Bug 504872

Summary: SELinux targeted policy blocks VMWare-hgfsmounter from mounting shared disks.
Product: Red Hat Enterprise Linux 5
Reporter: Dmitry Torokhov <dmitry.torokhov>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA
QA Contact: BaseOS QE <qe-baseos-auto>
Severity: medium
Priority: low
Version: 5.3
CC: dwalsh, ebenes, mmalik, ohudlick, pmuller, qmjxjtu, syeghiay
Target Milestone: rc
Keywords: OtherQA
Hardware: All
OS: Linux
Doc Type: Bug Fix
Clone Of: 238360
Last Closed: 2009-09-02 08:00:44 UTC

Description Dmitry Torokhov 2009-06-09 20:26:40 UTC
I am cloning the bug since I was not able to reopen it for some reason. We are still seeing selinux denials when trying to mount hgfs shares:

host=localhost.localdomain type=AVC msg=audit(1244165176.113:24): avc: denied { execute_no_trans } for pid=5264 comm="mount" path="/usr/lib/vmware-tools/sbin32/vmware-hgfsmounter" dev=dm-0 ino=3735704 scontext=system_u:system_r:mount_t:s0 tcontext=root:object_r:lib_t:s0 tclass=file

host=localhost.localdomain type=SYSCALL msg=audit(1244165176.113:24): arch=40000003 syscall=11 success=no exit=-13 a0=bff79f90 a1=bff79f60 a2=821ecc8 a3=0 items=0 ppid=5263 pid=5264 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null)

Upgrading to Dan's private builds (http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/ and http://people.redhat.com/dwalsh/SELinux/RHEL5/i386/) seems to fix it. Any chance of getting these updates into an official errata?

Thanks!
Dmitry 

+++ This bug was initially created as a clone of Bug #238360 +++

Description of problem:
SELinux won't allow "chcon -t mount_t
/usr/lib/vmware-tools/sbin32/vmware-hgfsmounter".  Without "vmware-hgfsmounter"
being set as "mount_t", it can't mount VMWare "Shared disks" unless SELinux is
in "permissive" mode.

To get around this as a test, I did the following:
[rauch@localhost sbin32]$ sudo setenforce permissive
[rauch@localhost sbin32]$ sudo chcon -t mount_t vmware-hgfsmounter 
[rauch@localhost sbin32]$ sudo setenforce 1
[rauch@localhost sbin32]$ getenforce
Enforcing

Will post status after a reboot.



Version-Release number of selected component (if applicable):
Linux localhost.localdomain 2.6.18-8.1.1.el5 #1 SMP Mon Feb 26 20:38:02 EST 2007
i686 i686 i386 GNU/Linux

How reproducible:
Every reboot.

Steps to Reproduce:
1. Reboot VMWare Workstation 6 or 5.5 guest with shared disks enabled and
auto-mounted (settings in VMWare software)
2.
3.
  
Actual results:
SELinux blocks access:
Summary
    SELinux prevented /bin/mount from mounting on the file or directory
    "/usr/lib/vmware-tools/sbin32/vmware-hgfsmounter" (type "lib_t").

Detailed Description
    SELinux prevented /bin/mount from mounting a filesystem on the file or
    directory "/usr/lib/vmware-tools/sbin32/vmware-hgfsmounter" of type "lib_t".
    By default SELinux limits the mounting of filesystems to only some files or
    directories (those with types that have the mountpoint attribute). The type
    "lib_t" does not have this attribute. You can either relabel the file or
    directory or set the boolean "allow_mount_anyfile" to true to allow mounting
    on any file or directory.

Allowing Access
    Changing the "allow_mount_anyfile" boolean to true will allow this access:
    "setsebool -P allow_mount_anyfile=1."

    The following command will allow this access:
    setsebool -P allow_mount_anyfile=1

Additional Information        

Source Context                system_u:system_r:mount_t
Target Context                system_u:object_r:lib_t
Target Objects                /usr/lib/vmware-tools/sbin32/vmware-hgfsmounter [
                              file ]
Affected RPM Packages         util-linux-2.13-0.44.el5
                              [application]VMwareTools-7236-42757 [target]
Policy RPM                    selinux-policy-2.4.6-30.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.allow_mount_anyfile
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.18-8.1.1.el5 #1
                              SMP Mon Feb 26 20:38:02 EST 2007 i686 i686
Alert Count                   1
Line Numbers                  

Raw Audit Messages            

avc: denied { execute_no_trans } for comm="mount" dev=dm-0 egid=0 euid=0
exe="/bin/mount" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="vmware-
hgfsmounter" path="/usr/lib/vmware-tools/sbin32/vmware-hgfsmounter" pid=2367
scontext=system_u:system_r:mount_t:s0 sgid=0 subj=system_u:system_r:mount_t:s0
suid=0 tclass=file tcontext=system_u:object_r:lib_t:s0 tty=(none) uid=0



Expected results:
Expected to see /mnt/vmware-home pointing to my host OS home directory.

--- Additional comment from dwalsh on 2007-04-30 08:51:53 EDT ---

You probably could have done a chcon -t bin_t which would also have fixed this.

semanage fcontext -a -t bin_t '/usr/lib/vmware-tools/sbin32(/.*)?'

Will make the change survive a relabel.

I will add this to the next update release.

--- Additional comment from riek on 2007-05-01 09:04:10 EDT ---

Found during cleanup.

Proposing for 5.1 and PM_ACK as component is already approved.

--- Additional comment from rauch on 2007-05-01 11:15:08 EDT ---

Additional SELinux block of VMWare; should be considered with the previous posting,
due to same-vendor nature:

Summary
    SELinux is preventing vmware-config-t (unconfined_execmem_t) "setattr" to
    vmware-hgfsmounter (mount_t).

Detailed Description
    SELinux denied access requested by vmware-config-t. It is not expected that
    this access is required by vmware-config-t and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for vmware-hgfsmounter, restorecon
    -v vmware-hgfsmounter If this does not work, there is currently no automatic
    way to allow this access. Instead,  you can generate a local policy module
    to allow this access - see http://fedora.redhat.com/docs/selinux-faq-
    fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling
    SELinux protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                user_u:system_r:unconfined_execmem_t
Target Context                system_u:object_r:mount_t
Target Objects                vmware-hgfsmounter [ file ]
Affected RPM Packages         
Policy RPM                    selinux-policy-2.4.6-30.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.18-8.1.3.el5 #1
                              SMP Mon Apr 16 15:54:12 EDT 2007 i686 i686
Alert Count                   2
Line Numbers                  

Raw Audit Messages            

avc: denied { setattr } for comm="vmware-config-t" dev=dm-0 egid=0 euid=0
exe="/usr/bin/perl" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="vmware-
hgfsmounter" pid=3140 scontext=user_u:system_r:unconfined_execmem_t:s0 sgid=0
subj=user_u:system_r:unconfined_execmem_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:mount_t:s0 tty=pts1 uid=0



--- Additional comment from dwalsh on 2007-05-03 10:11:13 EDT ---

This is because mount_t is a process domain, not a file context.  If you want to
set the file context on a file that will transition to the mount_t domain, you
would need to assign mount_exec_t to the file.  In this case I would just assign
bin_t to the command.

Which is what I have done in selinux-policy-2.4.6-68

--- Additional comment from ebenes on 2007-08-21 09:53:24 EDT ---

Robert, could you try the new policy available at the link below and reply 
whether the new packages solve your problem. Thank you.

http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/

--- Additional comment from ebenes on 2007-09-06 12:17:18 EDT ---

Latest selinux policy, that adds the new rule is available here:

http://porkchop.devel.redhat.com/brewroot/packages/selinux-policy/2.4.6/89.el5/noarch/

--- Additional comment from ebenes on 2007-09-24 09:20:27 EDT ---

Robert, could you please try the new policy available at the link below and 
reply whether the new packages solve your problem? Thank you.

http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/

--- Additional comment from errata-xmlrpc on 2007-11-07 11:39:30 EDT ---


An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0544.html


--- Additional comment from qmjxjtu on 2009-05-11 05:53:24 EDT ---

(In reply to comment #11)
> An advisory has been issued which should help the problem
> described in this bug report. This report is therefore being
> closed with a resolution of ERRATA. For more information
> on the solution and/or where to find the updated files,
> please follow the link below. You may reopen this bug report
> if the solution does not work for you.
> 
> http://rhn.redhat.com/errata/RHBA-2007-0544.html
>   

(In reply to comment #9)
> Robert, could you please try the new policy available at the link below and 
> reply whether the new packages solve your problem? Thank you.
> 
> http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/  

I can still hit the bug even if the packages listed in the ERRATA are applied. However, the packages from the link http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/ solved my problem.
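
The triage dwalsh describes in the cloned comments (mount_t is a process domain, not a file type; the helper should carry bin_t, made persistent with semanage fcontext and restorecon), as an added shell example that is not part of this bug report. It parses the two AVC lines quoted above, embedded here as constructed samples, classifies them and prints the relabel commands without running anything; the avc_* function names are assumptions.

```shell
#!/bin/sh
# Added example: classify the AVC denials quoted in this bug and print the
# persistent relabel fix. Only prints commands; it changes nothing on the system.

# Constructed samples, copied from the two denials quoted in the report.
AVC_MOUNT='type=AVC msg=audit(1244165176.113:24): avc: denied { execute_no_trans } for pid=5264 comm="mount" path="/usr/lib/vmware-tools/sbin32/vmware-hgfsmounter" dev=dm-0 ino=3735704 scontext=system_u:system_r:mount_t:s0 tcontext=root:object_r:lib_t:s0 tclass=file'
AVC_SETATTR='avc: denied { setattr } for comm="vmware-config-t" exe="/usr/bin/perl" name="vmware-hgfsmounter" pid=3140 scontext=user_u:system_r:unconfined_execmem_t:s0 tclass=file tcontext=system_u:object_r:mount_t:s0 uid=0'

# avc_field LINE KEY: value of KEY=value (surrounding quotes stripped), or empty.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE: the permission named inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied {[[:space:]]*\([^} ]*\).*/\1/p'
}

# avc_type CONTEXT: the type component (third field) of user:role:type:level.
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_classify LINE: prints one token and always returns 0.
#   mislabeled-helper    mount_t could not exec a helper labelled lib_t (this bug)
#   domain-as-file-type  a file carries a process domain (mount_t) instead of a file type
#   unknown              anything else
avc_classify() {
    perm=$(avc_perm "$1")
    stype=$(avc_type "$(avc_field "$1" scontext)")
    ttype=$(avc_type "$(avc_field "$1" tcontext)")
    tclass=$(avc_field "$1" tclass)
    if [ "$perm" = execute_no_trans ] && [ "$stype" = mount_t ] && [ "$ttype" = lib_t ] && [ "$tclass" = file ]; then
        echo mislabeled-helper
    elif [ "$tclass" = file ] && [ "$ttype" = mount_t ]; then
        echo domain-as-file-type
    else
        echo unknown
    fi
}

# avc_fix LINE: prints the persistent bin_t relabel for the helper's directory,
# the same semanage rule dwalsh gives in the report, followed by a restorecon.
avc_fix() {
    path=$(avc_field "$1" path)
    [ -n "$path" ] || { echo "no path= in AVC; locate the file from name= first"; return 0; }
    dir=$(dirname "$path")
    printf "semanage fcontext -a -t bin_t '%s(/.*)?'\n" "$dir"
    printf 'restorecon -Rv %s\n' "$dir"
}

avc_classify "$AVC_MOUNT"
avc_fix "$AVC_MOUNT"
```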

Comment 1 Daniel Walsh 2009-06-10 18:44:08 UTC
Are you seeing this with selinux-policy-2.4.6-244.el5.noarch.rpm which is out on 
http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/

Comment 2 Mojiong Qiu 2009-06-12 09:20:39 UTC
(In reply to comment #1)
> Are you seeing this with selinux-policy-2.4.6-244.el5.noarch.rpm which is out
> on 
> http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/  

No SELinux denials are seen after the upgrade.

Due to package dependencies, I downloaded all the packages from http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/ and
http://people.redhat.com/dwalsh/SELinux/RHEL5/i386/, then I did the upgrade with "rpm -U". I then saw restorecon commands, including the one for vmware-hgfsmounter, which was denied by SELinux before the upgrade.
...
/sbin/restorecon reset /usr/bin/vmware-config-tools.pl context user_u:object_r:bin_t:s0->system_u:object_r:unconfined_execmem_exec_t:s0
/sbin/restorecon reset /usr/lib/vmware-tools/sbin32 context user_u:object_r:lib_t:s0->system_u:object_r:sbin_t:s0
/sbin/restorecon reset /usr/lib/vmware-tools/sbin32/vmware-modconfig-console-wrapper context user_u:object_r:lib_t:s0->system_u:object_r:sbin_t:s0
/sbin/restorecon reset /usr/lib/vmware-tools/sbin32/vmware-guestd-wrapper context user_u:object_r:lib_t:s0->system_u:object_r:sbin_t:s0
/sbin/restorecon reset /usr/lib/vmware-tools/sbin32/vmware-modconfig-console context user_u:object_r:lib_t:s0->system_u:object_r:sbin_t:s0
/sbin/restorecon reset /usr/lib/vmware-tools/sbin32/vmware-checkvm context user_u:object_r:lib_t:s0->system_u:object_r:sbin_t:s0
/sbin/restorecon reset /usr/lib/vmware-tools/sbin32/vmware-modconfig context user_u:object_r:lib_t:s0->system_u:object_r:sbin_t:s0
/sbin/restorecon reset /usr/lib/vmware-tools/sbin32/vmware-hgfsmounter context user_u:object_r:lib_t:s0->system_u:object_r:sbin_t:s0
....
After that, no SELinux alerts or denials are seen when trying to mount hgfs shares.

It seems your new policy fixes the bug.

Comment 12 errata-xmlrpc 2009-09-02 08:00:44 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1242.html