diff --git a/policy/modules/apps/vmware.fc b/policy/modules/apps/vmware.fc
index a2d4609..5872ea2 100644
--- a/policy/modules/apps/vmware.fc
+++ b/policy/modules/apps/vmware.fc
@@ -20,7 +20,7 @@ HOME_DIR/vmware(/.*)? gen_context(system_u:object_r:vmware_file_t,s0)
 /usr/bin/vmnet-sniffer -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /usr/bin/vmware-network -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /usr/bin/vmware-nmbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
-/usr/bin/vmware-ping -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-ping -- gen_context(system_u:object_r:vmware_exec_t,s0)
 /usr/bin/vmware-smbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /usr/bin/vmware-smbpasswd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /usr/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
@@ -55,7 +55,7 @@ ifdef(`distro_gentoo',`
 /opt/vmware/(workstation|player)/bin/vmnet-netifup -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /opt/vmware/(workstation|player)/bin/vmnet-sniffer -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /opt/vmware/(workstation|player)/bin/vmware-nmbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
-/opt/vmware/(workstation|player)/bin/vmware-ping -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmware-ping -- gen_context(system_u:object_r:vmware_exec_t,s0)
 /opt/vmware/(workstation|player)/bin/vmware-smbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /opt/vmware/(workstation|player)/bin/vmware-smbpasswd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /opt/vmware/(workstation|player)/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
diff --git a/policy/modules/apps/vmware.if b/policy/modules/apps/vmware.if
index 80afe1f..853f575 100644
--- a/policy/modules/apps/vmware.if
+++ b/policy/modules/apps/vmware.if
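Review bot: Relabeling vmware-ping from vmware_host_exec_t to vmware_exec_t takes it out of the vmware_host_t domain, but nothing in this commit gives the domain that will now run it the raw-socket access an ICMP ping needs; the only `rawip_socket create_socket_perms` rule visible in the series is still on vmware_host_t (context of the vmware.te hunk at -76). If vmware-ping now executes in vmware_t (presumably the entrypoint domain for vmware_exec_t, though that rule is not in these hunks), that domain likely needs an equivalent `allow vmware_t self:rawip_socket create_socket_perms;` and the matching `net_raw` capability, or the helper will start failing where it previously worked. If the installed vmware-ping is setuid-root, as it has been in some VMware releases, it is also worth confirming the target domain is meant to carry root-owned processes. The second hunk repeats the relabel for the Gentoo /opt prefix, so any further vmware-ping path in this .fc (none are visible here) would need the same change.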
@@ -32,6 +32,24 @@ interface(`vmware_role',`
 ########################################
 ##
+## Execute vmware host executables
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`vmware_exec_host',`
+ gen_require(`
+ type vmware_host_exec_t;
+ ')
+
+ can_exec($1, vmware_host_exec_t)
+')
+
+########################################
+##
 ## Read VMWare system configuration files.
 ##
 ##
diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te
index b540555..1f803bb 100644
--- a/policy/modules/apps/vmware.te
+++ b/policy/modules/apps/vmware.te
@@ -1,4 +1,4 @@
-policy_module(vmware, 2.2.0)
+policy_module(vmware, 2.2.1)
 ########################################
 #
@@ -31,6 +31,10 @@ init_daemon_domain(vmware_host_t, vmware_host_exec_t)
 type vmware_host_pid_t alias vmware_var_run_t;
 files_pid_file(vmware_host_pid_t)
+type vmware_host_tmp_t;
+files_tmp_file(vmware_host_tmp_t)
+ubac_constrained(vmware_host_tmp_t)
+
 type vmware_log_t;
 typealias vmware_log_t alias { user_vmware_log_t staff_vmware_log_t sysadm_vmware_log_t };
 typealias vmware_log_t alias { auditadm_vmware_log_t secadm_vmware_log_t };
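Review bot: The summary of the new `vmware_exec_host` interface does not state that `can_exec()` runs the host binaries in the caller's own domain with no transition into vmware_host_t, which is the property a caller must understand before granting it on a daemon's executables. I would word the summary `Execute vmware host executables in the caller domain (no domain transition).` and, if this file also has a domtrans interface for vmware_host_exec_t (not visible in the hunk), add one sentence to the description pointing callers there when the daemon domain is what they want. The `Domain allowed access.` parameter text is the standard refpolicy wording and is fine as is.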
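Review bot: `ubac_constrained(vmware_host_tmp_t)` is applied to the tmp type of a domain the hunk header shows is declared with `init_daemon_domain`, which is unusual in refpolicy, where ubac_constrained is normally reserved for types created by user domains. With system_u processes exempt from the UBAC constraint it is harmless for the init-started daemon, but it only makes sense if vmware_host_t is also reached by a transition from user domains; if that is the intent, a one-line comment such as `# host daemon may be started from user sessions; keep per-user tmp separation` above the type would spare the next reader the question, and if it is not, the line can be dropped for consistency with the other daemon tmp types.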
@@ -76,8 +80,16 @@ allow vmware_host_t self:unix_stream_socket create_stream_socket_perms;
 allow vmware_host_t self:rawip_socket create_socket_perms;
 allow vmware_host_t self:tcp_socket create_socket_perms;
+can_exec(vmware_host_t, vmware_host_exec_t)
+
 # cjp: the ro and rw files should be split up
 manage_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t)
+manage_lnk_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t)
+
+manage_dirs_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t)
+manage_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t)
+manage_sock_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t)
+files_tmp_filetrans(vmware_host_t, vmware_host_tmp_t, { file dir })
 manage_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t)
 manage_sock_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t)
@@ -88,6 +100,7 @@ logging_log_filetrans(vmware_host_t, vmware_log_t, { file dir })
 kernel_read_kernel_sysctls(vmware_host_t)
 kernel_read_system_state(vmware_host_t)
+kernel_read_network_state(vmware_host_t)
 corenet_all_recvfrom_unlabeled(vmware_host_t)
 corenet_all_recvfrom_netlabel(vmware_host_t)
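Review bot: `files_tmp_filetrans(vmware_host_t, vmware_host_tmp_t, { file dir })` leaves out `sock_file` even though the same hunk grants `manage_sock_files_pattern` on vmware_host_tmp_t, so a socket the daemon creates directly under /tmp would be labeled tmp_t and the new sock-file rule would never apply to it; either extend the class list to `{ file dir sock_file }` or drop the sock-file rule if sockets only ever live inside a vmware_host_tmp_t subdirectory. Separately, `manage_lnk_files_pattern` on vmware_sys_conf_t gives the daemon create, unlink and rename on symlinks inside its own configuration tree, widening the read/write overlap that the existing `# cjp` comment already flags; unless the denial that motivated it showed the daemon writing symlinks, `read_lnk_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t)` is the narrower grant. The `can_exec(vmware_host_t, vmware_host_exec_t)` line keeps re-executed helpers in the daemon's own domain, which is consistent with the `vmware_exec_host` interface added in vmware.if.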