SELinux Policy Constraint Violation


I'm trying some things out in Fedora 11 Alpha.  One of them is to put
VMware-Tools on a Linux guest with SELinux enforcement enabled.  I got a
ton of AVC denials related to vmware-guestd that I turned into a local
policy.  I can handle that fine.

However, I also get denials that output the following when I run them
through audit2why.

Was caused by: Policy constraint violation.  May require adding a type
attribute to the domain or type to satisfy the constraint.  Constraints
are defined in the policy sources in policy/constraints (general),
policy/mcs (MCS), and policy/mls (MLS).

vmware-guestd has (according to the denial logs) a domain of
vmware_host_t, which is the type used in my local policy.

So what does the error really mean (i.e., "constraint"), and how would I
fix it?

Re: SELinux Policy Constraint Violation

Allen Kistler wrote:

So for future readers searching an archive, the answer is ...

The source context (vmware-guestd in this case) is at level
(sensitivity) s0 and the target context is at level (sensitivity and
category) s0:c0.c1023.

SELinux in Fedora enforces a Bell-La Padula model (read-down/write-up).
Since vmware-guestd was running at level s0 (low sensitivity) and
attempting to read something at level s0-s0:c0.c1023 (low-high
sensitivity), nothing else mattered.  It was denied by the read
constraint (i.e., no read-up).

The solution was to allow the source process to run at s0-s0:c0.c1023 so
that it could do pretty much whatever it wanted.

The following policy allows the vmware-tools init script to launch the
vmware-guestd process at the proper level.

# Loadable-module form, built with checkmodule -M -m (MLS enabled) and
# semodule_package.  The existing types, sensitivity and categories are
# referenced in a require block; redeclaring them with bare type/
# sensitivity/category statements is rejected when the module is linked.
module vmware_guestd_range 1.0;
require {
    type initrc_t;
    type vmware_host_exec_t;
    sensitivity s0;
    category c0;
    category c1023;
}
# Run the process that initrc_t launches from a vmware_host_exec_t file at
# the full MCS range s0-s0:c0.c1023 instead of inheriting plain s0.
range_transition initrc_t vmware_host_exec_t : process s0 - s0:c0.c1023;

(Submitted to BZ with a fix soon to be released.)
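As an added example (not part of the original thread), the following Python script models the dominance check behind this denial: it pulls the MLS/MCS level range out of a constructed AVC line whose levels mirror the post (source at s0, target at s0-s0:c0.c1023), tests whether the subject's high level dominates the target's, and lets you re-run the check after relabelling the source at s0-s0:c0.c1023 as the range_transition above does. The "subject's high level must dominate the object's high level" rule is a simplification of the real mlsconstrain expressions in policy/mcs, and the unconfined_t target in the sample line is an assumption.

```python
import re
# Constructed AVC line (not from the original post); the levels mirror the
# ones the post describes: source at s0, target at s0-s0:c0.c1023.
SAMPLE_AVC = (
    'type=AVC msg=audit(1234567890.123:42): avc:  denied  { read } for  pid=2231 '
    'comm="vmware-guestd" scontext=system_u:system_r:vmware_host_t:s0 '
    'tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process'
)
AVC_RE = re.compile(r"scontext=(\S+) tcontext=(\S+) tclass=(\S+)")

def parse_level(text):
    """'s0:c0.c1023' -> (0, {0..1023}); 's0' -> (0, empty set)."""
    sens, _, cats = text.partition(":")
    categories = set()
    for part in cats.split(",") if cats else []:
        lo, _, hi = part.partition(".")  # 'c0.c1023' is a contiguous range
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        categories.update(range(lo_n, hi_n + 1))
    return int(sens[1:]), frozenset(categories)

def parse_range(text):
    """'s0-s0:c0.c1023' -> (low, high); a single level is its own high."""
    low, _, high = text.partition("-")
    low_lvl = parse_level(low)
    return low_lvl, (parse_level(high) if high else low_lvl)

def dominates(a, b):
    """a dominates b: sensitivity >= and category set is a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def read_allowed(scontext, tcontext):
    """'No read-up' as the post describes it: subject's high (clearance) level
    must dominate the object's high level.  Simplified assumption; the exact
    mlsconstrain rules live in policy/mcs and policy/mls.  Range is field 4."""
    s_high = parse_range(scontext.split(":", 3)[3])[1]
    t_high = parse_range(tcontext.split(":", 3)[3])[1]
    return dominates(s_high, t_high)

def with_range(context, new_range):
    """Relabel a context's range, as range_transition does for a new process."""
    user, role, typ, _ = context.split(":", 3)
    return f"{user}:{role}:{typ}:{new_range}"

def check_avc(line):
    """Return (allowed_by_constraint, scontext, tcontext) for one AVC line."""
    scontext, tcontext, _ = AVC_RE.search(line).groups()
    return read_allowed(scontext, tcontext), scontext, tcontext
```

Calling check_avc(SAMPLE_AVC) reports the violation; read_allowed(with_range(scontext, "s0-s0:c0.c1023"), tcontext) then passes, which is exactly what the range_transition rule achieves at exec time.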
