SELinux Policy Constraint Violation
Allen Kistler
Posted on March 13, 2009, 10:55 pm
VMware-Tools on a Linux guest with SELinux enforcement enabled. I got a
ton of AVC denials related to vmware-guestd that I turned into a local
policy. I can handle that fine.
However, I also get denials that output the following when I run them
Was caused by: Policy constraint violation. May require adding a type
attribute to the domain or type to satisfy the constraint. Constraints
are defined in the policy sources in policy/constraints (general),
policy/mcs (MCS), and policy/mls (MLS).
vmware-guestd has (according to the denial logs) a domain of
vmware_host_t, which is the type used in my local policy.
So what does the error really mean (i.e., "constraint"), and how would I
Re: SELinux Policy Constraint Violation
So for future readers searching an archive, the answer is ...
The source context (vmware-guestd in this case) is at level
(sensitivity) s0 and the target context is at level (sensitivity and
SELinux in Fedora enforces a Bell-La Padula model (read-down/write-up).
Since vmware-guestd was running at level s0 (low sensitivity) and
attempting to read something at level s0-s0:c0.c1023 (low-high
sensitivity), nothing else mattered. It was denied by the read
constraint (i.e., no read-up).
The solution was to allow the source process to run at s0-s0:c0.c1023 so
that it could do pretty much whatever it wanted.
The following policy allows the vmware-tools init script to launch the
vmware-guestd process at the proper level.
range_transition initrc_t vmware_host_exec_t :
process s0 - s0:c0.c1023;
(Submitted to BZ with a fix soon to be released.)
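The level comparison the answer describes, as an added example that is not from the original post or from the SELinux policy sources: parse an AVC line, expand the MLS/MCS ranges, and check whether the source dominates the target, first as logged and then after the range_transition above moves the process to s0-s0:c0.c1023. The AVC line is constructed: the source level (s0) and target range (s0-s0:c0.c1023) are the ones the post names, while the target type, object class and pid are placeholders. Treating the read rule as "the source's range must dominate the target's range" is a simplification of the expressions in policy/mls and policy/mcs; the script does not read the actual policy.

```python
import re

# Constructed AVC denial line for illustration; not a log line from the original post.
# The source level (s0) and target range (s0-s0:c0.c1023) mirror what the post describes;
# the target type, class and pid are placeholders.
SAMPLE_AVC = (
    'type=AVC msg=audit(1236984000.123:45): avc:  denied  { read } for  pid=1234 '
    'comm="vmware-guestd" scontext=system_u:system_r:vmware_host_t:s0 '
    'tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process'
)

# The range the post grants to vmware-guestd via range_transition.
TRANSITION_RANGE = 's0-s0:c0.c1023'

AVC_RE = re.compile(r'scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)')


def parse_level(text):
    """'s0:c0.c1023,c5' -> (0, {0, ..., 1023, 5}): sensitivity number and category set.
    Category runs such as c0.c1023 are expanded so set comparison expresses dominance."""
    sens, _, cats = text.partition(':')
    categories = set()
    for item in (cats.split(',') if cats else []):
        if '.' in item:
            lo, hi = item.split('.')
            categories.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            categories.add(int(item[1:]))
    return int(sens[1:]), frozenset(categories)


def parse_range(text):
    """'s0-s0:c0.c1023' -> (low, high); a single level is both its own low and high."""
    low, _, high = text.partition('-')
    low_level = parse_level(low)
    return low_level, (parse_level(high) if high else low_level)


def parse_context(ctx):
    """user:role:type[:range]; the range itself contains ':' so split at most 3 times.
    A context with no range (policy without MLS/MCS) is treated as s0."""
    parts = ctx.split(':', 3)
    rng = parts[3] if len(parts) == 4 else 's0'
    return {'user': parts[0], 'role': parts[1], 'type': parts[2], 'range': parse_range(rng)}


def parse_avc(line):
    """Pull (source context, target context, object class) out of an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError('no scontext/tcontext in line')
    return parse_context(m.group(1)), parse_context(m.group(2)), m.group(3)


def dominates(a, b):
    """a dom b: a's sensitivity is at least b's and a's categories include all of b's."""
    return a[0] >= b[0] and a[1] >= b[1]


def read_down_ok(source, target):
    """The no-read-up rule as the post states it: the reader's clearance (high end of its
    range) must dominate the target's high level, and its low end the target's low level."""
    (l1, h1), (l2, h2) = source['range'], target['range']
    return dominates(h1, h2) and dominates(l1, l2)


def with_range(ctx, new_range):
    """Model the effect of range_transition: same user/role/type, process runs at new_range."""
    return {**ctx, 'range': parse_range(new_range)}


def diagnose(line, transition_range=TRANSITION_RANGE):
    """Report whether the access passes the level check as logged and after the transition."""
    source, target, tclass = parse_avc(line)
    return {
        'tclass': tclass,
        'as_logged': read_down_ok(source, target),
        'after_range_transition': read_down_ok(with_range(source, transition_range), target),
    }


if __name__ == '__main__':
    print(diagnose(SAMPLE_AVC))
```

Run it against your own denial by swapping in the line from /var/log/audit/audit.log: if `as_logged` is False while the type enforcement rules already allow the access, the denial is coming from the level comparison rather than from a missing allow rule, which is the situation the post's range_transition addresses.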