#DESC VMWare - Virtual machine
#
# Domains, types and permissions for running VMWare (the program) and for
# running a SELinux system in a VMWare session (the VMWare-tools).
#
# Based on work contributed by Mark Westerman (mark.westerman@westcam.com),
# modifications by NAI Labs.
#
# Domain is for the VMWare admin programs and daemons.
# X-Debian-Packages:
#
# NOTE: The user vmware domain is provided separately in
# macros/program/vmware_macros.te
#
# Next two domains are created by the daemon_domain() macro.
# The vmware_t domain is for running VMWare daemons.
# The vmware_exec_t type is for the VMWare daemon and admin programs.
#
# quick hack making it privhome, should have a domain for each user in a macro
# NOTE(review): the `privhome' argument is passed through to daemon_domain();
# its exact effect (presumably home-directory access for vmware_t) is defined
# by that macro, not here -- confirm before relying on it.
daemon_domain(vmware, `, privhome')

#
# The vmware_user_exec_t type is for the user programs.
# (exec_type marks it as an entry-point/executable type; the user domain
# that transitions on it lives in vmware_macros.te, see NOTE above.)
#
type vmware_user_exec_t, file_type, sysadmfile, exec_type;

# Type for vmware devices (device nodes, labelled via device_type/dev_fs).
type vmware_device_t, device_type, dev_fs;

# The sys configuration type used for the /etc/vmware configuration files.
type vmware_sys_conf_t, file_type, sysadmfile;

#########################################################################
# Additional rules to start/stop VMWare
#
# Give init access to VMWare configuration files.
# NOTE(review): this is not read-only -- `append' lets initrc_t extend the
# /etc/vmware configuration files. Confirm the init script actually appends
# to them; otherwise { ioctl read } would be the tighter set.
allow initrc_t vmware_sys_conf_t:file { ioctl read append };

#
# Rules added to kernel_t domain for VMWare to start up
#
# VMWare needs access to pcmcia devices for the network.
# Only compiled in when the cardmgr policy is present (m4 ifdef).
ifdef(`cardmgr.te', `
allow kernel_t cardmgr_var_lib_t:dir { getattr search };
allow kernel_t cardmgr_var_lib_t:file { getattr ioctl read };
')

# VMWare creates network devices.
# NOTE(review): these rules extend kernel_t itself (not vmware_t) with the
# net_admin capability and a writable netlink route socket (nlmsg_write).
# That is interface/route configuration power granted to the kernel domain
# for VMWare's benefit; verify it is still required rather than belonging
# in the vmware_t daemon domain.
allow kernel_t self:capability net_admin;
allow kernel_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
allow kernel_t self:socket create;