Vmware not working under vmware_t context type

asked 2018-02-02 13:45:28 -0600

updated 2018-02-08 21:46:32 -0600

aeperezt

Hello.

I've been using Fedora and SELinux for over a year now. And so far I've been able to successfully confine some apps with SELinux context types, however now I seem to be facing a challenge since I can't get vmware process to work under vmware_t domain.

The process however does transition correctly toward vmware_t, but even when I have granted the proper permissions, vmware isn't finding the kernel modules, hence not starting.

Nonetheless I can successfully run vmware process under staff_t domain, of course by granting the proper permission through a SELinux module.

Specifically the permission needed to do this under staff_t is:

allow vmware_t modules_object_t:file { getattr read open map };

Which allows me to correctly run vmware within the staff_t domain.

This doesn't happen at all if I attempt to use either the vmware_t or the user_t domain, even though audit2allow doesn't reveal any AVC denial preventing any of these domains from mapping the modules_object_t domain. I've also gone through audit.log and there's nothing preventing the mapping or access to that particular domain.

Currently I'm using the Kernel 4.11.8 for Fedora 27 and vmware works fine except when I try to run the process under vmware_t.

I'm lost at this point. And I'm sure this is a SELinux issue, since if I set it to permissive vmware runs properly, but again and with the module in place granting access, audit2allow doesn't reveal anything.

I will greatly appreciate any help or advice in this matter.

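An added example, not part of the original post: a small Python check that groups AVC denials from audit.log text by source domain and lists the permissions not already covered by the allow rule quoted above. The log lines, paths and function names are constructed for illustration and are assumptions, not data from the poster's system.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (placeholder paths, not from the post).
SAMPLE_LOG = """\
type=AVC msg=audit(1517600728.101:901): avc:  denied  { map } for  pid=4242 comm="vmware" path="/example/modules.dep" dev="dm-0" ino=1001 scontext=staff_u:staff_r:vmware_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=0
type=AVC msg=audit(1517600728.102:902): avc:  denied  { read open } for  pid=4242 comm="vmware" path="/example/modules.dep" dev="dm-0" ino=1001 scontext=staff_u:staff_r:vmware_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=0
type=AVC msg=audit(1517600729.200:903): avc:  denied  { search } for  pid=4242 comm="vmware" name="modules" dev="dm-0" ino=1000 scontext=staff_u:staff_r:vmware_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1517600730.300:904): avc:  denied  { map } for  pid=4243 comm="vmware" path="/example/modules.dep" dev="dm-0" ino=1001 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1517600730.300:904): arch=c000003e syscall=9 success=no
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def collect_denials(log_text, source_type=None):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        if source_type and key[0] != source_type:
            continue
        denials[key].update(m["perms"].split())
    return dict(denials)

def missing_rules(denials, granted):
    """Render allow rules for denied permissions not already in `granted`."""
    rules = []
    for key, perms in sorted(denials.items()):
        need = sorted(perms - granted.get(key, set()))
        if need:
            rules.append("allow %s %s:%s { %s };" % (*key, " ".join(need)))
    return rules

# Permissions covered by the allow rule quoted in the post.
GRANTED = {("vmware_t", "modules_object_t", "file"): {"getattr", "read", "open", "map"}}

if __name__ == "__main__":
    print("\n".join(missing_rules(collect_denials(SAMPLE_LOG, "vmware_t"), GRANTED)))
```

On the constructed sample, the file-class denials are already covered by the quoted rule, so only the dir-class denial is reported.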