Description of problem:
On updating from F7 to F8, VMWare workstation (4.5.3.19414) no longer works - it
is prevented from doing so by selinux-policy. Running in permissive mode allows
vmware to function normally.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.0.8-56.fc8

How reproducible:
Always.

Steps to Reproduce:
1. Set SELinux enforcing mode.
2. Start VMWare workstation.
3. Start a guest OS and try to access the host's filesystem (which uses
vmware-smbd).
  
Actual results:
Step 3 hangs, while on the host avc denials are logged:
Nov 21 12:02:56 synth kernel: audit(1195675376.553:754248): avc:  denied  {
accept } for  pid=26272 comm="vmware-smbd" laddr=172.16.196.1 lport=139
scontext=system_u:system_r:vmware_host_t:s0
tcontext=system_u:system_r:vmware_host_t:s0 tclass=tcp_socket
(this continues indefinitely until vmware is killed or selinux is disabled)

In permissive mode, something like the following occurs instead:
Nov 27 11:58:06 synth kernel: audit(1196193486.147:16558306): avc:  denied  {
accept } for  pid=26272 comm="vmware-smbd" laddr=172.16.196.1 lport=139
scontext=system_u:system_r:vmware_host_t:s0
tcontext=system_u:system_r:vmware_host_t:s0 tclass=tcp_socket
Nov 27 11:58:06 synth kernel: audit(1196193486.148:16558307): avc:  denied  {
read } for  pid=572 comm="vmware-smbd" path="/dev/urandom" dev=tmpfs ino=2237
scontext=system_u:system_r:vmware_host_t:s0
tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
Nov 27 11:58:06 synth kernel: audit(1196193486.508:16558308): avc:  denied  {
setgid } for  pid=572 comm="vmware-smbd" capability=6
scontext=system_u:system_r:vmware_host_t:s0
tcontext=system_u:system_r:vmware_host_t:s0 tclass=capability
Nov 27 11:58:06 synth kernel: audit(1196193486.553:16558309): avc:  denied  {
search } for  pid=572 comm="vmware-smbd" name="tmp" dev=sda1 ino=192001
scontext=system_u:system_r:vmware_host_t:s0 tcontext=system_u:object_r:tmp_t:s0
tclass=dir
Nov 27 11:58:06 synth kernel: audit(1196193486.787:16558310): avc:  denied  {
search } for  pid=572 comm="vmware-smbd" name="/" dev=sda6 ino=2
scontext=system_u:system_r:vmware_host_t:s0
tcontext=system_u:object_r:home_root_t:s0 tclass=dir
Nov 27 11:58:06 synth kernel: audit(1196193486.787:16558311): avc:  denied  {
search } for  pid=572 comm="vmware-smbd" name="ben" dev=sda6 ino=28442626
scontext=system_u:system_r:vmware_host_t:s0
tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
and so on.

Expected results:
Can browse host filesystem from guest OS, via Samba.

Additional info:
Obviously vmware is not a part of Fedora itself (our RPM is an internal one) and
so I'd not expect it to be supported officially by RedHat. It's thus surprising
that F8 includes policy for it. I'd quite happily run vmware unconfined if there
were a simple way of doing that (e.g. an "unconfined_vmware" boolean, or a way
to remove vmware.pp from the policy).

Looking at /etc/selinux/targeted/contexts/files/file_contexts, there seems to be
defined contexts for vmware binaries, and these match what's set up on our
filesystem:
$ ls -lZ /usr/bin/vmware-smb*
-rwxr-xr-x  root root system_u:object_r:vmware_host_exec_t /usr/bin/vmware-smbd
-rwxr-xr-x  root root system_u:object_r:vmware_host_exec_t /usr/bin/vmware-smbpasswd
-rwxr-xr-x  root root system_u:object_r:vmware_host_exec_t
/usr/bin/vmware-smbpasswd.bin

The process contexts also "look" correct:
$ ps -eZ |grep vmware
system_u:system_r:vmware_host_t 26179 ?        00:00:00 vmnet-bridge
system_u:system_r:vmware_host_t 26191 ?        00:00:00 vmnet-natd
system_u:system_r:vmware_host_t 26199 ?        00:00:00 vmnet-netifup
system_u:system_r:vmware_host_t 26200 ?        00:00:00 vmnet-netifup
system_u:system_r:vmware_host_t 26247 ?        00:00:00 vmnet-dhcpd
system_u:system_r:vmware_host_t 26251 ?        00:00:00 vmnet-dhcpd
system_u:system_r:vmware_host_t 26270 ?        00:01:34 vmware-nmbd
system_u:system_r:vmware_host_t 26272 ?        00:13:28 vmware-smbd