Re: vmware and eclipse avc denied in selinux-policy-targeted-3.0.2-3.fc8.noarch

Ken YANG wrote:
Tom London wrote:
On 7/10/07, Ken YANG <spng.yang@xxxxxxxxx> wrote:
hi,

i am in f8 rawhide with selinux-policy-targeted-3.0.2-3.fc8.noarch

there are some avc denied about vmware and eclipse:

1 vmware config

after I updated to selinux-policy-targeted-3.0.2-3.fc8.noarch,
I find my vmware must be re-configured every time I run it.

but when I run vmware-config.pl, some avc denied messages occurred:

avc: denied { read, write } for comm="vmnet-bridge" cwd="/usr/bin"
dev=00:10
egid=0 euid=0 exe="/usr/bin/vmnet-bridge" exit=-13 fsgid=0 fsuid=0 gid=0
inode=230929 item=0 items=1 mode=020600 name="vmnet0"
obj=system_u:object_r:device_t:s0 ogid=0 ouid=0 path="/dev/vmnet0"
pid=22164
rdev=77:00 scontext=system_u:system_r:vmware_host_t:s0 sgid=0
subj=system_u:system_r:vmware_host_t:s0 suid=0 tclass=chr_file
tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0

......

other avc errors are similar; it seemed that /dev/vmnet* are mislabeled,
they were all labeled device_t, not vmware_device_t.

IIRC, I installed and configured vmware 6 well before the merge of
targeted and strict policy, i.e. <selinux-policy-targeted-3.0

I had compared the vmware* between these two versions of the policy, and I had
not found any changes which would result in these errors.

I also find the /dev in my system is tmpfs, so the files on this fs
should be labeled using fs_use_trans.

I want to add type_transition rules to verify my guess, but I don't know
the type of /usr/bin/vmware-config.pl, which is "bin_t" now in my system


is there something i missed?

I have VMWare 6.0 running in Rawhide.

I believe it is with 'stock' labeling, but I made the following change
to /usr/lib/vmware/net-services.sh to correct the labeling.  I'm not
sure if there is a better way (e.g., in udev):

[root@localhost vmware]# diff -u net-services.sh.old net-services.sh
--- net-services.sh.old 2007-05-01 21:54:30.000000000 -0700
+++ net-services.sh     2007-07-10 06:55:11.000000000 -0700
@@ -616,6 +616,11 @@
   if [ ! -e "$vDevice" ]; then
      mknod -m 600 "$vDevice" c 119 "$vHubNr"
   fi
+   retval=$?
+   if [ "`isSELinuxEnabled`" = 'yes' ]; then
+      restorecon "$vDevice"
+   fi
+   return $retval
}

# Create a virtual host ethernet interface and connect it to a virtual
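Review bot: the return value in this hunk ignores the result of `restorecon`: `retval=$?` is captured right after the `fi`, so it holds mknod's status only when the node was just created (and 0 when it already existed), and a `restorecon` that fails or leaves the node mislabeled still lets the function return success. Consider running `restorecon` only when `$retval` is 0 and folding its status in, e.g. `[ "$retval" -eq 0 ] && restorecon "$vDevice"; retval=$?` inside the SELinux branch. The `isSELinuxEnabled` helper is not defined in the visible lines, so the patch should state where it comes from.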


thanks, tom

"file_context" has the right label for /dev/vmnet*, so we can use
restorecon to fix this error.

I think this is a vmware bug, which does not use the SELinux API.

but I wonder why vmware works well in selinux-policy-targeted-2.6.5-2.fc8
and fails in the new 3.0 (merged) policy?

I am learning the differences between the 2.6.5 and 3.0 policy, hoping
to find some hints

We were not using vmware policy in fc7. So it ran unconfined. Now we are attempting to confine it.
In addition to the above, there seems to be an issue with vmware's use
of the 'ldd' command (e.g., see:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=246762).

Setting 'allow_execmem' or 'allow_execstack' via 'setsebool' seems to
work around this issue for me.

yes, to run vmware, "allow_execstack=1" is enough:

-(yangshao@Nerazzurri:pts/1)----------------------------------------(/workbench/rpmbuild/SRPMS)-(24/24)-
-(:16:11:$)-> getsebool -a|grep allow_exec
allow_execheap --> off
allow_execmem --> off
allow_execmod --> off
allow_execstack --> on

BTW, I have posted to this bug, you should receive mail notification
about this bug.

tom
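The AVC record quoted above makes the same point the thread reaches by hand: a confined domain (vmware_host_t) was denied access to an object still carrying the generic device_t type, which signals a labeling problem to fix with restorecon rather than a missing allow rule. The following parser is an added example, not code from the thread or from the selinux-policy package; the sample record is the one quoted in the thread joined onto one line (its comma-separated permission list is kept as written), and the set of "generic fallback" types treated as a mislabel indicator is an assumption for the heuristic.

```python
import re

# Constructed sample: the AVC denial quoted in the thread, joined onto one line.
SAMPLE_AVC = (
    'avc: denied { read, write } for comm="vmnet-bridge" cwd="/usr/bin" '
    'dev=00:10 egid=0 euid=0 exe="/usr/bin/vmnet-bridge" exit=-13 '
    'name="vmnet0" path="/dev/vmnet0" pid=22164 rdev=77:00 '
    'scontext=system_u:system_r:vmware_host_t:s0 tclass=chr_file '
    'tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0'
)

# "avc: denied { perms } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_avc(line):
    """Parse one AVC denial into a dict of fields; None if it is not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, value, quoted in KV_RE.findall(m.group('rest')):
        fields[key] = quoted if value.startswith('"') else value
    # Real audit records separate permissions with spaces; the mail shows commas.
    fields['perms'] = [p.strip(',') for p in m.group('perms').split() if p.strip(',')]
    return fields


def selinux_type(context):
    """Return the type component of a user:role:type:level context string."""
    return context.split(':')[2]


# Assumed heuristic: these fallback types on a denied object usually mean the
# object lost its intended label (e.g. a freshly created node on tmpfs /dev).
GENERIC_TYPES = ('device_t', 'file_t', 'unlabeled_t', 'default_t')


def triage(avc):
    """Decide whether a denial looks like a mislabel (restorecon) or a policy gap."""
    stype = selinux_type(avc['scontext'])
    ttype = selinux_type(avc['tcontext'])
    target = avc.get('path') or avc.get('name') or '?'
    perms = ' '.join(avc['perms'])
    if ttype in GENERIC_TYPES:
        return f"{target}: {ttype} is a generic type; run restorecon on it"
    return f"{stype} -> {ttype} ({avc.get('tclass')}) denied {perms}: consider a policy change"


if __name__ == '__main__':
    print(triage(parse_avc(SAMPLE_AVC)))
```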

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
