Bug 403631 - selinux-policy in F8 breaks VMWare Workstation
selinux-policy in F8 breaks VMWare Workstation
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
8
i386 Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-11-28 18:39 EST by Ben Webb
Modified: 2008-01-30 14:19 EST (History)
1 user (show)

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-01-30 14:19:15 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Ben Webb 2007-11-28 18:39:58 EST
Description of problem:
On updating from F7 to F8, VMWare workstation (4.5.3.19414) no longer works - it
is prevented from doing so by selinux-policy. Running in permissive mode allows
vmware to function normally.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.0.8-56.fc8

How reproducible:
Always.

Steps to Reproduce:
1. Set SELinux enforcing mode.
2. Start VMWare workstation.
3. Start a guest OS and try to access the host's filesystem (which uses
vmware-smbd).
  
Actual results:
Step 3 hangs, while on the host avc denials are logged:
Nov 21 12:02:56 synth kernel: audit(1195675376.553:754248): avc:  denied  {
accept } for  pid=26272 comm="vmware-smbd" laddr=172.16.196.1 lport=139
scontext=system_u:system_r:vmware_host_t:s0
tcontext=system_u:system_r:vmware_host_t:s0 tclass=tcp_socket
(this continues indefinitely until vmware is killed or selinux is disabled)

In permissive mode, something like the following occurs instead:
Nov 27 11:58:06 synth kernel: audit(1196193486.147:16558306): avc:  denied  {
accept } for  pid=26272 comm="vmware-smbd" laddr=172.16.196.1 lport=139
scontext=system_u:system_r:vmware_host_t:s0
tcontext=system_u:system_r:vmware_host_t:s0 tclass=tcp_socket
Nov 27 11:58:06 synth kernel: audit(1196193486.148:16558307): avc:  denied  {
read } for  pid=572 comm="vmware-smbd" path="/dev/urandom" dev=tmpfs ino=2237
scontext=system_u:system_r:vmware_host_t:s0
tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
Nov 27 11:58:06 synth kernel: audit(1196193486.508:16558308): avc:  denied  {
setgid } for  pid=572 comm="vmware-smbd" capability=6
scontext=system_u:system_r:vmware_host_t:s0
tcontext=system_u:system_r:vmware_host_t:s0 tclass=capability
Nov 27 11:58:06 synth kernel: audit(1196193486.553:16558309): avc:  denied  {
search } for  pid=572 comm="vmware-smbd" name="tmp" dev=sda1 ino=192001
scontext=system_u:system_r:vmware_host_t:s0 tcontext=system_u:object_r:tmp_t:s0
tclass=dir
Nov 27 11:58:06 synth kernel: audit(1196193486.787:16558310): avc:  denied  {
search } for  pid=572 comm="vmware-smbd" name="/" dev=sda6 ino=2
scontext=system_u:system_r:vmware_host_t:s0
tcontext=system_u:object_r:home_root_t:s0 tclass=dir
Nov 27 11:58:06 synth kernel: audit(1196193486.787:16558311): avc:  denied  {
search } for  pid=572 comm="vmware-smbd" name="ben" dev=sda6 ino=28442626
scontext=system_u:system_r:vmware_host_t:s0
tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
and so on.

Expected results:
Can browse host filesystem from guest OS, via Samba.

Additional info:
Obviously vmware is not a part of Fedora itself (our RPM is an internal one) and
so I'd not expect it to be supported officially by RedHat. It's thus surprising
that F8 includes policy for it. I'd quite happily run vmware unconfined if there
were a simple way of doing that (e.g. an "unconfined_vmware" boolean, or a way
to remove vmware.pp from the policy).

Looking at /etc/selinux/targeted/contexts/files/file_contexts, there seems to be
defined contexts for vmware binaries, and these match what's set up on our
filesystem:
$ ls -lZ /usr/bin/vmware-smb*
-rwxr-xr-x  root root system_u:object_r:vmware_host_exec_t /usr/bin/vmware-smbd
-rwxr-xr-x  root root system_u:object_r:vmware_host_exec_t /usr/bin/vmware-smbpasswd
-rwxr-xr-x  root root system_u:object_r:vmware_host_exec_t
/usr/bin/vmware-smbpasswd.bin

The process contexts also "look" correct:
$ ps -eZ |grep vmware
system_u:system_r:vmware_host_t 26179 ?        00:00:00 vmnet-bridge
system_u:system_r:vmware_host_t 26191 ?        00:00:00 vmnet-natd
system_u:system_r:vmware_host_t 26199 ?        00:00:00 vmnet-netifup
system_u:system_r:vmware_host_t 26200 ?        00:00:00 vmnet-netifup
system_u:system_r:vmware_host_t 26247 ?        00:00:00 vmnet-dhcpd
system_u:system_r:vmware_host_t 26251 ?        00:00:00 vmnet-dhcpd
system_u:system_r:vmware_host_t 26270 ?        00:01:34 vmware-nmbd
system_u:system_r:vmware_host_t 26272 ?        00:13:28 vmware-smbd
Comment 1 Daniel Walsh 2007-12-02 21:34:44 EST
You can allow this for now by executing 

# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-63.fc8
Comment 2 Daniel Walsh 2008-01-30 14:19:15 EST
Bulk closing all bugs in Fedora updates in the modified state.  If you bug is
not fixed, please reopen.

Note You need to log in before you can comment on or make changes to this bug.