Bug 238360 - SELinux targetted policy blocks VMWare-hgfsmounter from mounting shared disks.
SELinux targetted policy blocks VMWare-hgfsmounter from mounting shared disks.
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted (Show other bugs)
5.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-04-29 15:45 EDT by Robert Auch
Modified: 2009-05-11 05:53 EDT (History)
4 users (show)

See Also:
Fixed In Version: RHBA-2007-0544
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 504872 (view as bug list)
Environment:
Last Closed: 2007-11-07 11:39:30 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Robert Auch 2007-04-29 15:45:28 EDT
Description of problem:
SELinux won't allow "chcon -t mount_t
/usr/lib/vmware-tools/sbin32/vmware-hgfsmounter".  Without "vmware-hgfsmounter"
being set as "mount_t", it can't mount VMWare "Shared disks" unless SELinux is
in "permissive" mode.

To get around this as a test, I did the following:
[rauch@localhost sbin32]$ sudo setenforce permissive
[rauch@localhost sbin32]$ sudo chcon -t mount_t vmware-hgfsmounter 
[rauch@localhost sbin32]$ sudo setenforce 1
[rauch@localhost sbin32]$ getenforce
Enforcing

Will post status after a reboot.



Version-Release number of selected component (if applicable):
Linux localhost.localdomain 2.6.18-8.1.1.el5 #1 SMP Mon Feb 26 20:38:02 EST 2007
i686 i686 i386 GNU/Linux

How reproducible:
Every reboot.

Steps to Reproduce:
1. Reboot VMWare Workstation 6 or 5.5 guest with shared disks enabled and
auto-mounted (settings in VMWare software)
2.
3.
  
Actual results:
SELinux blocks access:
Summary
    SELinux prevented /bin/mount from mounting on the file or directory
    "/usr/lib/vmware-tools/sbin32/vmware-hgfsmounter" (type "lib_t").

Detailed Description
    SELinux prevented /bin/mount from mounting a filesystem on the file or
    directory "/usr/lib/vmware-tools/sbin32/vmware-hgfsmounter" of type "lib_t".
    By default SELinux limits the mounting of filesystems to only some files or
    directories (those with types that have the mountpoint attribute). The type
    "lib_t" does not have this attribute. You can either relabel the file or
    directory or set the boolean "allow_mount_anyfile" to true to allow mounting
    on any file or directory.

Allowing Access
    Changing the "allow_mount_anyfile" boolean to true will allow this access:
    "setsebool -P allow_mount_anyfile=1."

    The following command will allow this access:
    setsebool -P allow_mount_anyfile=1

Additional Information        

Source Context                system_u:system_r:mount_t
Target Context                system_u:object_r:lib_t
Target Objects                /usr/lib/vmware-tools/sbin32/vmware-hgfsmounter [
                              file ]
Affected RPM Packages         util-linux-2.13-0.44.el5
                              [application]VMwareTools-7236-42757 [target]
Policy RPM                    selinux-policy-2.4.6-30.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.allow_mount_anyfile
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.18-8.1.1.el5 #1
                              SMP Mon Feb 26 20:38:02 EST 2007 i686 i686
Alert Count                   1
Line Numbers                  

Raw Audit Messages            

avc: denied { execute_no_trans } for comm="mount" dev=dm-0 egid=0 euid=0
exe="/bin/mount" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="vmware-
hgfsmounter" path="/usr/lib/vmware-tools/sbin32/vmware-hgfsmounter" pid=2367
scontext=system_u:system_r:mount_t:s0 sgid=0 subj=system_u:system_r:mount_t:s0
suid=0 tclass=file tcontext=system_u:object_r:lib_t:s0 tty=(none) uid=0



Expected results:
Expected to see /mnt/vmware-home pointing to my host OS home directory.
Comment 1 Daniel Walsh 2007-04-30 08:51:53 EDT
You probably could have done a chcon -t bin_t which would also have fixed this.

semanage fcontext -a -t bin_t '/usr/lib/vmware-tools/sbin32(/.*)?'

Will make the change survive a relabel.

I will add this to the next update release.
Comment 2 Daniel Riek 2007-05-01 09:04:10 EDT
Found during cleanup.

Proposing for 5.1 and PM_ACK as component is already approved.
Comment 3 Robert Auch 2007-05-01 11:15:08 EDT
additional SELinx block of VMWare, should be considered with previous posting,
due to same-vendor nature:

Summary
    SELinux is preventing vmware-config-t (unconfined_execmem_t) "setattr" to
    vmware-hgfsmounter (mount_t).

Detailed Description
    SELinux denied access requested by vmware-config-t. It is not expected that
    this access is required by vmware-config-t and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for vmware-hgfsmounter, restorecon
    -v vmware-hgfsmounter If this does not work, there is currently no automatic
    way to allow this access. Instead,  you can generate a local policy module
    to allow this access - see http://fedora.redhat.com/docs/selinux-faq-
    fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling
    SELinux protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                user_u:system_r:unconfined_execmem_t
Target Context                system_u:object_r:mount_t
Target Objects                vmware-hgfsmounter [ file ]
Affected RPM Packages         
Policy RPM                    selinux-policy-2.4.6-30.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.18-8.1.3.el5 #1
                              SMP Mon Apr 16 15:54:12 EDT 2007 i686 i686
Alert Count                   2
Line Numbers                  

Raw Audit Messages            

avc: denied { setattr } for comm="vmware-config-t" dev=dm-0 egid=0 euid=0
exe="/usr/bin/perl" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="vmware-
hgfsmounter" pid=3140 scontext=user_u:system_r:unconfined_execmem_t:s0 sgid=0
subj=user_u:system_r:unconfined_execmem_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:mount_t:s0 tty=pts1 uid=0

Comment 4 Daniel Walsh 2007-05-03 10:11:13 EDT
This is because mount_t is a process domain, not a file context.  If you want to
set the file context on a file that will transition to the mount_t domain, you
would need to assign mount_exec_t to the file.  In this case I would just assign
bin_t to the command.

Which is what I have done in selinux-policy-2.4.6-68
Comment 7 Eduard Benes 2007-08-21 09:53:24 EDT
Robert, could you try the new policy available at the link below and reply 
whether the new packages solve your problem. Thank you.

http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/
Comment 8 Eduard Benes 2007-09-06 12:17:18 EDT
Latest selinux policy, that adds the new rule is available here:

http://porkchop.devel.redhat.com/brewroot/packages/selinux-policy/2.4.6/89.el5/
noarch/
Comment 9 Eduard Benes 2007-09-24 09:20:27 EDT
Robert, could you please try the new policy available at the link below and 
reply whether the new packages solve your problem? Thank you.

http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/
Comment 11 errata-xmlrpc 2007-11-07 11:39:30 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0544.html
Comment 12 Mojiong Qiu 2009-05-11 05:53:24 EDT
(In reply to comment #11)
> An advisory has been issued which should help the problem
> described in this bug report. This report is therefore being
> closed with a resolution of ERRATA. For more information
> on the solution and/or where to find the updated files,
> please follow the link below. You may reopen this bug report
> if the solution does not work for you.
> 
> http://rhn.redhat.com/errata/RHBA-2007-0544.html
>   

(In reply to comment #9)
> Robert, could you please try the new policy available at the link below and 
> reply whether the new packages solve your problem? Thank you.
> 
> http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/  

I can still hit the bug even if the packages listed in the ERRATA are applied. However, the packages from the link http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/  solved my problem.

Note You need to log in before you can comment on or make changes to this bug.