Bug 442425 - SELinux targeted policy blocks VMWare-hgfsmounter from mounting shared disks.
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Hardware: x86_64 Linux
Priority: low  Severity: medium
Assigned To: Daniel Walsh
Reported: 2008-04-14 14:54 EDT by Lance French
Modified: 2009-12-25 04:19 EST (History)

Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-07-16 13:37:35 EDT

Description Lance French 2008-04-14 14:54:00 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5

Description of problem:
This is the same bug in Bugzilla Bug 238360 with the only twist that the x86_64 version of vmware-tools places the tools in /usr/lib/vmware-tools/sbin64/ as opposed to /usr/lib/vmware-tools/sbin32/.  

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install and configure vmware-tools (workstation ver. 6) on a RHEL5 64 bit guest.
2. Reboot.

Actual Results:
SELinux is preventing /bin/mount (mount_t) "mount" to / (unlabeled_t).

Detailed Description

SELinux denied access requested by /bin/mount. It is not expected that this access is required by /bin/mount and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access

You can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package.

Additional Information

Source Context:  system_u:system_r:mount_t
Target Context:  system_u:object_r:unlabeled_t
Target Objects:  / [ filesystem ]
Affected RPM Packages:  util-linux-2.13-0.45.el5_1.1 [application] filesystem-2.4.0-1 [target]
Policy RPM:  selinux-policy-2.4.6-106.el5_1.3
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.catchall
Host Name:  rhel5-vm
Platform:  Linux rhel5-vm 2.6.18-53.1.14.el5 #1 SMP Tue Feb 19 07:18:46 EST 2008 x86_64 x86_64
Alert Count:  4
Line Numbers:

Raw Audit Messages:
avc: denied { mount } for comm="mount" dev=vmblock egid=0 euid=0 exe="/bin/mount" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=2080 scontext=system_u:system_r:mount_t:s0 sgid=0 subj=system_u:system_r:mount_t:s0 suid=0 tclass=filesystem tcontext=system_u:object_r:unlabeled_t:s0 tty=(none) uid=0

Expected Results:
Expected to see /mnt/vmware-home pointing to my host OS home directory.

Additional info:
Comment 1 Daniel Walsh 2008-04-14 15:25:16 EDT
I can fix the labeling on the directory, but I do not see how this mount AVC you
are getting is affected by the labeling.

Comment 2 Daniel Walsh 2008-04-14 15:25:49 EDT
What is the type of the file system you are attempting to mount?
Comment 3 Lance French 2008-04-14 16:21:33 EDT
The other alert.

    SELinux prevented /bin/mount from mounting on the file or directory
    "/usr/lib/vmware-tools/sbin64/vmware-hgfsmounter" (type "lib_t").

Detailed Description
    SELinux prevented /bin/mount from mounting a filesystem on the file or
    directory "/usr/lib/vmware-tools/sbin64/vmware-hgfsmounter" of type "lib_t".
    By default SELinux limits the mounting of filesystems to only some files or
    directories (those with types that have the mountpoint attribute). The type
    "lib_t" does not have this attribute. You can either relabel the file or
    directory or set the boolean "allow_mount_anyfile" to true to allow mounting
    on any file or directory.

Allowing Access
    Changing the "allow_mount_anyfile" boolean to true will allow this access:
    "setsebool -P allow_mount_anyfile=1."

    The following command will allow this access:
    setsebool -P allow_mount_anyfile=1

Additional Information        

Source Context                system_u:system_r:mount_t
Target Context                system_u:object_r:lib_t
Target Objects                /usr/lib/vmware-tools/sbin64/vmware-hgfsmounter [ file ]
Affected RPM Packages         util-linux-2.13-0.45.el5_1.1 [application] VMwareTools-7241-80004 [target]
Policy RPM                    selinux-policy-2.4.6-106.el5_1.3
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.allow_mount_anyfile
Host Name                     rhel5-vm
Platform                      Linux rhel5-vm 2.6.18-53.1.14.el5 #1 SMP Tue Feb 19 07:18:46 EST 2008 x86_64 x86_64
Alert Count                   4
Line Numbers                  

Raw Audit Messages            

avc: denied { execute_no_trans } for comm="mount" dev=dm-0 egid=0 euid=0 exe="/bin/mount" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 path="/usr/lib/vmware-tools/sbin64/vmware-hgfsmounter" pid=2034 scontext=system_u:system_r:mount_t:s0 sgid=0 subj=system_u:system_r:mount_t:s0 suid=0 tclass=file tcontext=system_u:object_r:lib_t:s0 tty=(none) uid=0

Comment 4 Lance French 2008-04-14 16:22:35 EDT
As for what filesystem I am trying to mount, I am not exactly sure how the
vmware-hgfsmounter works but I can tell you the host is a vista machine so I
would assume it's mounting an ntfs FS.
Comment 5 Daniel Walsh 2008-04-14 16:38:29 EDT
But if you 

chcon -R -t sbin_t  /usr/lib/vmware-tools/sbin64

Does it work?
Comment 6 Lance French 2008-04-14 16:57:33 EDT
Hmm, you are right.  It did not work.  I get a protocol error.

[root@rhel5-vm ~]# chcon -R -t sbin_t  /usr/lib/vmware-tools/sbin64
[root@rhel5-vm ~]# /sbin/mount.vmhgfs .host:/ /mnt/hgfs
Error: cannot mount filesystem: Protocol error
Comment 7 Lance French 2008-04-14 17:08:43 EDT
Argh, I am a boob.  It received a protocol error because there were no enabled
shares for that virtual machine.  I created one and it *is* working after the
context change.  
Comment 8 Daniel Walsh 2008-04-21 09:34:59 EDT
Fixed in selinux-policy-2.4.6-33.el5
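The two raw AVC messages in this bug are worth reading side by side, because the setroubleshoot summaries do not match them. The second denial is execute_no_trans on a file of type lib_t: /bin/mount (mount_t) is trying to run the vmware-hgfsmounter helper, and mount_t may execute sbin_t binaries but not lib_t ones. That is a labeling problem, which is why the chcon -t sbin_t in Comment 5 fixes it, and why the allow_mount_anyfile boolean setroubleshoot proposed (which only permits mounting on arbitrary files) would not have. The first denial is mount_t mounting the vmblock filesystem whose context is unlabeled_t, i.e. the policy assigns that filesystem type no label, which no relabel of a directory can fix and needs the policy update noted in Comment 8. The script below is an added example, not part of the bug report or of the selinux-policy package: it parses the two audit lines (constructed copies of the ones quoted above, rejoined onto one line each) with POSIX text tools, classifies each denial, and prints the relabel commands for the lib_t case. The avc_* function names are mine; sbin_t is the type used in Comment 5; the semanage fcontext form is a standard persistence step that the bug does not mention, added because a chcon is undone by the next full relabel.

```shell
#!/bin/sh
# Added example, not from the bug: triage AVC denials with plain POSIX tools.
# Constructed copies of the two raw audit messages quoted in the bug, one line each.
AVC_MOUNT='avc: denied { mount } for comm="mount" dev=vmblock egid=0 euid=0 exe="/bin/mount" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=2080 scontext=system_u:system_r:mount_t:s0 sgid=0 subj=system_u:system_r:mount_t:s0 suid=0 tclass=filesystem tcontext=system_u:object_r:unlabeled_t:s0 tty=(none) uid=0'
AVC_EXEC='avc: denied { execute_no_trans } for comm="mount" dev=dm-0 egid=0 euid=0 exe="/bin/mount" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 path="/usr/lib/vmware-tools/sbin64/vmware-hgfsmounter" pid=2034 scontext=system_u:system_r:mount_t:s0 sgid=0 subj=system_u:system_r:mount_t:s0 suid=0 tclass=file tcontext=system_u:object_r:lib_t:s0 tty=(none) uid=0'

# avc_field LINE KEY: value of KEY=... in an AVC line, surrounding quotes removed.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"' | head -n 1
}

# avc_perm LINE: the denied permission inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^ }]*\) }.*/\1/p'
}

# ctx_type CONTEXT: the type component of a user:role:type[:level] context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_class LINE: "relabel" when mount_t is denied executing a helper that carries
# the lib_t library label (fixable by relabeling the binary), "policy" when a
# filesystem shows up as unlabeled_t because the policy assigns it no label
# (needs a policy update, not a boolean), "unknown" for anything else.
avc_class() {
    perm=$(avc_perm "$1")
    tclass=$(avc_field "$1" tclass)
    ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    case "$tclass:$perm:$ttype" in
        file:execute_no_trans:lib_t) echo relabel ;;
        filesystem:mount:unlabeled_t) echo policy ;;
        *) echo unknown ;;
    esac
}

# avc_fix LINE: commands for a "relabel" denial. The chcon line is what Comment 5
# used; it is lost on a full relabel (restorecon/fixfiles), so the semanage
# fcontext line (my addition, not from the bug) records the label in local policy.
avc_fix() {
    path=$(avc_field "$1" path)
    dir=$(dirname "$path")
    printf 'chcon -R -t sbin_t %s\n' "$dir"
    printf "semanage fcontext -a -t sbin_t '%s(/.*)?' && restorecon -R %s\n" "$dir" "$dir"
}

for line in "$AVC_MOUNT" "$AVC_EXEC"; do
    cls=$(avc_class "$line")
    echo "$(avc_perm "$line") on $(avc_field "$line" tclass) -> $cls"
    if [ "$cls" = relabel ]; then
        avc_fix "$line"
    fi
done
```

Run it as-is to see the classification of both denials; to triage a live system, feed it lines from `ausearch -m avc` instead of the embedded ones. After applying the relabel, `ls -Z /usr/lib/vmware-tools/sbin64` should show sbin_t on the helper, and `matchpathcon` on the same path confirms the semanage entry took.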
