Bug 403631
| Summary: | selinux-policy in F8 breaks VMWare Workstation | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Ben Webb <ben> |
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 8 | CC: | goodyca48 |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Current | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2008-01-30 19:19:15 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
You can allow this for now by executing # audit2allow -M mypol -i /var/log/audit/audit.log # semodule -i mypol.pp Fixed in selinux-policy-3.0.8-63.fc8 Bulk closing all bugs in Fedora updates in the modified state. If you bug is not fixed, please reopen. |
Description of problem: On updating from F7 to F8, VMWare workstation (4.5.3.19414) no longer works - it is prevented from doing so by selinux-policy. Running in permissive mode allows vmware to function normally. Version-Release number of selected component (if applicable): selinux-policy-targeted-3.0.8-56.fc8 How reproducible: Always. Steps to Reproduce: 1. Set SELinux enforcing mode. 2. Start VMWare workstation. 3. Start a guest OS and try to access the host's filesystem (which uses vmware-smbd). Actual results: Step 3 hangs, while on the host avc denials are logged: Nov 21 12:02:56 synth kernel: audit(1195675376.553:754248): avc: denied { accept } for pid=26272 comm="vmware-smbd" laddr=172.16.196.1 lport=139 scontext=system_u:system_r:vmware_host_t:s0 tcontext=system_u:system_r:vmware_host_t:s0 tclass=tcp_socket (this continues indefinitely until vmware is killed or selinux is disabled) In permissive mode, something like the following occurs instead: Nov 27 11:58:06 synth kernel: audit(1196193486.147:16558306): avc: denied { accept } for pid=26272 comm="vmware-smbd" laddr=172.16.196.1 lport=139 scontext=system_u:system_r:vmware_host_t:s0 tcontext=system_u:system_r:vmware_host_t:s0 tclass=tcp_socket Nov 27 11:58:06 synth kernel: audit(1196193486.148:16558307): avc: denied { read } for pid=572 comm="vmware-smbd" path="/dev/urandom" dev=tmpfs ino=2237 scontext=system_u:system_r:vmware_host_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file Nov 27 11:58:06 synth kernel: audit(1196193486.508:16558308): avc: denied { setgid } for pid=572 comm="vmware-smbd" capability=6 scontext=system_u:system_r:vmware_host_t:s0 tcontext=system_u:system_r:vmware_host_t:s0 tclass=capability Nov 27 11:58:06 synth kernel: audit(1196193486.553:16558309): avc: denied { search } for pid=572 comm="vmware-smbd" name="tmp" dev=sda1 ino=192001 scontext=system_u:system_r:vmware_host_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir Nov 27 11:58:06 synth kernel: audit(1196193486.787:16558310): avc: denied { search } for pid=572 comm="vmware-smbd" name="/" dev=sda6 ino=2 scontext=system_u:system_r:vmware_host_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir Nov 27 11:58:06 synth kernel: audit(1196193486.787:16558311): avc: denied { search } for pid=572 comm="vmware-smbd" name="ben" dev=sda6 ino=28442626 scontext=system_u:system_r:vmware_host_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir and so on. Expected results: Can browse host filesystem from guest OS, via Samba. Additional info: Obviously vmware is not a part of Fedora itself (our RPM is an internal one) and so I'd not expect it to be supported officially by RedHat. It's thus surprising that F8 includes policy for it. I'd quite happily run vmware unconfined if there were a simple way of doing that (e.g. an "unconfined_vmware" boolean, or a way to remove vmware.pp from the policy). Looking at /etc/selinux/targeted/contexts/files/file_contexts, there seems to be defined contexts for vmware binaries, and these match what's set up on our filesystem: $ ls -lZ /usr/bin/vmware-smb* -rwxr-xr-x root root system_u:object_r:vmware_host_exec_t /usr/bin/vmware-smbd -rwxr-xr-x root root system_u:object_r:vmware_host_exec_t /usr/bin/vmware-smbpasswd -rwxr-xr-x root root system_u:object_r:vmware_host_exec_t /usr/bin/vmware-smbpasswd.bin The process contexts also "look" correct: $ ps -eZ |grep vmware system_u:system_r:vmware_host_t 26179 ? 00:00:00 vmnet-bridge system_u:system_r:vmware_host_t 26191 ? 00:00:00 vmnet-natd system_u:system_r:vmware_host_t 26199 ? 00:00:00 vmnet-netifup system_u:system_r:vmware_host_t 26200 ? 00:00:00 vmnet-netifup system_u:system_r:vmware_host_t 26247 ? 00:00:00 vmnet-dhcpd system_u:system_r:vmware_host_t 26251 ? 00:00:00 vmnet-dhcpd system_u:system_r:vmware_host_t 26270 ? 00:01:34 vmware-nmbd system_u:system_r:vmware_host_t 26272 ? 00:13:28 vmware-smbd