# Macro for vmware
#
# Based on work contributed by Mark Westerman (mark.westerman@westcam.com),
# modifications by NAI Labs.
#
# Turned into a macro by Thomas Bleher <ThomasBleher@gmx.de>
#
# vmware_domain(domain_prefix)
#
# Define a derived domain for the vmware program when executed by
# a user domain.
#
# The type declaration for the executable type for this program is
# provided separately in domains/program/vmware.te. This file also
# implements a separate domain vmware_t.
#
 
define(`vmware_domain', `
# Domain for the user applications to run in.
type $1_vmware_t, domain, privmem;
role $1_r types $1_vmware_t;
# The user file type is for files created when the user is running VMWare
type $1_vmware_file_t, $1_file_type, file_type, sysadmfile;
# The user file type for the VMWare configuration files
type $1_vmware_conf_t, $1_file_type, file_type, sysadmfile;
#############################################################
# User rules for running VMWare
#
# Transition to VMWare user domain
domain_auto_trans($1_t, vmware_user_exec_t, $1_vmware_t)
can_exec($1_vmware_t, vmware_user_exec_t)
uses_shlib($1_vmware_t)
var_run_domain($1_vmware)
general_domain_access($1_vmware_t);
# Capabilities needed by VMWare when run by a user. This grant seems a
# bit too much (sys_admin and sys_rawio in particular), so be careful.
allow $1_vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio };
# Access to ttys
allow $1_vmware_t vmware_device_t:chr_file rw_file_perms;
allow $1_vmware_t $1_tty_device_t:chr_file rw_file_perms;
allow $1_vmware_t privfd:fd use;
# Access /proc
r_dir_file($1_vmware_t, proc_t)
allow $1_vmware_t proc_net_t:dir search;
allow $1_vmware_t proc_net_t:file { getattr read };
# Access to some files in the user home directory
r_dir_file($1_vmware_t, $1_home_t)
# Access to runtime files for user
allow $1_vmware_t $1_vmware_file_t:dir rw_dir_perms;
allow $1_vmware_t $1_vmware_file_t:file create_file_perms;
allow $1_vmware_t $1_vmware_conf_t:file create_file_perms;
# Allow read access to /etc/vmware and /usr/lib/vmware configuration files
r_dir_file($1_vmware_t, vmware_sys_conf_t)
# Allow $1_vmware_t to read/write files in the tmp dir
tmp_domain($1_vmware)
allow $1_vmware_t $1_vmware_tmp_t:file execute;
# Allow read access to several paths
r_dir_file($1_vmware_t, etc_t)
allow $1_vmware_t etc_runtime_t:file r_file_perms;
allow $1_vmware_t device_t:dir r_dir_perms;
allow $1_vmware_t var_t:dir r_dir_perms;
allow $1_vmware_t tmpfs_t:file rw_file_perms;
# Allow vmware to write to ~/.vmware
rw_dir_create_file($1_vmware_t, $1_vmware_file_t)
#
# This is bad; VMWare needs execute permission to the .cfg file for the
# configuration to run.
#
allow $1_vmware_t $1_vmware_conf_t:file execute;
# Access X11 config files
allow $1_vmware_t lib_t:file r_file_perms;
# Access components of VMWare in /usr/lib/vmware/bin by default
allow $1_vmware_t bin_t:dir r_dir_perms;
# Allow access to the lp port (a separate lp device domain still needs to be created)
allow $1_vmware_t device_t:chr_file r_file_perms;
# Allow read/write access to /dev/mem
allow $1_vmware_t memory_device_t:chr_file { read write };
# Allow access to mouse
allow $1_vmware_t mouse_device_t:chr_file r_file_perms;
# Allow access to the sound device
allow $1_vmware_t sound_device_t:chr_file { ioctl write };
# Allow removable media and devices
allow $1_vmware_t removable_device_t:blk_file r_file_perms;
allow $1_vmware_t device_t:lnk_file read;
# Allow access to the real time clock device
allow $1_vmware_t clock_device_t:chr_file read;
# Allow attaching to the X server, and the X server to attach back
ifdef(`gnome-pty-helper.te', `
allow $1_vmware_t $1_gph_t:fd use;
')
ifdef(`startx.te', `
allow $1_vmware_t $1_xserver_tmp_t:sock_file { unlink write };
allow $1_vmware_t $1_xserver_tmp_t:dir search;
allow $1_vmware_t $1_xserver_t:unix_stream_socket connectto;
allow $1_xserver_t $1_vmware_t:shm r_shm_perms;
allow $1_xserver_t $1_vmware_t:fd use;
')
# Allow filesystem read access
allow $1_vmware_t fs_t:filesystem getattr;
')