Bug 238360
| Summary: | SELinux targetted policy blocks VMWare-hgfsmounter from mounting shared disks. | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Robert Auch <rauch> | |
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> | |
| Status: | CLOSED ERRATA | QA Contact: | ||
| Severity: | medium | Docs Contact: | ||
| Priority: | medium | |||
| Version: | 5.0 | CC: | dwalsh, ebenes, pmuller, qmjxjtu | |
| Target Milestone: | --- | |||
| Target Release: | --- | |||
| Hardware: | All | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | RHBA-2007-0544 | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 504872 (view as bug list) | Environment: | ||
| Last Closed: | 2007-11-07 16:39:30 UTC | Type: | --- | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
You probably could have done a chcon -t bin_t which would also have fixed this. semanage fcontext -a -t bin_t '/usr/lib/vmware-tools/sbin32(/.*)?' Will make the change survive a relabel. I will add this to the next update release. Found during cleanup. Proposing for 5.1 and PM_ACK as component is already approved. additional SELinx block of VMWare, should be considered with previous posting,
due to same-vendor nature:
Summary
SELinux is preventing vmware-config-t (unconfined_execmem_t) "setattr" to
vmware-hgfsmounter (mount_t).
Detailed Description
SELinux denied access requested by vmware-config-t. It is not expected that
this access is required by vmware-config-t and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.
Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for vmware-hgfsmounter, restorecon
-v vmware-hgfsmounter If this does not work, there is currently no automatic
way to allow this access. Instead, you can generate a local policy module
to allow this access - see http://fedora.redhat.com/docs/selinux-faq-
fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling
SELinux protection is not recommended. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
Additional Information
Source Context user_u:system_r:unconfined_execmem_t
Target Context system_u:object_r:mount_t
Target Objects vmware-hgfsmounter [ file ]
Affected RPM Packages
Policy RPM selinux-policy-2.4.6-30.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name plugins.catchall_file
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.18-8.1.3.el5 #1
SMP Mon Apr 16 15:54:12 EDT 2007 i686 i686
Alert Count 2
Line Numbers
Raw Audit Messages
avc: denied { setattr } for comm="vmware-config-t" dev=dm-0 egid=0 euid=0
exe="/usr/bin/perl" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="vmware-
hgfsmounter" pid=3140 scontext=user_u:system_r:unconfined_execmem_t:s0 sgid=0
subj=user_u:system_r:unconfined_execmem_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:mount_t:s0 tty=pts1 uid=0
This is because mount_t is a process domain, not a file context. If you want to set the file context on a file that will transition to the mount_t domain, you would need to assign mount_exec_t to the file. In this case I would just assign bin_t to the command. Which is what I have done in selinux-policy-2.4.6-68 Robert, could you try the new policy available at the link below and reply whether the new packages solve your problem. Thank you. http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/ Latest selinux policy, that adds the new rule is available here: http://porkchop.devel.redhat.com/brewroot/packages/selinux-policy/2.4.6/89.el5/ noarch/ Robert, could you please try the new policy available at the link below and reply whether the new packages solve your problem? Thank you. http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/ An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2007-0544.html (In reply to comment #11) > An advisory has been issued which should help the problem > described in this bug report. This report is therefore being > closed with a resolution of ERRATA. For more information > on the solution and/or where to find the updated files, > please follow the link below. You may reopen this bug report > if the solution does not work for you. > > http://rhn.redhat.com/errata/RHBA-2007-0544.html > (In reply to comment #9) > Robert, could you please try the new policy available at the link below and > reply whether the new packages solve your problem? Thank you. > > http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/ I can still hit the bug even if the packages listed in the ERRATA are applied. However, the packages from the link http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/ solved my problem. |
Description of problem: SELinux won't allow "chcon -t mount_t /usr/lib/vmware-tools/sbin32/vmware-hgfsmounter". Without "vmware-hgfsmounter" being set as "mount_t", it can't mount VMWare "Shared disks" unless SELinux is in "permissive" mode. To get around this as a test, I did the following: [rauch@localhost sbin32]$ sudo setenforce permissive [rauch@localhost sbin32]$ sudo chcon -t mount_t vmware-hgfsmounter [rauch@localhost sbin32]$ sudo setenforce 1 [rauch@localhost sbin32]$ getenforce Enforcing Will post status after a reboot. Version-Release number of selected component (if applicable): Linux localhost.localdomain 2.6.18-8.1.1.el5 #1 SMP Mon Feb 26 20:38:02 EST 2007 i686 i686 i386 GNU/Linux How reproducible: Every reboot. Steps to Reproduce: 1. Reboot VMWare Workstation 6 or 5.5 guest with shared disks enabled and auto-mounted (settings in VMWare software) 2. 3. Actual results: SELinux blocks access: Summary SELinux prevented /bin/mount from mounting on the file or directory "/usr/lib/vmware-tools/sbin32/vmware-hgfsmounter" (type "lib_t"). Detailed Description SELinux prevented /bin/mount from mounting a filesystem on the file or directory "/usr/lib/vmware-tools/sbin32/vmware-hgfsmounter" of type "lib_t". By default SELinux limits the mounting of filesystems to only some files or directories (those with types that have the mountpoint attribute). The type "lib_t" does not have this attribute. You can either relabel the file or directory or set the boolean "allow_mount_anyfile" to true to allow mounting on any file or directory. Allowing Access Changing the "allow_mount_anyfile" boolean to true will allow this access: "setsebool -P allow_mount_anyfile=1." The following command will allow this access: setsebool -P allow_mount_anyfile=1 Additional Information Source Context system_u:system_r:mount_t Target Context system_u:object_r:lib_t Target Objects /usr/lib/vmware-tools/sbin32/vmware-hgfsmounter [ file ] Affected RPM Packages util-linux-2.13-0.44.el5 [application]VMwareTools-7236-42757 [target] Policy RPM selinux-policy-2.4.6-30.el5 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name plugins.allow_mount_anyfile Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.18-8.1.1.el5 #1 SMP Mon Feb 26 20:38:02 EST 2007 i686 i686 Alert Count 1 Line Numbers Raw Audit Messages avc: denied { execute_no_trans } for comm="mount" dev=dm-0 egid=0 euid=0 exe="/bin/mount" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="vmware- hgfsmounter" path="/usr/lib/vmware-tools/sbin32/vmware-hgfsmounter" pid=2367 scontext=system_u:system_r:mount_t:s0 sgid=0 subj=system_u:system_r:mount_t:s0 suid=0 tclass=file tcontext=system_u:object_r:lib_t:s0 tty=(none) uid=0 Expected results: Expected to see /mnt/vmware-home pointing to my host OS home directory.