I've been using Fedora and SELinux for over a year now. And so far I've
been able to succesfully confine some apps with SELinux context types,
however now I seem to be facing a challenge since I can't get vmware
process to work under vmware_t domain.

The process however does transition correctly toward vmware_t, but even
when I have granted the proper permissions, vmware isn't finding the kernel
modules, hence not starting.

Nonetheless I can sucessfully run vmware process under staff_t domain, of
course by granting the proper permission through a SELinux module.

Specifically the permission needed to do this under staff_t is:

allow vmware_t modules_object_t:file { getatt read open map };

Which allows me to correctly run vmware within the staff_t domain.

This doesn't happen at all if I attempt to use either the vmware_t or the
user_t domain, even though audit2allow doesn't reveal any AVC denial
preventing any of these domains from mapping the modules_object_t domain.
I've also gone through audit.log and there's nothing preventing the mapping
or access to that particular domain.

Currenlty I'm usin the Kernel 4.11.8 for Fedora 27 and vmware works fine
except when I try to run the process under vmware_t.

I'm lost at this point. And I'm sure this is a SELinux issue, since if I
set it to permissive vmware runs properly, but again, and with the module
in place granting access, audit2allow doesn't reveal anything.

I will greatly appreciatte any help or advice in this matter.

Best Regards.
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org

Reply via email to