SELinux fix for /dev/vmnet* devices with Fedora 12...

rbroberts · ‎03-12-2010

When the vmnet module is loaded, the /dev/vmnet* devices are created with contexts like so:

root@aristarchus ~# ls -Z /dev/vmnet*
crw-----. root root unconfined_u:object_r:device_t:SystemLow /dev/vmnet0
crw---. root root unconfined_u:object_r:device_t:SystemLow /dev/vmnet1
crw-----. root root unconfined_u:object_r:device_t:SystemLow /dev/vmnet8

This triggers various SELinux warnings as they should have contexts of

root@aristarchus ~# ls -Z /dev/vmnet*
crw-----. root root system_u:object_r:vmware_device_t:SystemLow /dev/vmnet0
crw---. root root system_u:object_r:vmware_device_t:SystemLow /dev/vmnet1
crw-----. root root system_u:object_r:vmware_device_t:SystemLow /dev/vmnet8

In fact, the above is what "restorecon -v /dev/vmnet*"produces.

The long-term fix to avoid having to run restorecon by hand is to modify /etc/rc.d/init.d/vmware to call restorecon immediately after loading the vmnet module. Here is a patch:

root@aristarchus # diff -uw /etc/rc.d/init.d/vmware /etc/rc.d/init.d/vmware
--- /etc/rc.d/init.d/vmware~ 2010-03-12 10:29:43.000000000 -0500
+ /etc/rc.d/init.d/vmware 2010-03-12 10:28:18.000000000 -0500
@@ -144,6 +144,7 @@
vmwareStartVmnet() {
vmwareLoadModule $vnet
"$BINDIR"/vmware-networks --start >> $VNETLIB_LOG 2>&1
+ -x /sbin/restorecon && /sbin/restorecon /dev/vmnet*
}
# Stop the virtual ethernet kernel service

The above makes it possible for me to now put my system in enforcing mode

rbroberts · ‎03-19-2010

As it turns out, the above is not quite enough. It would appear that the vmware-networks --start both creates the device nodes and accesses them, so there is no real opportunity to change/restore the context. So I'm not out of the woods.

All

SELinux fix for /dev/vmnet* devices with Fedora 12 as Host