Running latest rawhide, targeted/enforcing.
I'm testing the latest vmware beta (6?).
Seems to want to mount on /proc/fs/vmware-block/mountPoint:
    none on /proc/fs/vmware-block/mountPoint type vmware-block (rw)
This produces the following AVC during boot:
type=AVC msg=audit(1167500297.368:6): avc: denied { mount } for pid=2225 comm="mount" name="/" dev=vmware-block ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1167500297.368:6): arch=40000003 syscall=21 success=yes exit=0 a0=937cdd8 a1=937ce00 a2=937cde8 a3=c0ed0000 items=0 ppid=2212 pid=2225 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null)
I believe this is the associated AVC from 'unmount' during shutdown:
type=AVC msg=audit(1167502331.621:34): avc: denied { unmount } for pid=4269 comm="umount" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1167502331.621:34): arch=40000003 syscall=22 success=yes exit=0 a0=9f20120 a1=bffc51f0 a2=9f20148 a3=9f20121 items=0 ppid=4268 pid=4269 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="umount" exe="/bin/umount" subj=system_u:system_r:mount_t:s0 key=(null)
This appears to be the script from /etc/init.d/vmware:
    # Start the file system blocking driver
    vmware_start_vmblock() {
      mkdir -p /tmp/VMwareDnD && chmod 777 /tmp/VMwareDnD
      vmware_exec 'Loading module' vmware_load_module $vmblock
      exitcode=`expr $exitcode + $?`
      mount -t vmware-block none /proc/fs/vmware-block/mountPoint
    }

    # Stop the file system blocking driver
    vmware_stop_vmblock() {
      umount /proc/fs/vmware-block/mountPoint
      vmware_unload_module $vmblock
    }
Right way to fix?
tom
Tom London wrote:
> Running latest rawhide, targeted/enforcing.
> I'm testing the latest vmware beta (6?).
> Seems to want to mount on /proc/fs/vmware-block/mountPoint:
>     none on /proc/fs/vmware-block/mountPoint type vmware-block (rw)
> This produces the following AVC during boot:
> type=AVC msg=audit(1167500297.368:6): avc: denied { mount } for pid=2225 comm="mount" name="/" dev=vmware-block ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem
> type=SYSCALL msg=audit(1167500297.368:6): arch=40000003 syscall=21 success=yes exit=0 a0=937cdd8 a1=937ce00 a2=937cde8 a3=c0ed0000 items=0 ppid=2212 pid=2225 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null)
> I believe this is the associated AVC from 'unmount' during shutdown:
> type=AVC msg=audit(1167502331.621:34): avc: denied { unmount } for pid=4269 comm="umount" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem
> type=SYSCALL msg=audit(1167502331.621:34): arch=40000003 syscall=22 success=yes exit=0 a0=9f20120 a1=bffc51f0 a2=9f20148 a3=9f20121 items=0 ppid=4268 pid=4269 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="umount" exe="/bin/umount" subj=system_u:system_r:mount_t:s0 key=(null)
> This appears to be the script from /etc/init.d/vmware:
>     # Start the file system blocking driver
>     vmware_start_vmblock() {
>       mkdir -p /tmp/VMwareDnD && chmod 777 /tmp/VMwareDnD
>       vmware_exec 'Loading module' vmware_load_module $vmblock
>       exitcode=`expr $exitcode + $?`
>       mount -t vmware-block none /proc/fs/vmware-block/mountPoint
>     }
>
>     # Stop the file system blocking driver
>     vmware_stop_vmblock() {
>       umount /proc/fs/vmware-block/mountPoint
>       vmware_unload_module $vmblock
>     }
> Right way to fix?
> tom
This looks like we need a genfscon for a vmware-block type file system.
Perhaps adding these lines, and then some interface to allow vmware to access the filesystem, would work?
    #
    # vmwarefs_t is the type for vmware file systems
    # filesystems and their files.
    #
    type vmwarefs_t;
    fs_noxattr_type(vmwarefs_t)
    allow vmwarefs_t fs_t:filesystem associate;
    genfscon vmware-block / gen_context(system_u:object_r:vmwarefs_t,s0)
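Added example (not code from the thread, Tom's init script, or Dan's policy): a small Python script that parses the two audit events Tom posted, picks out the pattern behind them (a filesystem-class denial from mount_t whose target is unlabeled_t, i.e. the kernel had no label for the vmware-block superblock because policy carries no genfscon for that fs type), and prints the refpolicy-style fragment Dan suggested for the fs type found in the dev= field. The function names, the pairing of the mount and umount records, and the default type name vmwarefs_t are assumptions of this example.

```python
import re

# The two audit events from the thread, each an AVC record followed by its
# SYSCALL record on one line, exactly as they appeared in the mail.
AVC_LINES = [
    'type=AVC msg=audit(1167500297.368:6): avc: denied { mount } for pid=2225 comm="mount" name="/" dev=vmware-block ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem type=SYSCALL msg=audit(1167500297.368:6): arch=40000003 syscall=21 success=yes exit=0 a0=937cdd8 a1=937ce00 a2=937cde8 a3=c0ed0000 items=0 ppid=2212 pid=2225 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null)',
    'type=AVC msg=audit(1167502331.621:34): avc: denied { unmount } for pid=4269 comm="umount" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem type=SYSCALL msg=audit(1167502331.621:34): arch=40000003 syscall=22 success=yes exit=0 a0=9f20120 a1=bffc51f0 a2=9f20148 a3=9f20121 items=0 ppid=4268 pid=4269 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="umount" exe="/bin/umount" subj=system_u:system_r:mount_t:s0 key=(null)',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the AVC fields as a dict, or None if the line is not an AVC denial.

    The SYSCALL record auditd emits for the same event is split off first so
    its fields (pid, comm, ...) do not overwrite the AVC ones; only its
    success= flag is kept.
    """
    m = AVC_RE.search(line)
    if not m:
        return None
    avc_part, _, syscall_part = m.group('rest').partition(' type=SYSCALL')
    rec = {'perms': m.group('perms').split()}
    for key, value in FIELD_RE.findall(avc_part):
        rec[key] = value.strip('"')
    if syscall_part:
        rec['syscall_success'] = dict(FIELD_RE.findall(syscall_part)).get('success')
    return rec


def context_type(ctx):
    """Pick the type out of a user:role:type[:level] security context."""
    return ctx.split(':')[2]


def diagnose(rec):
    """Spot the 'unlabeled filesystem' pattern behind the denials in the thread.

    A filesystem-class denial whose target is unlabeled_t means the kernel
    had no label for that superblock: policy has no genfscon (or fs_use)
    entry for the filesystem type. The fix is a labeling rule for the fs
    type, not an allow rule for mount_t against unlabeled_t.
    """
    if rec is None or rec.get('tclass') != 'filesystem':
        return None
    if context_type(rec['tcontext']) != 'unlabeled_t':
        return None
    return {
        'source_type': context_type(rec['scontext']),
        'perms': rec['perms'],
        # dev= names the fs type on the mount record; the umount record in
        # the thread carries no dev=, so analyse() pairs it with the mount.
        'fstype': rec.get('dev'),
    }


def suggest_policy(fstype, label_type):
    """Build the fragment Dan proposed, parameterised on fs type and type name."""
    return [
        'type %s;' % label_type,
        'fs_noxattr_type(%s)' % label_type,
        'allow %s fs_t:filesystem associate;' % label_type,
        'genfscon %s / gen_context(system_u:object_r:%s,s0)' % (fstype, label_type),
    ]


def analyse(lines, label_type='vmwarefs_t'):
    """Run the parser over a batch of audit lines; return (findings, policy lines)."""
    findings = []
    fstype = None
    for line in lines:
        d = diagnose(parse_avc(line))
        if d is None:
            continue
        fstype = d['fstype'] or fstype  # remember the fs type seen on the mount record
        findings.append(d)
    policy = suggest_policy(fstype, label_type) if fstype else []
    return findings, policy


if __name__ == '__main__':
    findings, policy = analyse(AVC_LINES)
    for f in findings:
        print('%s denied { %s } on unlabeled filesystem %s' % (
            f['source_type'], ' '.join(f['perms']), f['fstype'] or '(type not in record)'))
    print('\n'.join(policy))
```

Run it as is and it reports both denials and prints the four policy lines for vmware-block; feed it other audit lines (for example from ausearch -m avc) and it stays silent on anything that is not a filesystem-class denial against unlabeled_t, which is the point: that combination is a labeling gap, and answering it with audit2allow output granting mount_t access to unlabeled_t would paper over the missing genfscon rather than fix it.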
On 1/2/07, Daniel J Walsh <dwalsh@redhat.com> wrote:
> This looks like we need a genfscon for a vmware-block type file system.
> Perhaps adding these lines, and then some interface to allow vmware to access the filesystem, would work?
>     #
>     # vmwarefs_t is the type for vmware file systems
>     # filesystems and their files.
>     #
>     type vmwarefs_t;
>     fs_noxattr_type(vmwarefs_t)
>     allow vmwarefs_t fs_t:filesystem associate;
>     genfscon vmware-block / gen_context(system_u:object_r:vmwarefs_t,s0)
OK thanks. I'll try to poke around using this as a start....
tom
selinux@lists.fedoraproject.org