From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5

Description of problem:
This is the same bug in Bugzilla Bug 238360 with the only twist that the x86_64 version of vmware-tools places the tools in /usr/lib/vmware-tools/sbin64/ as opposed to /usr/lib/vmware-tools/sbin32/.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-106.el5_1.3

How reproducible:
Always

Steps to Reproduce:
1. Install and configure vmware-tools (workstation ver. 6) on a RHEL5 64 bit guest.
2. Reboot.

Actual Results:
SELinux is preventing /bin/mount (mount_t) "mount" to / (unlabeled_t).

Detailed Description
SELinux denied access requested by /bin/mount. It is not expected that this access is required by /bin/mount and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
You can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package.
Additional Information
Source Context: system_u:system_r:mount_t
Target Context: system_u:object_r:unlabeled_t
Target Objects: / [ filesystem ]
Affected RPM Packages: util-linux-2.13-0.45.el5_1.1 [application]
                       filesystem-2.4.0-1 [target]
Policy RPM: selinux-policy-2.4.6-106.el5_1.3
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.catchall
Host Name: rhel5-vm
Platform: Linux rhel5-vm 2.6.18-53.1.14.el5 #1 SMP Tue Feb 19 07:18:46 EST 2008 x86_64 x86_64
Alert Count: 4
Line Numbers:

Raw Audit Messages:
avc: denied { mount } for comm="mount" dev=vmblock egid=0 euid=0 exe="/bin/mount" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=2080 scontext=system_u:system_r:mount_t:s0 sgid=0 subj=system_u:system_r:mount_t:s0 suid=0 tclass=filesystem tcontext=system_u:object_r:unlabeled_t:s0 tty=(none) uid=0

Expected Results:
Expected to see /mnt/vmware-home pointing to my host OS home directory.

Additional info:
I can fix the labeling on the directory, but I do not see how this mount AVC you are getting is affected by the labeling.
What is the type of the file system you are attempting to mount?
The other alert.

Summary
SELinux prevented /bin/mount from mounting on the file or directory "/usr/lib/vmware-tools/sbin64/vmware-hgfsmounter" (type "lib_t").

Detailed Description
SELinux prevented /bin/mount from mounting a filesystem on the file or directory "/usr/lib/vmware-tools/sbin64/vmware-hgfsmounter" of type "lib_t". By default SELinux limits the mounting of filesystems to only some files or directories (those with types that have the mountpoint attribute). The type "lib_t" does not have this attribute. You can either relabel the file or directory or set the boolean "allow_mount_anyfile" to true to allow mounting on any file or directory.

Allowing Access
Changing the "allow_mount_anyfile" boolean to true will allow this access: "setsebool -P allow_mount_anyfile=1."

The following command will allow this access:
setsebool -P allow_mount_anyfile=1

Additional Information
Source Context: system_u:system_r:mount_t
Target Context: system_u:object_r:lib_t
Target Objects: /usr/lib/vmware-tools/sbin64/vmware-hgfsmounter [ file ]
Affected RPM Packages: util-linux-2.13-0.45.el5_1.1 [application]
                       VMwareTools-7241-80004 [target]
Policy RPM: selinux-policy-2.4.6-106.el5_1.3
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.allow_mount_anyfile
Host Name: rhel5-vm
Platform: Linux rhel5-vm 2.6.18-53.1.14.el5 #1 SMP Tue Feb 19 07:18:46 EST 2008 x86_64 x86_64
Alert Count: 4
Line Numbers:

Raw Audit Messages:
avc: denied { execute_no_trans } for comm="mount" dev=dm-0 egid=0 euid=0 exe="/bin/mount" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 path="/usr/lib/vmware-tools/sbin64/vmware-hgfsmounter" pid=2034 scontext=system_u:system_r:mount_t:s0 sgid=0 subj=system_u:system_r:mount_t:s0 suid=0 tclass=file tcontext=system_u:object_r:lib_t:s0 tty=(none) uid=0
As for what filesystem I am trying to mount, I am not exactly sure how the vmware-hgfsmounter works, but I can tell you the host is a Vista machine, so I would assume it's mounting an NTFS FS.
But if you

chcon -R -t sbin_t /usr/lib/vmware-tools/sbin64

Does it work?
Hmm, you are right. It did not work. I get a protocol error.

[root@rhel5-vm ~]# chcon -R -t sbin_t /usr/lib/vmware-tools/sbin64
[root@rhel5-vm ~]# /sbin/mount.vmhgfs .host:/ /mnt/hgfs
Error: cannot mount filesystem: Protocol error
Argh, I am a boob. It received a protocol error because there were no enabled shares for that virtual machine. I created one and it *is* working after the context change.
Fixed in selinux-policy-2.4.6-33.el5
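
Added example, not part of the original report or of any SELinux tool: a small parser for the raw audit messages quoted in this thread. It extracts the source and target types and separates the two denials, the label on the helper binary and the open question about the filesystem type. The `triage` helper and its output strings are hypothetical; the sample lines are constructed from the messages above.

```python
import re
import shlex

# Constructed input: the two raw audit messages quoted in this report
# (most uid/gid fields dropped, wrapped path rejoined).
SAMPLE = [
    'avc: denied { mount } for comm="mount" dev=vmblock exe="/bin/mount" '
    'exit=-13 name="/" pid=2080 scontext=system_u:system_r:mount_t:s0 '
    'tclass=filesystem tcontext=system_u:object_r:unlabeled_t:s0 tty=(none)',
    'avc: denied { execute_no_trans } for comm="mount" dev=dm-0 '
    'exe="/bin/mount" exit=-13 '
    'path="/usr/lib/vmware-tools/sbin64/vmware-hgfsmounter" pid=2034 '
    'scontext=system_u:system_r:mount_t:s0 tclass=file '
    'tcontext=system_u:object_r:lib_t:s0 tty=(none)',
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def context_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":", 3)   # the MLS level may itself contain ':'
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one 'avc: denied' record into a dict, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group(1).split()}
    for token in shlex.split(m.group(2)):   # shlex strips the "..." quoting
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value
    rec["source_type"] = context_type(rec.get("scontext", ""))
    rec["target_type"] = context_type(rec.get("tcontext", ""))
    return rec

def triage(rec):
    """Map a denial to the question raised for it in the thread (hypothetical)."""
    obj = rec.get("path") or rec.get("name") or "?"
    if rec.get("tclass") == "file" and "execute_no_trans" in rec["perms"]:
        return f"label: {rec['source_type']} may not run {obj} ({rec['target_type']})"
    if rec.get("tclass") == "filesystem" and rec["target_type"] == "unlabeled_t":
        return f"fstype: which filesystem is behind dev={rec.get('dev')}?"
    return f"other: {rec['source_type']} -> {rec['target_type']} {rec['perms']}"

if __name__ == "__main__":
    for line in SAMPLE:
        print(triage(parse_avc(line)))
```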