Bug 581120

Summary: SELinux is preventing /usr/bin/vmnet-natd "read" access to device /dev/vmnet8.
Product: [Fedora] Fedora Reporter: Mijax <mijax.mijax>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 12CC: dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:5b95148d9865e808d1d2569ee286704ef4e02ef1e836b770509540f27f500b8d
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-04-11 12:30:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Mijax 2010-04-10 10:04:35 UTC
Summary:

SELinux is preventing /usr/bin/vmnet-natd "read" access to device /dev/vmnet8.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux has denied vmnet-natd "read" access to device /dev/vmnet8. /dev/vmnet8
is mislabeled, this device has the default label of the /dev directory, which
should not happen. All Character and/or Block Devices should have a label. You
can attempt to change the label of the file using restorecon -v '/dev/vmnet8'.
If this device remains labeled device_t, then this is a bug in SELinux policy.
Please file a bg report. If you look at the other similar devices labels, ls -lZ
/dev/SIMILAR, and find a type that would work for /dev/vmnet8, you can use chcon
-t SIMILAR_TYPE '/dev/vmnet8', If this fixes the problem, you can make this
permanent by executing semanage fcontext -a -t SIMILAR_TYPE '/dev/vmnet8' If the
restorecon changes the context, this indicates that the application that created
the device, created it without using SELinux APIs. If you can figure out which
application created the device, please file a bug report against this
application.

Allowing Access:

Attempt restorecon -v '/dev/vmnet8' or chcon -t SIMILAR_TYPE '/dev/vmnet8'

Additional Information:

Source Context                system_u:system_r:vmware_host_t:s0-s0:c0.c1023
Target Context                system_u:object_r:device_t:s0
Target Objects                /dev/vmnet8 [ chr_file ]
Source                        vmnet-natd
Source Path                   /usr/bin/vmnet-natd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-108.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   device
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.31.12-174.2.22.fc12.i686.PAE #1 SMP Fri Feb 19
                              19:10:04 UTC 2010 i686 athlon
Alert Count                   4
First Seen                    Fri 09 Apr 2010 05:28:59 PM IRDT
Last Seen                     Fri 09 Apr 2010 05:29:48 PM IRDT
Local ID                      0a39fd8a-7570-44d1-a1d9-e6ac083978fa
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1270817988.909:24): avc:  denied  { read } for  pid=1450 comm="vmnet-natd" path="/dev/vmnet8" dev=tmpfs ino=44955 scontext=system_u:system_r:vmware_host_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

node=(removed) type=SYSCALL msg=audit(1270817988.909:24): arch=40000003 syscall=3 success=yes exit=82 a0=3 a1=bfa2e50c a2=8000 a3=1 items=0 ppid=1 pid=1450 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmnet-natd" exe="/usr/bin/vmnet-natd" subj=system_u:system_r:vmware_host_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  device,vmnet-natd,vmware_host_t,device_t,chr_file,read
audit2allow suggests:

#============= vmware_host_t ==============
allow vmware_host_t device_t:chr_file read;

Comment 1 Daniel Walsh 2010-04-11 12:30:07 UTC

*** This bug has been marked as a duplicate of bug 581117 ***