PaulHowarth/Blog/2007-11-08

Thursday 8th November 2007

Local Packages

Completed populating the Fedora 8 repository with builds of city-fan.org-release, perl-HTTP-Size, weblint, and weblint++.

Fedora 8 and VMware Server

Upgraded my work desktop to Fedora 8 in the morning, and found I needed a few extra steps to get VMware Server up and running:

# rpm -Uvh VMware-server-1.0.4-56528.i386.rpm

Before configuring VMware Server, it's necessary to install a few additional packages, patch the kernel modules, and make an SELinux tweak. VMware defaults to using a reserved port (902) for the server; it's easier to make it play nice with SELinux by using an unreserved port such as 4800.

# yum install gcc-c++ kernel-devel xinetd 'perl(ExtUtils::MakeMaker)'
# cd
# wget http://knihovny.cvut.cz/ftp/pub/vmware/vmware-any-any-update114.tar.gz
# semanage port -a -t inetd_child_port_t -p tcp 4800
# tar xf vmware-any-any-update114.tar.gz
# cd vmware-any-any-update114
# ./runme.pl
# restorecon -v /etc/services

Warning: if you have a firewall enabled, you'll need to poke a hole in it to allow connections to port 4800, or whatever your chosen port is.

SELinux in Fedora 8

Came across a new (to me) type of SELinux denial whilst trying to get a crontab entry like this one to work in Fedora 8:

45 4 * * * /softlib/scripts/updates-sync | Mail -s "Fedora updates subset mirror report" phowarth

Even after adding all of the rules suggested by audit2allow -R in a local policy module, I was still getting Permission denied errors with SELinux in enforcing mode, but it was working in permissive mode.

In /var/log/audit/audit.log, I found this:

type=SELINUX_ERR msg=audit(1194609955.230:176): security_compute_sid:  invalid context unconfined_u:unconfined_r:system_mail_t:s0 for scontext=unconfined_u:unconfined_r:unconfined_crond_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process

After querying this on fedora-selinux-list, I found that audit2allow doesn't currently cope with this sort of denial (which is not an AVC denial), and what I needed to add was:

role unconfined_r types system_mail_t;

So the policy module I ended up with to allow my mail from cron was this:

policy_module(localmisc, 0.0.8)

require {
        type system_mail_t;
        class netlink_route_socket { bind create getattr nlmsg_read read write };
}

#============= system_mail_t ==============
# Role/type association missed by audit2allow: without it the transition
# from unconfined_crond_t to system_mail_t yields an invalid context
# (security_compute_sid error), not an AVC denial.
role unconfined_r types system_mail_t;
# Rules below were generated from the ordinary AVC denials by audit2allow -R.
allow system_mail_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
unconfined_read_tmp_files(system_mail_t)
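As an added example (my own script, not something from the original post), here is a small shell filter that scans audit records for the security_compute_sid "invalid context" errors that audit2allow skips, and prints the role statement needed for each one. The sample input is constructed from the log line quoted above plus a placeholder AVC record, which the filter should ignore.

```shell
#!/bin/sh
# Constructed sample audit records: the SELINUX_ERR line from the post and a
# placeholder AVC record (not real output) that must be left alone.
SAMPLE_LOG='type=SELINUX_ERR msg=audit(1194609955.230:176): security_compute_sid:  invalid context unconfined_u:unconfined_r:system_mail_t:s0 for scontext=unconfined_u:unconfined_r:unconfined_crond_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process
type=AVC msg=audit(1194609955.230:177): avc:  denied  { read } for  pid=1234 comm="placeholder" scontext=unconfined_u:unconfined_r:system_mail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file'

# Read audit records on stdin. For every security_compute_sid error, pull out
# the rejected context (user:role:type:level), and emit the "role R types T;"
# statement that would make that role/type pair valid. Duplicates collapse.
suggest_role_rules() {
    sed -n 's/.*security_compute_sid:.*invalid context \([^ ]*\) for .*/\1/p' |
    awk -F: '{ print "role " $2 " types " $3 ";" }' |
    sort -u
}

# Usage on a live system: suggest_role_rules < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_LOG" | suggest_role_rules
```

The AVC record is still handled by audit2allow as usual; this only covers the role statement it cannot produce.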
