Bug 442425
| Summary: | SELinux targeted policy blocks VMWare-hgfsmounter from mounting shared disks. | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Lance French <lance> |
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED CURRENTRELEASE | Severity: | medium |
| Priority: | low | Version: | 5.1 |
| Target Milestone: | rc | CC: | dwalsh |
| Hardware: | x86_64 | OS: | Linux |
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=238360 | Last Closed: | 2008-07-16 17:37:35 UTC |
| Fixed In Version: | Current | Doc Type: | Bug Fix |

Description
Lance French
2008-04-14 18:54:00 UTC
I can fix the labeling on the directory, but I do not see how this mount AVC you are getting is affected by the labeling. What is the type of the file system you are attempting to mount?

The other alert.
Summary
SELinux prevented /bin/mount from mounting on the file or directory
"/usr/lib/vmware-tools/sbin64/vmware-hgfsmounter" (type "lib_t").
Detailed Description
SELinux prevented /bin/mount from mounting a filesystem on the file or
directory "/usr/lib/vmware-tools/sbin64/vmware-hgfsmounter" of type "lib_t".
By default SELinux limits the mounting of filesystems to only some files or
directories (those with types that have the mountpoint attribute). The type
"lib_t" does not have this attribute. You can either relabel the file or
directory or set the boolean "allow_mount_anyfile" to true to allow mounting
on any file or directory.
Allowing Access
Changing the "allow_mount_anyfile" boolean to true will allow this access:
"setsebool -P allow_mount_anyfile=1."
The following command will allow this access:
setsebool -P allow_mount_anyfile=1
Additional Information
Source Context                system_u:system_r:mount_t
Target Context                system_u:object_r:lib_t
Target Objects                /usr/lib/vmware-tools/sbin64/vmware-hgfsmounter [ file ]
Affected RPM Packages         util-linux-2.13-0.45.el5_1.1 [application]VMwareTools-7241-80004 [target]
Policy RPM                    selinux-policy-2.4.6-106.el5_1.3
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.allow_mount_anyfile
Host Name                     rhel5-vm
Platform                      Linux rhel5-vm 2.6.18-53.1.14.el5 #1 SMP Tue Feb 19 07:18:46 EST 2008 x86_64 x86_64
Alert Count                   4
Line Numbers
Raw Audit Messages
avc: denied { execute_no_trans } for comm="mount" dev=dm-0 egid=0 euid=0 exe="/bin/mount" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 path="/usr/lib/vmware-tools/sbin64/vmware-hgfsmounter" pid=2034 scontext=system_u:system_r:mount_t:s0 sgid=0 subj=system_u:system_r:mount_t:s0 suid=0 tclass=file tcontext=system_u:object_r:lib_t:s0 tty=(none) uid=0
As for what filesystem I am trying to mount, I am not exactly sure how the vmware-hgfsmounter works but I can tell you the host is a vista machine so I would assume it's mounting an ntfs FS.

But if you
chcon -R -t sbin_t /usr/lib/vmware-tools/sbin64
Does it work?

Hmm, you are right. It did not work. I get a protocol error.
[root@rhel5-vm ~]# chcon -R -t sbin_t /usr/lib/vmware-tools/sbin64
[root@rhel5-vm ~]# /sbin/mount.vmhgfs .host:/ /mnt/hgfs
Error: cannot mount filesystem: Protocol error

Argh, I am a boob. It received a protocol error because there were no enabled shares for that virtual machine. I created one and it *is* working after the context change.

Fixed in selinux-policy-2.4.6-33.el5
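
The alert text in this report talks about mounting on a `lib_t` file and suggests `allow_mount_anyfile`, while the raw audit record denies `execute_no_trans` and the thread resolves it by relabeling. As an added example (not part of the original report), this Python code parses that raw record and checks whether a plugin's advice covers the denied permission; the mapping of `plugins.allow_mount_anyfile` to the `mounton` permission and the function names are assumptions of this example.

```python
import re

# Raw AVC record from this report, rejoined onto one line.
AVC = ('avc: denied { execute_no_trans } for comm="mount" dev=dm-0 egid=0 euid=0 '
       'exe="/bin/mount" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 '
       'path="/usr/lib/vmware-tools/sbin64/vmware-hgfsmounter" pid=2034 '
       'scontext=system_u:system_r:mount_t:s0 sgid=0 '
       'subj=system_u:system_r:mount_t:s0 suid=0 tclass=file '
       'tcontext=system_u:object_r:lib_t:s0 tty=(none) uid=0')

# Assumption: the permission each sealert plugin's advice is meant to address.
PLUGIN_PERMS = {"plugins.allow_mount_anyfile": {"mounton"}}

def parse_avc(line):
    """Split an AVC record into result, permission set and key=value fields."""
    m = re.search(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)', line)
    if not m:
        raise ValueError("not an AVC record")
    rec = {"result": m.group(1), "perms": set(m.group(2).split())}
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(3)):
        rec[key] = val.strip('"')
    # A context is user:role:type[:level]; the type is what policy rules name.
    for side in ("scontext", "tcontext"):
        parts = rec.get(side, "").split(":")
        rec[side[0] + "type"] = parts[2] if len(parts) >= 3 else None
    return rec

def plugin_matches(rec, plugin):
    """True if the plugin's advice covers at least one denied permission."""
    return bool(rec["perms"] & PLUGIN_PERMS.get(plugin, set()))

def triage(rec, plugin):
    """Say whether to follow the plugin advice or inspect the file label."""
    if plugin_matches(rec, plugin):
        return "plugin advice addresses the denied permission"
    if rec.get("tclass") == "file" and rec["perms"] & {"execute", "execute_no_trans"}:
        return ("%s may not execute %s files; check the label on %s"
                % (rec["stype"], rec["ttype"], rec.get("path")))
    return "no rule matched; read the raw record"

if __name__ == "__main__":
    print(triage(parse_avc(AVC), "plugins.allow_mount_anyfile"))
```
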