#DESC VMWare - Virtual machine

#

# Domains,types and permissions for running VMWare (the program) and for

# running a SELinux system in a VMWare session (the VMWare-tools).

#

# Based on work contributed by Mark Westerman (mark.westerman@westcam.com), 

# modifications by NAI Labs.

#

# Domain is for the VMWare admin programs and daemons.

# X-Debian-Packages:

#

# NOTE: The user vmware domain is provided separately in 

# macros/program/vmware_macros.te

# 

# Next two domains are create by the daemon_domain() macro.

# The vmware_t domain is for running VMWare daemons

# The vmware_exec_t type is for the VMWare daemon and admin programs.

#

# quick hack making it privhome, should have a domain for each user in a macro

daemon_domain(vmware, `, privhome')

#

# The vmware_user_exec_t type is for the user programs.

#

type vmware_user_exec_t, file_type, sysadmfile, exec_type;

# Type for vmware devices.

type vmware_device_t, device_type, dev_fs;

# The sys configuration used for the /etc/vmware configuration files

type vmware_sys_conf_t, file_type, sysadmfile;

#########################################################################

# Additional rules to start/stop VMWare

#

# Give init access to VMWare configuration files

allow initrc_t vmware_sys_conf_t:file { ioctl read append };

#

# Rules added to kernel_t domain for VMWare to start up

#

# VMWare need access to pcmcia devices for network

ifdef(`cardmgr.te', `

allow kernel_t cardmgr_var_lib_t:dir { getattr search };

allow kernel_t cardmgr_var_lib_t:file { getattr ioctl read };

')

# Vmware create network devices

allow kernel_t self:capability net_admin;

allow kernel_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };

allow kernel_t self:socket create;