Description of problem:
SELinux won't allow "chcon -t mount_t /usr/lib/vmware-tools/sbin32/vmware-hgfsmounter". Without "vmware-hgfsmounter" being set as "mount_t", it can't mount VMWare "Shared disks" unless SELinux is in "permissive" mode. To get around this as a test, I did the following:

[rauch@localhost sbin32]$ sudo setenforce permissive
[rauch@localhost sbin32]$ sudo chcon -t mount_t vmware-hgfsmounter
[rauch@localhost sbin32]$ sudo setenforce 1
[rauch@localhost sbin32]$ getenforce
Enforcing

Will post status after a reboot.

Version-Release number of selected component (if applicable):
Linux localhost.localdomain 2.6.18-8.1.1.el5 #1 SMP Mon Feb 26 20:38:02 EST 2007 i686 i686 i386 GNU/Linux

How reproducible:
Every reboot.

Steps to Reproduce:
1. Reboot VMWare Workstation 6 or 5.5 guest with shared disks enabled and auto-mounted (settings in VMWare software)

Actual results:
SELinux blocks access:

Summary
SELinux prevented /bin/mount from mounting on the file or directory "/usr/lib/vmware-tools/sbin32/vmware-hgfsmounter" (type "lib_t").

Detailed Description
SELinux prevented /bin/mount from mounting a filesystem on the file or directory "/usr/lib/vmware-tools/sbin32/vmware-hgfsmounter" of type "lib_t". By default SELinux limits the mounting of filesystems to only some files or directories (those with types that have the mountpoint attribute). The type "lib_t" does not have this attribute. You can either relabel the file or directory or set the boolean "allow_mount_anyfile" to true to allow mounting on any file or directory.

Allowing Access
Changing the "allow_mount_anyfile" boolean to true will allow this access: "setsebool -P allow_mount_anyfile=1."
The following command will allow this access:
setsebool -P allow_mount_anyfile=1

Additional Information
Source Context          system_u:system_r:mount_t
Target Context          system_u:object_r:lib_t
Target Objects          /usr/lib/vmware-tools/sbin32/vmware-hgfsmounter [ file ]
Affected RPM Packages   util-linux-2.13-0.44.el5 [application] VMwareTools-7236-42757 [target]
Policy RPM              selinux-policy-2.4.6-30.el5
Selinux Enabled         True
Policy Type             targeted
MLS Enabled             True
Enforcing Mode          Enforcing
Plugin Name             plugins.allow_mount_anyfile
Host Name               localhost.localdomain
Platform                Linux localhost.localdomain 2.6.18-8.1.1.el5 #1 SMP Mon Feb 26 20:38:02 EST 2007 i686 i686
Alert Count             1
Line Numbers
Raw Audit Messages
avc: denied { execute_no_trans } for comm="mount" dev=dm-0 egid=0 euid=0 exe="/bin/mount" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="vmware-hgfsmounter" path="/usr/lib/vmware-tools/sbin32/vmware-hgfsmounter" pid=2367 scontext=system_u:system_r:mount_t:s0 sgid=0 subj=system_u:system_r:mount_t:s0 suid=0 tclass=file tcontext=system_u:object_r:lib_t:s0 tty=(none) uid=0

Expected results:
Expected to see /mnt/vmware-home pointing to my host OS home directory.
You probably could have done a chcon -t bin_t which would also have fixed this.

semanage fcontext -a -t bin_t '/usr/lib/vmware-tools/sbin32(/.*)?'

will make the change survive a relabel. I will add this to the next update release.
Found during cleanup. Proposing for 5.1 and PM_ACK as component is already approved.
Additional SELinux block of VMWare, should be considered with previous posting, due to same-vendor nature:

Summary
SELinux is preventing vmware-config-t (unconfined_execmem_t) "setattr" to vmware-hgfsmounter (mount_t).

Detailed Description
SELinux denied access requested by vmware-config-t. It is not expected that this access is required by vmware-config-t and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for vmware-hgfsmounter,
restorecon -v vmware-hgfsmounter
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
Source Context          user_u:system_r:unconfined_execmem_t
Target Context          system_u:object_r:mount_t
Target Objects          vmware-hgfsmounter [ file ]
Affected RPM Packages
Policy RPM              selinux-policy-2.4.6-30.el5
Selinux Enabled         True
Policy Type             targeted
MLS Enabled             True
Enforcing Mode          Permissive
Plugin Name             plugins.catchall_file
Host Name               localhost.localdomain
Platform                Linux localhost.localdomain 2.6.18-8.1.3.el5 #1 SMP Mon Apr 16 15:54:12 EDT 2007 i686 i686
Alert Count             2
Line Numbers
Raw Audit Messages
avc: denied { setattr } for comm="vmware-config-t" dev=dm-0 egid=0 euid=0 exe="/usr/bin/perl" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="vmware-hgfsmounter" pid=3140 scontext=user_u:system_r:unconfined_execmem_t:s0 sgid=0 subj=user_u:system_r:unconfined_execmem_t:s0 suid=0 tclass=file tcontext=system_u:object_r:mount_t:s0 tty=pts1 uid=0
This is because mount_t is a process domain, not a file context. If you want to set the file context on a file that will transition to the mount_t domain, you would need to assign mount_exec_t to the file. In this case I would just assign bin_t to the command, which is what I have done in selinux-policy-2.4.6-68.
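Added example, not part of this bug thread: a small POSIX sh helper that parses the two raw AVC lines pasted above and prints the persistent labeling fix the maintainer's replies describe (bin_t via semanage fcontext for the lib_t case, restorecon for a file wrongly given the mount_t domain type). The AVC_EXEC and AVC_SETATTR strings are constructed copies of the report's audit messages with wrap artifacts and unrelated fields removed.

```shell
# Constructed copies of the two raw audit messages from this report.
AVC_EXEC='avc: denied { execute_no_trans } for comm="mount" exe="/bin/mount" exit=-13 name="vmware-hgfsmounter" path="/usr/lib/vmware-tools/sbin32/vmware-hgfsmounter" pid=2367 scontext=system_u:system_r:mount_t:s0 tclass=file tcontext=system_u:object_r:lib_t:s0'
AVC_SETATTR='avc: denied { setattr } for comm="vmware-config-t" exe="/usr/bin/perl" exit=0 name="vmware-hgfsmounter" pid=3140 scontext=user_u:system_r:unconfined_execmem_t:s0 tclass=file tcontext=system_u:object_r:mount_t:s0'

# avc_field LINE KEY: value of KEY=value, surrounding quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

# avc_perm LINE: the denied permission inside { }
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^ }]*\) *}.*/\1/p'
}

# ctx_type CONTEXT: the type field of user:role:type[:level]
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_fix LINE: print the persistent fix for the labeling mistakes seen here
avc_fix() {
    ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    path=$(avc_field "$1" path)
    name=$(avc_field "$1" name)
    case "$ttype" in
    lib_t)
        # The helper is lib_t only because it lives under /usr/lib; bin_t
        # lets mount_t execute it. The fcontext rule survives a relabel,
        # restorecon applies it now (same rule as in the maintainer's reply).
        dir=$(dirname "$path")
        printf "semanage fcontext -a -t bin_t '%s(/.*)?'\n" "$dir"
        printf "restorecon -Rv '%s'\n" "$dir"
        ;;
    mount_t)
        # mount_t is a process domain, not a file type: chcon -t mount_t
        # left the file mislabeled. Restore its default label instead.
        printf "restorecon -v '%s'\n" "$name"
        ;;
    *)
        printf 'no local rule for target type %s\n' "$ttype"
        ;;
    esac
}

avc_fix "$AVC_EXEC"
avc_fix "$AVC_SETATTR"
```

Run it as root with the real denial line from /var/log/audit/audit.log in place of the constructed strings; the printed commands are the change to apply, not run automatically.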
Robert, could you try the new policy available at the link below and reply whether the new packages solve your problem. Thank you. http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/
Latest selinux policy, that adds the new rule, is available here: http://porkchop.devel.redhat.com/brewroot/packages/selinux-policy/2.4.6/89.el5/noarch/
Robert, could you please try the new policy available at the link below and reply whether the new packages solve your problem? Thank you. http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2007-0544.html
(In reply to comment #11)
> An advisory has been issued which should help the problem
> described in this bug report. This report is therefore being
> closed with a resolution of ERRATA. For more information
> on the solution and/or where to find the updated files,
> please follow the link below. You may reopen this bug report
> if the solution does not work for you.
>
> http://rhn.redhat.com/errata/RHBA-2007-0544.html

(In reply to comment #9)
> Robert, could you please try the new policy available at the link below and
> reply whether the new packages solve your problem? Thank you.
>
> http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/

I can still hit the bug even if the packages listed in the ERRATA are applied. However, the packages from the link http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/ solved my problem.