Hi all
I've recently installed VMware 4.5.1 on Fedora 2 Test 2 with SELinux in
enforcing mode. The configuration process only works while enforce=0 and
after every reboot I get a message that VMware has not been configured yet
and I have to rerun the configuration and recreate the vmmon and vmnet
modules. During this I get a hell of a lot of avc denied messages.
I'm quite new to SELinux but I'm guessing this is because there is no
default permission for VMware in the policy. Has anyone else tried this,
or could I perhaps get some help with how to configure VMware to work
alongside SELinux?
VMware-workstation-4.5.1-7568
policy-1.11.2-8
kernel-2.6.5-1.326
Thanx
I saw the additions to file_contexts in policy 1.11.2-9 and thought I'd give
it another try ;)
With enforce=1, vmware-config.pl produces
[root@Purgatory log]# vmware-config.pl
Can't open perl script "/usr/bin/vmware-config.pl": Permission denied
Apr 20 17:36:08 Purgatory kernel: audit(1082496968.198:0): avc: denied
{ read } for pid=4273 exe=/usr/bin/perl name=urandom dev=hda2 ino=596039
scontext=root:system_r:vmware_t
tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Apr 20 17:36:08 Purgatory kernel: audit(1082496968.199:0): avc: denied
{ search } for pid=4273 exe=/usr/bin/perl name=bin dev=hda2 ino=1126081
scontext=root:system_r:vmware_t tcontext=system_u:object_r:bin_t tclass=dir
With enforce=0, vmware-config.pl works OK and also starts the
VMservices alright.
So this works! (see attached file of /var/log/messages)
(But ..) the problem again occurs if there is a change in the enforcing
mode (either with a restart or setenforce=1).
[root@Purgatory log]# service vmware stop
Apr 20 17:44:15 Purgatory kernel: audit(1082497454.955:0): avc: denied
{ search } for pid=5411 comm=vmnet-netifup name=vmnet1 dev= ino=25998
scontext=root:system_r:vmware_t tcontext=system_u:object_r:sysfs_t
tclass=dir
Apr 20 17:44:16 Purgatory kernel: audit(1082497456.081:0): avc: denied
{ unlink } for pid=5136 exe=/usr/bin/vmnet-natd name=vmnat.5136 dev=hda2
ino=2105474 scontext=root:system_r:vmware_t
tcontext=root:object_r:var_run_t tclass=sock_file
[root@Purgatory log]# setenforce 1
[root@Purgatory log]# service vmware start
Starting VMware services:
Virtual machine monitor [ OK ]
Virtual ethernet [ OK ]
Bridged networking on /dev/vmnet0 [FAILED]
Host-only networking on /dev/vmnet1 (background) [ OK ]
Host-only networking on /dev/vmnet8 (background) [ OK ]
NAT networking on /dev/vmnet8 [FAILED]
Apr 20 17:45:46 Purgatory kernel: audit(1082497546.084:0): avc: granted
{ setenforce } for pid=5869 exe=/usr/bin/setenforce
scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t
tclass=security
Apr 20 17:46:00 Purgatory kernel: vmmon: module license 'unspecified'
taints kernel.
Apr 20 17:46:01 Purgatory kernel: parport0: PC-style at 0x3bc (0x7bc)
[PCSPP,TRISTATE]
Apr 20 17:46:01 Purgatory kernel: parport0: irq 7 detected
Apr 20 17:46:01 Purgatory kernel: vmnet: module license 'unspecified'
taints kernel.
Apr 20 17:46:01 Purgatory kernel: audit(1082497561.203:0): avc: denied
{ read write } for pid=5911 exe=/usr/bin/vmnet-bridge name=vmnet0
dev=hda2 ino=588039 scontext=root:system_r:vmware_t
tcontext=root:object_r:device_t tclass=chr_file
Apr 20 17:46:01 Purgatory kernel: audit(1082497561.454:0): avc: denied
{ read write } for pid=5933 exe=/usr/bin/vmnet-natd name=vmnet8 dev=hda2
ino=587693 scontext=root:system_r:vmware_t tcontext=root:object_r:device_t
tclass=chr_file
Apr 20 17:46:11 Purgatory kernel: audit(1082497571.268:0): avc: denied
{ read write } for pid=6190 exe=/usr/bin/vmnet-netifup name=vmnet1
dev=hda2 ino=587685 scontext=root:system_r:vmware_t
tcontext=root:object_r:device_t tclass=chr_file
Apr 20 17:46:11 Purgatory VMware[init]: /dev/vmnet1: Permission denied
Apr 20 17:46:11 Purgatory kernel: audit(1082497571.354:0): avc: denied
{ read write } for pid=6191 exe=/usr/bin/vmnet-netifup name=vmnet8
dev=hda2 ino=587693 scontext=root:system_r:vmware_t
tcontext=root:object_r:device_t tclass=chr_file
Apr 20 17:46:11 Purgatory VMware[init]: /dev/vmnet8: Permission denied
If I restart (with kernel parameter enforcing=1)
[root@Purgatory log]# service vmware start
VMware Workstation is installed, but it has not been (correctly) configured
for the running kernel. To (re-)configure it, invoke the
following command: /usr/bin/vmware-config.pl.
And we're back to square 1!
Hope all this helps, it took a while to get all the messages off ;)
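
An added example, not part of the original posts: a short Python script that groups the AVC denials quoted in this thread by source type, target type and class, so the wrapped log lines reduce to the few access vectors the policy is refusing. The function names are this example's own, and it assumes the record layout shown above, where tclass= is the last field of each record.

```python
import re
from collections import defaultdict

# Records copied from the posts above, mail wrapping kept; the last is left fused to the next syslog line.
SAMPLE = """\
Apr 20 17:36:08 Purgatory kernel: audit(1082496968.199:0): avc: denied
{ search } for pid=4273 exe=/usr/bin/perl name=bin dev=hda2 ino=1126081
scontext=root:system_r:vmware_t tcontext=system_u:object_r:bin_t tclass=dir
Apr 20 17:45:46 Purgatory kernel: audit(1082497546.084:0): avc: granted
{ setenforce } for pid=5869 exe=/usr/bin/setenforce
scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t
tclass=security
Apr 20 17:46:01 Purgatory kernel: audit(1082497561.203:0): avc: denied
{ read write } for pid=5911 exe=/usr/bin/vmnet-bridge name=vmnet0
dev=hda2 ino=588039 scontext=root:system_r:vmware_t
tcontext=root:object_r:device_t tclass=chr_file
Apr 20 17:46:11 Purgatory kernel: audit(1082497571.268:0): avc: denied
{ read write } for pid=6190 exe=/usr/bin/vmnet-netifup name=vmnet1
dev=hda2 ino=587685 scontext=root:system_r:vmware_t
tcontext=root:object_r:device_t tclass=chr_fileApr 20 17:46:11 Purgatory
VMware[init]: /dev/vmnet1: Permission denied
"""

# tclass= is the last field and class names are lowercase, so "chr_fileApr" stops at "A".
AVC_RE = re.compile(
    r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*?)tclass=([a-z_]+)", re.S)

def _type(fields, key):
    m = re.search(key + r"=(\S+)", fields)
    return m.group(1).split(":")[2] if m else None  # context is user:role:type

def summarize_denials(text):
    """Group denied records by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "names": set()})
    for result, perms, fields, tclass in AVC_RE.findall(text):
        if result != "denied":
            continue  # skip 'granted' audit records such as setenforce
        key = (_type(fields, "scontext"), _type(fields, "tcontext"), tclass)
        groups[key]["perms"].update(perms.split())
        groups[key]["names"].update(re.findall(r"\bname=(\S+)", fields))
    return dict(groups)

def report(text):
    """One line per group: access vector plus the object names involved."""
    return [f"{s} -> {t}:{c} {{ {' '.join(sorted(g['perms']))} }} names={sorted(g['names'])}"
            for (s, t, c), g in sorted(summarize_denials(text).items())]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

A group whose target is a generic type such as device_t, with the vmnet nodes as the object names, usually points to a file labeling gap rather than to a missing allow rule.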