PDA

View Full Version : FC8 SELInux versus VMware WS 6

hokousha
12th December 2007, 12:48 PM
So it seems that VMware Workstation 6 and the current SELinux policy for FC8 don't play well together. After ensuring that I have the latest policy, trying to run the binary generates a bunch of AVC messages, to begin with:

SELinux is preventing /lib/ld-2.7.so from making the program stack executable.
SELinux is preventing /usr/lib/vmware/bin/vmware from changing a writable memory segment executable.

I see that FC8 does provide a policy module for VMware, and indeed the script that starts the program (/usr/bin/vmware) is correctly labeled vmware_exec_t, but obviously there are problems. One thing I see is that the actual VMware executables (in /usr/lib/vmware/bin) have a mixed set of labels:

-r-xr-xr-x root root system_u:object_r:vmware_exec_t:s0 vmplayer
-r-xr-xr-x root root system_u:object_r:bin_t:s0 vmrun
-r-xr-xr-x root root system_u:object_r:bin_t:s0 vmware
-r-xr-xr-x root root system_u:object_r:bin_t:s0 vmware-acetool
-r-xr-xr-x root root system_u:object_r:bin_t:s0 vmware-tray
-r-sr-xr-x root root system_u:object_r:vmware_host_exec_t:s0 vmware-vmx

but after relabeling, nothing changed. Are there some steps I need to take to make the software usable?

Thanks!
drunkahol
12th December 2007, 01:20 PM
Mine is working fully. Don't remember any problems in getting it going.

Have a look at the SELinuxtroubleshooter application. It lets you know why things have been refused access.

Cheers

Duncan
SlowJet
12th December 2007, 01:41 PM

SELinux is preventing /lib/ld-2.7.so from making the program stack executable.
SELinux is preventing /usr/lib/vmware/bin/vmware from changing a writable memory segment executable.

Those are memory boolean concerning the memory protection features in the kernel.
Try selinux management tool, boolean, global, far right column exec(mem,stack, ...)

SJ
XulChris
12th December 2007, 11:40 PM
I'm not sure if this helps, but I got vmware working with selinux-policy-3.0.8-68.fc8 (yum --enablerepo=updates-testing update selinux-policy), and the module shown here:
https://bugzilla.redhat.com/show_bug.cgi?id=422331

Hope this helps.
hokousha
13th December 2007, 03:08 AM
Thanks! I'll try out the updated policy and your modifications. Currently I'm running the stock policy selinux-policy-3.0.8-62.fc8.