Bug 416671 - SELinux is preventing vmnet-netifup (vmware_host_t) "read write" access to device .
SELinux is preventing vmnet-netifup (vmware_host_t) "read write" access to de...
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
8
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-12-08 13:28 EST by Bill Crooke
Modified: 2008-01-30 14:20 EST (History)
0 users

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-01-30 14:20:22 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
SElinux log entry for vmware policy violation (2.46 KB, text/plain)
2007-12-08 13:28 EST, Bill Crooke
no flags Details

  None (edit)
Description Bill Crooke 2007-12-08 13:28:28 EST
Description of problem:

SELinux has denied the vmnet-netifup (vmware_host_t) "read write" access to
device . is mislabeled, this device has the default label of the /dev directory,
which should not happen. All Character and/or Block Devices should have a label.
You can attempt to change the label of the file using restorecon -v . If this
device remains labeled device_t, then this is a bug in SELinux policy. Please
file a bug report against the selinux-policy package. If you look at the other
similar devices labels, ls -lZ /dev/SIMILAR, and find a type that would work for
, you can use chcon -t SIMILAR_TYPE , If this fixes the problem, you can make
this permanent by executing semanage fcontext -a -t SIMILAR_TYPE If the
restorecon changes the context, this indicates that the application that created
the device, created it without using SELinux APIs. If you can figure out which
application created the device, please file a bug report against this application.
Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Bill Crooke 2007-12-08 13:28:28 EST
Created attachment 282071 [details]
SElinux log entry for vmware policy violation
Comment 2 Francesco 2007-12-09 09:16:16 EST
SELinux ha negato a /usr/bin/vmnet-bridge (vmware_host_t) l'accesso "read
write" al dispositivo <Unknown>. <Unknown> non è stato etichettato
correttamente, questo dispositivo possiede l'etichetta di default della
directory /dev, e questo non risulta essere corretto. Tutti i dispositivi a
blocchi e/o a caratteri, dovrebbero avere una etichetta. Potete modificare
l'etichetta del file utilizzando restorecon <Unknown>.  Se questo
dispositivo resta etichettato device_t, ciò risulterà essere un bug
relativo alla policy di SELinux. Vi preghiamo di inviare un
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi nei confronti del
pacchetto selinux-policy. Se controllate altre etichette simili del
dispositivo, ls -lZ /dev/SIMILAR, e trovate un tipo in grado di funzionare
con <Unknown>, potrete utilizzare chcon -t SIMILAR_TYPE <Unknown>,Se tale
operazione corregge il problema, è possibile rendere questa correzione
permanente eseguendo semanage fcontext -a -t SIMILAR_TYPE <Unknown> Se
restorecon modifica il contesto, ciò indicherà che l'applicazione che ha
creato il dispositivo, lo ha creato senza utilizzare le API di SELinux. Se
siete in grado di sapere quale applicazione ha creato il dispositivo, vi
preghiamo di inviare un http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
nei confronti di questa applicazione.

Abilitazione accesso in corso
Tentativo restorecon -v <Unknown> o chcon -t SIMILAR_TYPE <Unknown>

Informazioni aggiuntive       

Contesto della sorgente       system_u:system_r:vmware_host_t:s0
Contesto target               system_u:object_r:device_t:s0
Oggetti target                None [ chr_file ]
Pacchetti RPM interessati     VMwareWorkstation-6.0.2-59824 [application]
RPM della policy              selinux-policy-3.0.8-62.fc8
Selinux abilitato             True
Tipo di policy                targeted
MLS abilitato                 True
Modalità Enforcing           Enforcing
Nome plugin                   plugins.device
Host Name                     Fedora
Piattaforma                   Linux Fedora 2.6.23.8-63.fc8 #1 SMP Wed Nov 21
17:56:40 EST 2007 x86_64 x86_64
Conteggio allerte             1
First Seen                    dom 09 dic 2007 14:16:02 CET
Last Seen                     dom 09 dic 2007 14:16:02 CET
Local ID                      823fd498-00f9-40c8-b0f9-3bb639448688
Numeri di linea               

Messaggi Raw Audit            

avc: denied { read write } for comm=vmnet-bridge dev=tmpfs egid=0 euid=0
exe=/usr/bin/vmnet-bridge exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=vmnet0
pid=2239 scontext=system_u:system_r:vmware_host_t:s0 sgid=0
subj=system_u:system_r:vmware_host_t:s0 suid=0 tclass=chr_file
tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0
Comment 3 Daniel Walsh 2007-12-10 09:43:22 EST
# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-68.fc8
Comment 4 Daniel Walsh 2008-01-30 14:20:22 EST
Bulk closing all bugs in Fedora updates in the modified state.  If you bug is
not fixed, please reopen.

Note You need to log in before you can comment on or make changes to this bug.