Description of problem:
Using SELinux & VMware & NFS-exported home. I'm not sure whether this problem should be locally solved on my machine or it's a global policy setting thing. So here it comes:

SELinux is preventing /usr/bin/vmnet-netifup (vmware_host_t) "ioctl" access to device /dev/vmnet8.

Source Context: system_u:system_r:vmware_host_t:s0
Target Context: system_u:object_r:device_t:s0
Target Objects: /dev/vmnet8 [ chr_file ]
Affected RPM Packages: VMware-server-1.0.4-56528 [application]
Policy RPM: selinux-policy-3.0.8-22.fc8
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: plugins.device
Host Name: dhcp-lab-228.englab.brq.redhat.com
Platform: Linux dhcp-lab-228.englab.brq.redhat.com 2.6.23-6.fc8 #1 SMP Thu Oct 11 13:36:39 EDT 2007 x86_64 x86_64
Alert Count: 1
First Seen: Wed 17 October 2007, 15:20:47 CEST
Last Seen: Wed 17 October 2007, 15:20:47 CEST
Local ID: 6abd2ca9-3c32-4752-94cc-e677afc529cc
Line Numbers:

Raw Audit Messages:
avc: denied { ioctl } for comm=vmnet-netifup dev=tmpfs egid=0 euid=0 exe=/usr/bin/vmnet-netifup exit=0 fsgid=0 fsuid=0 gid=0 items=0 path=/dev/vmnet8 pid=2367 scontext=system_u:system_r:vmware_host_t:s0 sgid=0 subj=system_u:system_r:vmware_host_t:s0 suid=0 tclass=chr_file tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0

-------------------------------

SELinux is preventing /usr/bin/vmnet-netifup (vmware_host_t) "ioctl" access to device /dev/vmnet1.

Source Context: system_u:system_r:vmware_host_t:s0
Target Context: system_u:object_r:device_t:s0
Target Objects: /dev/vmnet1 [ chr_file ]
Affected RPM Packages: VMware-server-1.0.4-56528 [application]
Policy RPM: selinux-policy-3.0.8-22.fc8
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: plugins.device
Host Name: kabi
Platform: Linux kabi 2.6.23-6.fc8 #1 SMP Thu Oct 11 13:36:39 EDT 2007 x86_64 x86_64
Alert Count: 1
First Seen: Wed 17 October 2007, 15:43:17 CEST
Last Seen: Wed 17 October 2007, 15:43:17 CEST
Local ID: 1ed813a5-8c41-4860-a2fb-5c3d566ab526
Line Numbers:

Raw Audit Messages:
avc: denied { ioctl } for comm=vmnet-netifup dev=tmpfs egid=0 euid=0 exe=/usr/bin/vmnet-netifup exit=0 fsgid=0 fsuid=0 gid=0 items=0 path=/dev/vmnet1 pid=2353 scontext=system_u:system_r:vmware_host_t:s0 sgid=0 subj=system_u:system_r:vmware_host_t:s0 suid=0 tclass=chr_file tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0

--------------------------------------------------

SELinux is preventing rpc.mountd (nfsd_t) "ioctl" to /dev/mapper/control (lvm_control_t).

Source Context: system_u:system_r:nfsd_t:s0
Target Context: system_u:object_r:lvm_control_t:s0
Target Objects: /dev/mapper/control [ chr_file ]
Affected RPM Packages:
Policy RPM: selinux-policy-3.0.8-22.fc8
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: plugins.catchall_file
Host Name: kabi
Platform: Linux kabi 2.6.23-6.fc8 #1 SMP Thu Oct 11 13:36:39 EDT 2007 x86_64 x86_64
Alert Count: 2
First Seen: Wed 17 October 2007, 17:08:33 CEST
Last Seen: Wed 17 October 2007, 17:08:33 CEST
Local ID: 74d30be1-56b7-4cd0-9639-71c8d673fac3
Line Numbers:

Raw Audit Messages:
avc: denied { ioctl } for comm=rpc.mountd dev=tmpfs path=/dev/mapper/control pid=4906 scontext=system_u:system_r:nfsd_t:s0 tclass=chr_file tcontext=system_u:object_r:lvm_control_t:s0

----------------------------------

This one seems to be quite interesting, as my /etc/exports contains only 'rw' exported filesystems, so I do not understand the help message which suggests using yet another command to export NFS rw. Is it on purpose? Isn't it enough to mark filesystems (rw) only in the exports file?

SELinux is preventing the nfs daemon from allowing remote clients to write local files.

Detailed Description
SELinux has prevented the nfs daemon (nfsd) from writing files on the local system. If you have not exported any file systems (rw), this could signal an intrusion.

Allowing Access
If you want to export writable file systems using nfs you need to turn on the nfs_export_all_rw boolean: "setsebool -P nfs_export_all_rw=1".

The following command will allow this access:
setsebool -P nfs_export_all_rw=1

Additional Information
Source Context: system_u:system_r:nfsd_t:s0
Target Context: system_u:object_r:lvm_control_t:s0
Target Objects: None [ chr_file ]
Affected RPM Packages: nfs-utils-1.1.0-5.fc8 [application]
Policy RPM: selinux-policy-3.0.8-22.fc8
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: plugins.nfs_export_all_rw
Host Name: kabi
Platform: Linux kabi 2.6.23-6.fc8 #1 SMP Thu Oct 11 13:36:39 EDT 2007 x86_64 x86_64
Alert Count: 1
First Seen: Wed 17 October 2007, 17:08:33 CEST
Last Seen: Wed 17 October 2007, 17:08:33 CEST
Local ID: 79c57641-673a-4602-953a-0cd438e65ac6
Line Numbers:

Raw Audit Messages:
avc: denied { read write } for comm=rpc.mountd dev=tmpfs egid=0 euid=0 exe=/usr/sbin/rpc.mountd exit=12 fsgid=0 fsuid=0 gid=0 items=0 name=control pid=4906 scontext=system_u:system_r:nfsd_t:s0 sgid=0 subj=system_u:system_r:nfsd_t:s0 suid=0 tclass=chr_file tcontext=system_u:object_r:lvm_control_t:s0 tty=(none) uid=0

------------------

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Please report these as different errors, since some are SELinux problems and some are other apps leaking file descriptors. The vmware host errors are caused by an initscript in vmware creating a device but not labeling it correctly. If you add the line "restorecon /dev/vmnet8" right after the device is created, this should fix the problem. The nfsd_t wanting access to lvm_control_t looks like a leaked file descriptor from lvm or nash or something else in the boot sequence.
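A triage helper for raw AVC lines like the ones in this report, added here as an example and not part of the report, the VMware initscript or the selinux-policy package. It pulls the source type, target type, path and permissions out of each denial and applies the distinction the reply above draws: a /dev node still carrying the generic device_t label points at the program that created it without relabeling (fix with restorecon after creation), while any other denial should be checked for an inherited descriptor before it is turned into policy with audit2allow. The sample lines are constructed from the report and shortened to the fields the triage reads; the function names and output format are this example's own choices.

```shell
#!/bin/sh
# Added example: triage raw AVC denials the way the reply above does.
# Constructed sample lines modelled on the report (shortened to the fields
# the triage reads); they are not the original audit log.
SAMPLE_AVCS='avc: denied { ioctl } for comm=vmnet-netifup dev=tmpfs path=/dev/vmnet8 pid=2367 scontext=system_u:system_r:vmware_host_t:s0 tclass=chr_file tcontext=system_u:object_r:device_t:s0
avc: denied { ioctl } for comm=rpc.mountd dev=tmpfs path=/dev/mapper/control pid=4906 scontext=system_u:system_r:nfsd_t:s0 tclass=chr_file tcontext=system_u:object_r:lvm_control_t:s0
avc: denied { read write } for comm=rpc.mountd dev=tmpfs name=control pid=4906 scontext=system_u:system_r:nfsd_t:s0 tclass=chr_file tcontext=system_u:object_r:lvm_control_t:s0'

# avc_field LINE KEY: value of the KEY=VALUE pair in an audit line, "" if absent.
# The leading whitespace anchor keeps "scontext" from matching inside "tcontext".
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perms LINE: the permissions inside the braces, e.g. "ioctl" or "read write".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \(.*\) }.*/\1/p'
}

# avc_type CONTEXT: the type component of user:role:type:level.
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_triage LINE: print one classification line for a denial.
#   MISLABELED     a /dev node still labeled with the generic device_t: whatever
#                  created it never relabeled it, so the fix is restorecon right
#                  after creation (or a file context rule), not an allow rule.
#   POLICY-OR-LEAK anything else: first check whether the process inherited a
#                  descriptor it never opened itself (a leak in an earlier
#                  program), and only then consider audit2allow.
avc_triage() {
    line=$1
    path=$(avc_field "$line" path)
    # Some denials carry only name= (the final path component), not path=.
    [ -n "$path" ] || path=$(avc_field "$line" name)
    stype=$(avc_type "$(avc_field "$line" scontext)")
    ttype=$(avc_type "$(avc_field "$line" tcontext)")
    perms=$(avc_perms "$line")
    case "$path:$ttype" in
        /dev/*:device_t)
            printf 'MISLABELED %s -> %s {%s}: restorecon -v %s\n' "$stype" "$path" "$perms" "$path" ;;
        *)
            printf 'POLICY-OR-LEAK %s -> %s (%s) {%s}: check for a leaked fd before audit2allow\n' "$stype" "$path" "$ttype" "$perms" ;;
    esac
}

# avc_triage_all: read audit lines on stdin (e.g. from ausearch -m avc) and
# triage each denial; non-AVC lines are ignored.
avc_triage_all() {
    while IFS= read -r line; do
        case "$line" in *"avc: denied"*) avc_triage "$line" ;; esac
    done
}

printf '%s\n' "$SAMPLE_AVCS" | avc_triage_all
```

Run it against live data with `ausearch -m avc -ts recent | avc_triage_all`. Because the reporter's machine is in Permissive mode, every one of these denials was logged but still allowed, which is why VMware networking kept working while the alerts piled up; in Enforcing mode the MISLABELED case would break vmnet-netifup until the initscript relabels the node.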
I believe these are all fixed in selinux-policy-3.0.8-56.fc8.
Bulk closing all bugs in Fedora updates in the modified state. If your bug is not fixed, please reopen.