|
Chris PeBenito |
0fbfa5 |
# Macro for vmware
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
# Based on work contributed by Mark Westerman (mark.westerman@westcam.com),
|
|
Chris PeBenito |
0fbfa5 |
# modifications by NAI Labs.
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
# Turned into a macro by Thomas Bleher <ThomasBleher@gmx.de>
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
# vmware_domain(domain_prefix)
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
# Define a derived domain for the vmware program when executed by
|
|
Chris PeBenito |
0fbfa5 |
# a user domain.
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
# The type declaration for the executable type for this program is
|
|
Chris PeBenito |
0fbfa5 |
# provided separately in domains/program/vmware.te. This file also
|
|
Chris PeBenito |
0fbfa5 |
# implements a separate domain vmware_t.
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
define(`vmware_domain', `
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Domain for the user applications to run in.
|
|
Chris PeBenito |
0fbfa5 |
type $1_vmware_t, domain, privmem;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
role $1_r types $1_vmware_t;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# The user file type is for files created when the user is running VMWare
|
|
Chris PeBenito |
0fbfa5 |
type $1_vmware_file_t, $1_file_type, file_type, sysadmfile;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# The user file type for the VMWare configuration files
|
|
Chris PeBenito |
0fbfa5 |
type $1_vmware_conf_t, $1_file_type, file_type, sysadmfile;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
#############################################################
|
|
Chris PeBenito |
0fbfa5 |
# User rules for running VMWare
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
# Transition to VMWare user domain
|
|
Chris PeBenito |
0fbfa5 |
domain_auto_trans($1_t, vmware_user_exec_t, $1_vmware_t)
|
|
Chris PeBenito |
0fbfa5 |
can_exec($1_vmware_t, vmware_user_exec_t)
|
|
Chris PeBenito |
0fbfa5 |
uses_shlib($1_vmware_t)
|
|
Chris PeBenito |
0fbfa5 |
var_run_domain($1_vmware)
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
general_domain_access($1_vmware_t);
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Capabilities needed by VMWare for the user execution. This seems a
|
|
Chris PeBenito |
0fbfa5 |
# bit too much, so be careful.
|
|
Chris PeBenito |
0fbfa5 |
allow $1_vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Access to ttys
|
|
Chris PeBenito |
0fbfa5 |
allow $1_vmware_t vmware_device_t:chr_file rw_file_perms;
|
|
Chris PeBenito |
0fbfa5 |
allow $1_vmware_t $1_tty_device_t:chr_file rw_file_perms;
|
|
Chris PeBenito |
0fbfa5 |
allow $1_vmware_t privfd:fd use;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Access /proc
|
|
Chris PeBenito |
0fbfa5 |
r_dir_file($1_vmware_t, proc_t)
|
|
Chris PeBenito |
0fbfa5 |
allow $1_vmware_t proc_net_t:dir search;
|
|
Chris PeBenito |
0fbfa5 |
allow $1_vmware_t proc_net_t:file { getattr read };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Access to some files in the user home directory
|
|
Chris PeBenito |
0fbfa5 |
r_dir_file($1_vmware_t, $1_home_t)
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Access to runtime files for user
|
|
Chris PeBenito |
0fbfa5 |
allow $1_vmware_t $1_vmware_file_t:dir rw_dir_perms;
|
|
Chris PeBenito |
0fbfa5 |
allow $1_vmware_t $1_vmware_file_t:file create_file_perms;
|
|
Chris PeBenito |
0fbfa5 |
allow $1_vmware_t $1_vmware_conf_t:file create_file_perms;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Allow read access to /etc/vmware and /usr/lib/vmware configuration files
|
|
Chris PeBenito |
0fbfa5 |
r_dir_file($1_vmware_t, vmware_sys_conf_t)
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Allow $1_vmware_t to read/write files in the tmp dir
|
|
Chris PeBenito |
0fbfa5 |
tmp_domain($1_vmware)
|
|
Chris PeBenito |
0fbfa5 |
allow $1_vmware_t $1_vmware_tmp_t:file execute;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Allow read access to several paths
|
|
Chris PeBenito |
0fbfa5 |
r_dir_file($1_vmware_t, etc_t)
|
|
Chris PeBenito |
0fbfa5 |
allow $1_vmware_t etc_runtime_t:file r_file_perms;
|
|
Chris PeBenito |
0fbfa5 |
allow $1_vmware_t device_t:dir r_dir_perms;
|
|
Chris PeBenito |
0fbfa5 |
allow $1_vmware_t var_t:dir r_dir_perms;
|
|
Chris PeBenito |
0fbfa5 |
allow $1_vmware_t tmpfs_t:file rw_file_perms;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Allow vmware to write to ~/.vmware
|
|
Chris PeBenito |
0fbfa5 |
rw_dir_create_file($1_vmware_t, $1_vmware_file_t)
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
# This is bad; VMWare needs execute permission to the .cfg file for the
|
|
Chris PeBenito |
0fbfa5 |
# configuration to run.
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
allow $1_vmware_t $1_vmware_conf_t:file execute;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Access X11 config files
|
|
Chris PeBenito |
0fbfa5 |
allow $1_vmware_t lib_t:file r_file_perms;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Access components of VMWare in /usr/lib/vmware/bin by default
|
|
Chris PeBenito |
0fbfa5 |
allow $1_vmware_t bin_t:dir r_dir_perms;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Allow access to lp port (Need to create an lp device domain )
|
|
Chris PeBenito |
0fbfa5 |
allow $1_vmware_t device_t:chr_file r_file_perms;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Allow access to /dev/mem
|
|
Chris PeBenito |
0fbfa5 |
allow $1_vmware_t memory_device_t:chr_file { read write };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Allow access to mouse
|
|
Chris PeBenito |
0fbfa5 |
allow $1_vmware_t mouse_device_t:chr_file r_file_perms;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Allow access the sound device
|
|
Chris PeBenito |
0fbfa5 |
allow $1_vmware_t sound_device_t:chr_file { ioctl write };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Allow removable media and devices
|
|
Chris PeBenito |
0fbfa5 |
allow $1_vmware_t removable_device_t:blk_file r_file_perms;
|
|
Chris PeBenito |
0fbfa5 |
allow $1_vmware_t device_t:lnk_file read;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Allow access to the real time clock device
|
|
Chris PeBenito |
0fbfa5 |
allow $1_vmware_t clock_device_t:chr_file read;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Allow to attach to Xserver, and Xserver to attach back
|
|
Chris PeBenito |
0fbfa5 |
ifdef(`gnome-pty-helper.te', `
|
|
Chris PeBenito |
0fbfa5 |
allow $1_vmware_t $1_gph_t:fd use;
|
|
Chris PeBenito |
0fbfa5 |
')
|
|
Chris PeBenito |
0fbfa5 |
ifdef(`startx.te', `
|
|
Chris PeBenito |
0fbfa5 |
allow $1_vmware_t $1_xserver_tmp_t:sock_file { unlink write };
|
|
Chris PeBenito |
0fbfa5 |
allow $1_vmware_t $1_xserver_tmp_t:dir search;
|
|
Chris PeBenito |
0fbfa5 |
allow $1_vmware_t $1_xserver_t:unix_stream_socket connectto;
|
|
Chris PeBenito |
0fbfa5 |
allow $1_xserver_t $1_vmware_t:shm r_shm_perms;
|
|
Chris PeBenito |
0fbfa5 |
allow $1_xserver_t $1_vmware_t:fd use;
|
|
Chris PeBenito |
0fbfa5 |
')
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Allow filesystem read access
|
|
Chris PeBenito |
0fbfa5 |
allow $1_vmware_t fs_t:filesystem getattr;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
')
|
|
Chris PeBenito |
0fbfa5 |
|