Bug 442425
| Summary: | SELinux targeted policy blocks VMWare-hgfsmounter from mounting shared disks. | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Lance French <lance> |
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED CURRENTRELEASE | Severity: | medium |
| Priority: | low | Version: | 5.1 |
| CC: | dwalsh | Target Milestone: | rc |
| Hardware: | x86_64 | OS: | Linux |
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=238360 | Last Closed: | 2008-07-16 17:37:35 UTC |
| Fixed In Version: | Current | Doc Type: | Bug Fix |

Description
Lance French
2008-04-14 18:54:00 UTC
I can fix the labeling on the directory, but I do not see how this mount AVC you are getting is affected by the labeling. What is the type of the file system you are attempting to mount?

The other alert.

Summary

SELinux prevented /bin/mount from mounting on the file or directory "/usr/lib/vmware-tools/sbin64/vmware-hgfsmounter" (type "lib_t").

Detailed Description

SELinux prevented /bin/mount from mounting a filesystem on the file or directory "/usr/lib/vmware-tools/sbin64/vmware-hgfsmounter" of type "lib_t". By default SELinux limits the mounting of filesystems to only some files or directories (those with types that have the mountpoint attribute). The type "lib_t" does not have this attribute. You can either relabel the file or directory or set the boolean "allow_mount_anyfile" to true to allow mounting on any file or directory.

Allowing Access

Changing the "allow_mount_anyfile" boolean to true will allow this access: "setsebool -P allow_mount_anyfile=1."

The following command will allow this access:

```
setsebool -P allow_mount_anyfile=1
```

Additional Information

```
Source Context          system_u:system_r:mount_t
Target Context          system_u:object_r:lib_t
Target Objects          /usr/lib/vmware-tools/sbin64/vmware-hgfsmounter [ file ]
Affected RPM Packages   util-linux-2.13-0.45.el5_1.1 [application]
                        VMwareTools-7241-80004 [target]
Policy RPM              selinux-policy-2.4.6-106.el5_1.3
Selinux Enabled         True
Policy Type             targeted
MLS Enabled             True
Enforcing Mode          Enforcing
Plugin Name             plugins.allow_mount_anyfile
Host Name               rhel5-vm
Platform                Linux rhel5-vm 2.6.18-53.1.14.el5 #1 SMP Tue Feb 19 07:18:46 EST 2008 x86_64 x86_64
Alert Count             4
Line Numbers
```

Raw Audit Messages

```
avc: denied { execute_no_trans } for comm="mount" dev=dm-0 egid=0 euid=0 exe="/bin/mount" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 path="/usr/lib/vmware-tools/sbin64/vmware-hgfsmounter" pid=2034 scontext=system_u:system_r:mount_t:s0 sgid=0 subj=system_u:system_r:mount_t:s0 suid=0 tclass=file tcontext=system_u:object_r:lib_t:s0 tty=(none) uid=0
```

As for what filesystem I am trying to mount, I am not exactly sure how the vmware-hgfsmounter works, but I can tell you the host is a Vista machine, so I would assume it's mounting an NTFS FS.

But if you

```
chcon -R -t sbin_t /usr/lib/vmware-tools/sbin64
```

Does it work?

Hmm, you are right. It did not work. I get a protocol error.

```
[root@rhel5-vm ~]# chcon -R -t sbin_t /usr/lib/vmware-tools/sbin64
[root@rhel5-vm ~]# /sbin/mount.vmhgfs .host:/ /mnt/hgfs
Error: cannot mount filesystem: Protocol error
```

Argh, I am a boob. It received a protocol error because there were no enabled shares for that virtual machine. I created one and it *is* working after the context change.

Fixed in selinux-policy-2.4.6-33.el5
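
An added example, not part of the original report and not code from setroubleshoot or the policy package: a small parser for the raw audit message quoted in the thread that separates a denied `mounton` (what the alert text describes) from a denied execute of a mount helper (what the AVC actually records). The function names `parse_avc` and `triage` and the category labels are assumptions made for the illustration; the sample line is the thread's message with the wrapped path rejoined.

```python
import re

# Constructed sample: the raw audit message from the report, wrapped path rejoined.
SAMPLE_AVC = (
    'avc: denied { execute_no_trans } for comm="mount" dev=dm-0 egid=0 euid=0 '
    'exe="/bin/mount" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 '
    'path="/usr/lib/vmware-tools/sbin64/vmware-hgfsmounter" pid=2034 '
    'scontext=system_u:system_r:mount_t:s0 sgid=0 '
    'subj=system_u:system_r:mount_t:s0 suid=0 tclass=file '
    'tcontext=system_u:object_r:lib_t:s0 tty=(none) uid=0'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the key=value fields of one AVC denial plus perms and SELinux types."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    for side in ("scontext", "tcontext"):
        parts = fields.get(side, "").split(":")  # user:role:type[:level]
        fields[side + "_type"] = parts[2] if len(parts) >= 3 else None
    return fields


def triage(avc):
    """Classify by denied permission and object class (labels are hypothetical)."""
    perms = set(avc["perms"])
    if "mounton" in perms:
        # The case the alert text describes: the mount target lacks a mountpoint type.
        return ("mountpoint", "relabel the mountpoint or review allow_mount_anyfile")
    if avc.get("tclass") == "file" and perms & {"execute", "execute_no_trans"}:
        # The case in this report: mount_t may not execute a helper labeled lib_t.
        return ("helper-exec", "relabel %s (the thread used chcon -t sbin_t)" % avc.get("path"))
    return ("other", "inspect scontext, tcontext and tclass by hand")


if __name__ == "__main__":
    print(triage(parse_avc(SAMPLE_AVC)))
```

On the sample the category is `helper-exec`, which matches the thread's outcome: relabeling the helper directory was enough, without turning on the broader `allow_mount_anyfile` boolean.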