELinuxEnabled`" = 'yes' ]; then
> + restorecon "$vDevice"
> + fi
> + return $retval
> }
>
> # Create a virtual host ethernet interface and connect it to a virtual
>
> thanks, tom

"file_context" has the right label for /dev/vmnet*, so we can use restorecon to fix this error.

I think this is a vmware bug, which does not use the SELinux API. But I wonder why vmware worked well in selinux-policy-targeted-2.6.5-2.fc8 and fails in the new 3.0 (merged) policy?

I am learning the differences between the 2.6.5 and 3.0 policy, hoping to find some hints.

> In addition to the above, there seems to be an issue with vmware's use
> of the 'ldd' command (e.g., see:
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=246762).
>
> Setting 'allow_execmem' or 'allow_execstack' via 'setsebool' seems to
> work around this issue for me.

Yes, to run vmware, "allow_execstack=1" is enough:

-(yangshao@Nerazzurri:pts/1)----------------------------------------(/workbench/rpmbuild/SRPMS)-(24/24)-
-(:16:11:$)-> getsebool -a|grep allow_exec
allow_execheap --> off
allow_execmem --> off
allow_execmod --> off
allow_execstack --> on

BTW, I have posted to this bug; you should receive mail notification about this bug.

> tom

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
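Review bot: in the net-services.sh hunk, `restorecon "$vDevice"` runs after the `fi` on every call, including when `mknod` has just failed and the node does not exist, and its exit status is discarded; because `retval=$?` sits after the `fi`, it carries mknod's status only on the creation path and is 0 whenever the device already existed, so a failed relabel never reaches the caller. Suggest guarding the relabel on the node's existence and folding its status into the return value, e.g. `if [ -e "$vDevice" ] && [ "`isSELinuxEnabled`" = 'yes' ]; then restorecon "$vDevice" || retval=$?; fi`. The hunk also assumes an `isSELinuxEnabled` helper that is not shown; if that function is not defined in net-services.sh the backquoted call prints a "command not found" error and the comparison quietly fails, skipping the relabel. Relabelling a node that already existed is the useful part of this change (it corrects the device_t label the thread complains about), so keep that path and only skip the failed-mknod one.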
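The triage in this thread (read the AVC record, notice the target is still the generic device_t, conclude that file_contexts is right and restorecon is the fix) can be scripted. The following is an added example written for this page, not code from the thread or from the VMware scripts: it extracts the path, tclass and tcontext fields from "avc: denied" records in the format shown above, and for device nodes still labelled device_t prints the restorecon that would apply the label from file_contexts. The two sample records are constructed for the example (the second one, already vmware_device_t, shows the non-labelling case); the function names avc_field, avc_ttype, needs_relabel and relabel_plan are the example's own.

```shell
#!/bin/sh
# Triage AVC denials of the kind quoted in the thread.  Sample records are
# constructed for this example, modelled on the vmnet-bridge denial above;
# the second record is already correctly labelled so it must not be touched.

SAMPLE_AVC='avc: denied { read, write } for comm="vmnet-bridge" path="/dev/vmnet0" scontext=system_u:system_r:vmware_host_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
avc: denied { read } for comm="vmnet-natd" path="/dev/vmnet8" scontext=system_u:system_r:vmware_host_t:s0 tcontext=system_u:object_r:vmware_device_t:s0 tclass=chr_file'

# avc_field RECORD KEY -> value of KEY=... with surrounding quotes stripped;
# prints nothing when the key is absent.  The key must be preceded by
# whitespace, so "scontext" does not match a lookup for "context".
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_ttype RECORD -> type component of tcontext (user:role:type:level)
avc_ttype() {
    avc_field "$1" tcontext | cut -d: -f3
}

# needs_relabel RECORD -> 0 when the denial is on a device node whose target
# still carries the generic device_t label (the mislabel from the thread),
# 1 for any other object class or any other label.
needs_relabel() {
    case "$(avc_field "$1" tclass)" in
        chr_file|blk_file) ;;
        *) return 1 ;;
    esac
    [ "$(avc_ttype "$1")" = device_t ]
}

# relabel_plan: read records on stdin; print the restorecon that would fix a
# device_t node, and a comment for records that are not labelling problems.
# Nothing is executed, so the output can be reviewed before running it.
relabel_plan() {
    while IFS= read -r rec; do
        p=$(avc_field "$rec" path)
        [ -n "$p" ] || continue
        if needs_relabel "$rec"; then
            printf 'restorecon -v %s\n' "$p"
        else
            printf '# %s is %s; not a labelling problem\n' "$p" "$(avc_ttype "$rec")"
        fi
    done
}

printf '%s\n' "$SAMPLE_AVC" | relabel_plan
```

On a real host, feed it the raw records instead of the sample (for example `ausearch -m avc -ts recent --raw | grep 'avc: denied' | relabel_plan`) and run the printed restorecon lines once they look right. Denials whose target is already vmware_device_t are not labelling problems; for those, look at the policy or the booleans, as with the allow_execstack case in the thread.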