Description of problem:
Recent selinux-policy-targeted policy now generates execmem and execstack AVCs when starting vmware. vmware won't start in enforcing mode. (Didn't use to do this.)

I get the following AVCs when running in enforcing mode:

type=AVC msg=audit(1163518434.066:31): avc: denied { execstack } for pid=3631 comm="ld-linux.so.2" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1163518434.066:31): arch=40000003 syscall=125 success=no exit=-13 a0=bfe2e000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=3629 pid=3631 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="ld-linux.so.2" exe="/lib/ld-2.5.90.so" subj=user_u:system_r:unconfined_t:s0 key=(null)
type=AVC msg=audit(1163518434.073:32): avc: denied { execstack } for pid=3636 comm="ld-linux.so.2" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1163518434.073:32): arch=40000003 syscall=125 success=no exit=-13 a0=bfeff000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=3634 pid=3636 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="ld-linux.so.2" exe="/lib/ld-2.5.90.so" subj=user_u:system_r:unconfined_t:s0 key=(null)
type=AVC msg=audit(1163518434.114:33): avc: denied { execstack } for pid=3644 comm="ld-linux.so.2" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1163518434.114:33): arch=40000003 syscall=125 success=no exit=-13 a0=bfb63000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=3642 pid=3644 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="ld-linux.so.2" exe="/lib/ld-2.5.90.so" subj=user_u:system_r:unconfined_t:s0 key=(null)

In permissive mode, I get:

type=AVC msg=audit(1163518331.364:29): avc: denied { execstack } for pid=3603 comm="ld-linux.so.2" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1163518331.364:29): avc: denied { execmem } for pid=3603 comm="ld-linux.so.2" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1163518331.364:29): arch=40000003 syscall=125 success=yes exit=0 a0=bfbf4000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=3601 pid=3603 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="ld-linux.so.2" exe="/lib/ld-2.5.90.so" subj=user_u:system_r:unconfined_t:s0 key=(null)

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.3-12

How reproducible:
Every time.

Steps to Reproduce:
1. start vmware

Actual results:

Expected results:

Additional info:
chcon -t unconfined_execmem_exec_t /usr/bin/vmware fixes problem.
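
Added example, not part of the original report: a Python script that joins each AVC record to the SYSCALL record sharing its audit event ID and decodes the i386 mprotect arguments, which shows the denied call requesting PROT_EXEC together with PROT_GROWSDOWN on a stack-range address. The sample records are abridged from the report above; the function and constant names are assumptions made for this example.

```python
import re

# Records abridged from the report above (uid/gid and context fields dropped):
# event 31 was logged in enforcing mode, event 29 in permissive mode.
SAMPLE = '''\
type=AVC msg=audit(1163518434.066:31): avc: denied { execstack } for pid=3631 comm="ld-linux.so.2" tclass=process
type=SYSCALL msg=audit(1163518434.066:31): arch=40000003 syscall=125 success=no exit=-13 a0=bfe2e000 a1=1000 a2=1000007 a3=fffff000 pid=3631 exe="/lib/ld-2.5.90.so"
type=AVC msg=audit(1163518331.364:29): avc: denied { execstack } for pid=3603 comm="ld-linux.so.2" tclass=process
type=AVC msg=audit(1163518331.364:29): avc: denied { execmem } for pid=3603 comm="ld-linux.so.2" tclass=process
type=SYSCALL msg=audit(1163518331.364:29): arch=40000003 syscall=125 success=yes exit=0 a0=bfbf4000 a1=1000 a2=1000007 a3=fffff000 pid=3603 exe="/lib/ld-2.5.90.so"
'''

AUDIT_ARCH_I386, NR_MPROTECT_I386 = "40000003", "125"  # i386 syscall 125 is mprotect
PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC",
        0x01000000: "PROT_GROWSDOWN", 0x02000000: "PROT_GROWSUP"}

RECORD = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+:\d+)\):(.*)")
DENIED = re.compile(r"denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def correlate(log):
    """Join AVC and SYSCALL records on the audit event id and decode mprotect."""
    events = {}
    for line in log.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        rtype, event_id, body = m.groups()
        ev = events.setdefault(event_id, {"perms": [], "syscall": None})
        if rtype == "AVC" and (d := DENIED.search(body)):
            ev["perms"] += d.group(1).split()
        elif rtype == "SYSCALL":
            ev["syscall"] = {k: v.strip('"') for k, v in FIELD.findall(body)}
    rows = []
    for event_id, ev in events.items():
        sc = ev["syscall"]
        if not ev["perms"] or sc is None:
            continue  # need both halves of the event to say anything
        row = {"event": event_id, "denied": ev["perms"], "exe": sc.get("exe"),
               "blocked": sc.get("success") == "no"}
        if (sc.get("arch"), sc.get("syscall")) == (AUDIT_ARCH_I386, NR_MPROTECT_I386):
            prot = int(sc["a2"], 16)  # audit logs syscall arguments in hex
            row["call"] = "mprotect"
            row["addr"] = int(sc["a0"], 16)
            row["prot"] = [name for bit, name in PROT.items() if prot & bit]
        rows.append(row)
    return rows

if __name__ == "__main__":
    for row in correlate(SAMPLE):
        print(row)
```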