Allen Kistler wrote:
> I'm trying some things out in Fedora 11 Alpha. One of them is to put
> VMware-Tools on a Linux guest with SELinux enforcement enabled. I got a
> ton of AVC denials related to vmware-guestd that I turned into a local
> policy. I can handle that fine.
>
> However, I also get denials that output the following when I run them
> through audit2why.
>
> ---
> Was caused by: Policy constraint violation. May require adding a type
> attribute to the domain or type to satisfy the constraint. Constraints
> are defined in the policy sources in policy/constraints (general),
> policy/mcs (MCS), and policy/mls (MLS).
> ---
>
> vmware-guestd has (according to the denial logs) a domain of
> vmware_host_t, which is the type used in my local policy.
>
> So what does the error really mean (i.e., "constraint"), and how would I
> fix it?
So for future readers searching an archive, the answer is ...
The source context (vmware-guestd in this case) is at level
(sensitivity) s0 and the target context is at level (sensitivity and
category) s0:c0.c1023.
SELinux in Fedora enforces a Bell-La Padula model (read-down/write-up).
Since vmware-guestd was running at level s0 (low sensitivity) and
attempting to read something at level s0-s0:c0.c1023 (low-high
sensitivity), nothing else mattered. It was denied by the read
constraint (i.e., no read-up).
The solution was to allow the source process to run at s0-s0:c0.c1023 so
that it could do pretty much whatever it wanted.
The following policy allows the vmware-tools init script to launch the
vmware-guestd process at the proper level.
module vmware_guestd_range 1.0;   # module name is arbitrary

# initrc_t, vmware_host_exec_t, s0 and the categories already exist in the base policy.
require {
        type initrc_t;
        type vmware_host_exec_t;
        sensitivity s0;
        category c0;
        category c1023;
}

# Start vmware-guestd at s0-s0:c0.c1023 when initrc_t executes vmware_host_exec_t.
range_transition initrc_t vmware_host_exec_t : process s0 - s0:c0.c1023;
(Submitted to BZ with a fix soon to be released.)
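For readers who want to see why the denial above is a constraint violation rather than a missing allow rule, here is a small script that replays the check. This is an added example and not code from the thread, Fedora or VMware. It implements the read constraint from refpolicy's policy/mcs, the constraint file Fedora's targeted policy uses, which compares the high level of the subject's range with the high level of the object's (h1 dom h2; the low levels are not consulted). That is why the range_transition above, which only raises the upper bound of vmware-guestd's range to s0:c0.c1023, is enough. The AVC line is constructed in the shape of the denial described in the thread; the target type etc_t and the other AVC fields are assumptions.

```python
"""Replay the MCS read constraint against an AVC denial.

Added example, not code from the original thread. It implements the
read check from refpolicy's policy/mcs (the high level of the subject's
range must dominate the high level of the object's), parses the
scontext/tcontext of an AVC line, and shows the denial at s0 and the
pass once vmware-guestd runs at s0-s0:c0.c1023. The AVC line is
constructed; etc_t as the target type is an assumption.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    """One MLS/MCS level: a sensitivity number and a set of category numbers."""
    sens: int
    cats: frozenset

    def dominates(self, other):
        # 'dom': sensitivity not lower and category set a superset.
        return self.sens >= other.sens and self.cats >= other.cats


def parse_level(text):
    """'s0', 's0:c0.c1023' or 's2:c1,c4.c6' -> Level."""
    sens_part, _, cat_part = text.partition(":")
    m = re.fullmatch(r"s(\d+)", sens_part)
    if not m:
        raise ValueError(f"bad sensitivity in level {text!r}")
    cats = set()
    for item in filter(None, cat_part.split(",")):
        lo, _, hi = item.partition(".")      # 'c0.c1023' is an inclusive run
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        cats.update(range(lo_n, hi_n + 1))
    return Level(int(m.group(1)), frozenset(cats))


def parse_range(text):
    """'s0-s0:c0.c1023' -> (low, high); a bare level is its own low and high."""
    low_s, _, high_s = text.partition("-")
    low = parse_level(low_s)
    high = parse_level(high_s) if high_s else low
    if not high.dominates(low):
        raise ValueError(f"high level must dominate low level in {text!r}")
    return low, high


def context_range(ctx):
    """Return the range field of 'user:role:type:range' (the range may contain ':')."""
    return ctx.split(":", 3)[3]


def with_range(ctx, new_range):
    """Rewrite the range field, as the range_transition does for the new process."""
    user, role, typ, _ = ctx.split(":", 3)
    return ":".join((user, role, typ, new_range))


def mcs_read_allowed(scontext, tcontext):
    """policy/mcs read constraint: (h1 dom h2). Low levels play no part."""
    _, h1 = parse_range(context_range(scontext))
    _, h2 = parse_range(context_range(tcontext))
    return h1.dominates(h2)


AVC_RE = re.compile(r"scontext=(\S+) tcontext=(\S+) tclass=(\S+)")


def check_avc(line):
    """Extract the contexts from an AVC line and evaluate the MCS read check."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("no scontext/tcontext/tclass in line")
    scontext, tcontext, tclass = m.groups()
    return {"scontext": scontext, "tcontext": tcontext, "tclass": tclass,
            "mcs_read_ok": mcs_read_allowed(scontext, tcontext)}


# Constructed denial in the shape of the thread: subject at s0, object at s0:c0.c1023.
SAMPLE_AVC = ('type=AVC msg=audit(1236000000.000:1): avc:  denied  { read } for  '
              'pid=1 comm="vmware-guestd" '
              'scontext=system_u:system_r:vmware_host_t:s0 '
              'tcontext=system_u:object_r:etc_t:s0:c0.c1023 tclass=file')

FIXED_RANGE = "s0-s0:c0.c1023"   # the range the range_transition in the thread assigns


if __name__ == "__main__":
    before = check_avc(SAMPLE_AVC)
    print("subject at s0:            read allowed =", before["mcs_read_ok"])
    after = mcs_read_allowed(with_range(before["scontext"], FIXED_RANGE),
                             before["tcontext"])
    print(f"subject at {FIXED_RANGE}: read allowed =", after)
```

Running it shows the read failing while vmware-guestd is at plain s0 (its high level carries no categories, so it cannot dominate s0:c0.c1023) and passing once the subject's high level is s0:c0.c1023. To check a real denial, paste the AVC line from audit.log in place of SAMPLE_AVC; if the type-enforcement rules are already in place and this check still fails, the fix is a range (as in the thread), not another allow rule.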