The reason the is being reported is that the setting of the boolean is being disregarded. This is after installing the latest kernel, '174. The command sequence is: # vmware-config-tools.pl # shutdown -r now # setsebool -P allow_mount_anyfile=1 # service vmware-tools restart The last command generates the error. However, the virtual filesystem is operational. Summary: SELinux prevented mount from mounting on the file or directory "/usr/lib/vmware-tools/sbin32/vmware-hgfsmounter". Detailed Description: SELinux prevented mount from mounting a filesystem on the file or directory "/usr/lib/vmware-tools/sbin32/vmware-hgfsmounter" of type "vmware_host_exec_t". By default SELinux limits the mounting of filesystems to only some files or directories (those with types that have the mountpoint attribute). The type "vmware_host_exec_t" does not have this attribute. You can either relabel the file or directory or set the boolean "allow_mount_anyfile" to true to allow mounting on any file or directory. Allowing Access: Changing the "allow_mount_anyfile" boolean to true will allow this access: "setsebool -P allow_mount_anyfile=1." Fix Command: setsebool -P allow_mount_anyfile=1 Additional Information: Source Context unconfined_u:system_r:mount_t:s0 Target Context system_u:object_r:vmware_host_exec_t:s0 Target Objects /usr/lib/vmware-tools/sbin32/vmware-hgfsmounter [ file ] Source mount Source Path /bin/mount Port <Unknown> Host (removed) Source RPM Packages util-linux-ng-2.16.2-5.fc12 Target RPM Packages Policy RPM selinux-policy-3.6.32-69.fc12 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name allow_mount_anyfile Host Name (removed) Platform Linux (removed) 2.6.31.9-174.fc12.i686.PAE #1 SMP Mon Dec 21 06:04:56 UTC 2009 i686 athlon Alert Count 2 First Seen Fri 22 Jan 2010 10:04:03 AM MST Last Seen Fri 22 Jan 2010 10:41:56 AM MST Local ID 3aae7a97-bb0e-4499-811a-9c85ed680ede Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1264182116.943:29): avc: denied { execute } for pid=5992 comm="mount" name="vmware-hgfsmounter" dev=dm-1 ino=164670 scontext=unconfined_u:system_r:mount_t:s0 tcontext=system_u:object_r:vmware_host_exec_t:s0 tclass=file node=(removed) type=SYSCALL msg=audit(1264182116.943:29): arch=40000003 syscall=11 success=no exit=-13 a0=bfa410a4 a1=bfa41078 a2=104b878 a3=bfa410a4 items=0 ppid=5991 pid=5992 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="mount" exe="/bin/mount" subj=unconfined_u:system_r:mount_t:s0 key=(null) Hash String generated from selinux-policy-3.6.32-69.fc12,allow_mount_anyfile,mount,mount_t,vmware_host_exec_t,file,execute audit2allow suggests: #============= mount_t ============== allow mount_t vmware_host_exec_t:file execute;
######################################## ## <summary> ## Execute vmware host executables ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`vmware_exec_host',` gen_require(` type vmware_host_exec_t; ') can_exec($1, vmware_host_exec_t) ') optional_policy(` vmware_exec_host(mount_t) ') Miroslav add ^^
Alfred, you can add these rules for now using # grep avc /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp
Fixed in selinux-policy-3.6.32-77.fc12
selinux-policy-3.6.32-78.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-78.fc12
selinux-policy-3.6.32-78.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1207
selinux-policy-3.6.32-78.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.