Bug 238360
Summary: | SELinux targetted policy blocks VMWare-hgfsmounter from mounting shared disks. | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 5 | Reporter: | Robert Auch <rauch> | |
Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> | |
Status: | CLOSED ERRATA | QA Contact: | ||
Severity: | medium | Docs Contact: | ||
Priority: | medium | |||
Version: | 5.0 | CC: | dwalsh, ebenes, pmuller, qmjxjtu | |
Target Milestone: | --- | |||
Target Release: | --- | |||
Hardware: | All | |||
OS: | Linux | |||
Whiteboard: | ||||
Fixed In Version: | RHBA-2007-0544 | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 504872 (view as bug list) | Environment: | ||
Last Closed: | 2007-11-07 16:39:30 UTC | Type: | --- | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: |
Description
Robert Auch
2007-04-29 19:45:28 UTC
You probably could have done a chcon -t bin_t which would also have fixed this. semanage fcontext -a -t bin_t '/usr/lib/vmware-tools/sbin32(/.*)?' Will make the change survive a relabel. I will add this to the next update release. Found during cleanup. Proposing for 5.1 and PM_ACK as component is already approved. additional SELinx block of VMWare, should be considered with previous posting, due to same-vendor nature: Summary SELinux is preventing vmware-config-t (unconfined_execmem_t) "setattr" to vmware-hgfsmounter (mount_t). Detailed Description SELinux denied access requested by vmware-config-t. It is not expected that this access is required by vmware-config-t and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for vmware-hgfsmounter, restorecon -v vmware-hgfsmounter If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq- fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. Additional Information Source Context user_u:system_r:unconfined_execmem_t Target Context system_u:object_r:mount_t Target Objects vmware-hgfsmounter [ file ] Affected RPM Packages Policy RPM selinux-policy-2.4.6-30.el5 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Permissive Plugin Name plugins.catchall_file Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.18-8.1.3.el5 #1 SMP Mon Apr 16 15:54:12 EDT 2007 i686 i686 Alert Count 2 Line Numbers Raw Audit Messages avc: denied { setattr } for comm="vmware-config-t" dev=dm-0 egid=0 euid=0 exe="/usr/bin/perl" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="vmware- hgfsmounter" pid=3140 scontext=user_u:system_r:unconfined_execmem_t:s0 sgid=0 subj=user_u:system_r:unconfined_execmem_t:s0 suid=0 tclass=file tcontext=system_u:object_r:mount_t:s0 tty=pts1 uid=0 This is because mount_t is a process domain, not a file context. If you want to set the file context on a file that will transition to the mount_t domain, you would need to assign mount_exec_t to the file. In this case I would just assign bin_t to the command. Which is what I have done in selinux-policy-2.4.6-68 Robert, could you try the new policy available at the link below and reply whether the new packages solve your problem. Thank you. http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/ Latest selinux policy, that adds the new rule is available here: http://porkchop.devel.redhat.com/brewroot/packages/selinux-policy/2.4.6/89.el5/ noarch/ Robert, could you please try the new policy available at the link below and reply whether the new packages solve your problem? Thank you. http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/ An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2007-0544.html (In reply to comment #11) > An advisory has been issued which should help the problem > described in this bug report. This report is therefore being > closed with a resolution of ERRATA. For more information > on the solution and/or where to find the updated files, > please follow the link below. You may reopen this bug report > if the solution does not work for you. > > http://rhn.redhat.com/errata/RHBA-2007-0544.html > (In reply to comment #9) > Robert, could you please try the new policy available at the link below and > reply whether the new packages solve your problem? Thank you. > > http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/ I can still hit the bug even if the packages listed in the ERRATA are applied. However, the packages from the link http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/ solved my problem. |