diff --git a/policy/modules/apps/vmware.fc b/policy/modules/apps/vmware.fc index f1af431..cf2097d 100644 --- a/policy/modules/apps/vmware.fc +++ b/policy/modules/apps/vmware.fc @@ -28,12 +28,24 @@ HOME_DIR/vmware(/.*)? gen_context(system_u:object_r:ROLE_vmware_file_t,s0) /usr/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0) /usr/lib/vmware/config -- gen_context(system_u:object_r:vmware_sys_conf_t,s0) +/usr/lib/vmware/bin/vmplayer -- gen_context(system_u:object_r:vmware_exec_t,s0) /usr/lib/vmware/bin/vmware-mks -- gen_context(system_u:object_r:vmware_exec_t,s0) /usr/lib/vmware/bin/vmware-ui -- gen_context(system_u:object_r:vmware_exec_t,s0) +/usr/lib/vmware/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0) + +ifdef(`distro_redhat',` +/usr/lib/vmware-tools/sbin32/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) +/usr/lib/vmware-tools/sbin64/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) +') /usr/lib64/vmware/config -- gen_context(system_u:object_r:vmware_sys_conf_t,s0) /usr/lib64/vmware/bin/vmware-mks -- gen_context(system_u:object_r:vmware_exec_t,s0) /usr/lib64/vmware/bin/vmware-ui -- gen_context(system_u:object_r:vmware_exec_t,s0) +/usr/lib64/vmware/bin/vmplayer -- gen_context(system_u:object_r:vmware_exec_t,s0) +/usr/lib64/vmware/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0) + +/usr/sbin/vmware-guest.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) +/usr/sbin/vmware-serverd -- gen_context(system_u:object_r:vmware_exec_t,s0) ifdef(`distro_gentoo',` /opt/vmware/(workstation|player)/bin/vmnet-bridge -- gen_context(system_u:object_r:vmware_host_exec_t,s0) @@ -49,3 +61,8 @@ ifdef(`distro_gentoo',` /opt/vmware/(workstation|player)/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0) /opt/vmware/(workstation|player)/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0) ') + +/var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0) + +/var/run/vmnat.* -s gen_context(system_u:object_r:vmware_var_run_t,s0) +/var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0) diff --git a/policy/modules/apps/vmware.if b/policy/modules/apps/vmware.if index 47069cf..25d812c 100644 --- a/policy/modules/apps/vmware.if +++ b/policy/modules/apps/vmware.if @@ -202,3 +202,22 @@ interface(`vmware_append_system_config',` allow $1 vmware_sys_conf_t:file append; ') + +######################################## +## +## Append to VMWare log files. +## +## +## +## Domain allowed access. +## +## +# +interface(`vmware_append_log',` + gen_require(` + type vmware_log_t; + ') + + logging_search_logs($1) + append_files_pattern($1, vmware_log_t, vmware_log_t) +') diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te index 622ed65..3320369 100644 --- a/policy/modules/apps/vmware.te +++ b/policy/modules/apps/vmware.te @@ -1,5 +1,5 @@ -policy_module(vmware,1.5.2) +policy_module(vmware, 1.5.3) ######################################## # @@ -15,6 +15,9 @@ type vmware_host_t; type vmware_host_exec_t; init_daemon_domain(vmware_host_t,vmware_host_exec_t) +type vmware_log_t; +logging_log_file(vmware_log_t) + # Systemwide configuration files type vmware_sys_conf_t; files_type(vmware_sys_conf_t) @@ -27,12 +30,13 @@ files_pid_file(vmware_var_run_t) # VMWare host local policy # -allow vmware_host_t self:capability { setuid net_raw }; +allow vmware_host_t self:capability { setgid setuid net_raw }; dontaudit vmware_host_t self:capability sys_tty_config; allow vmware_host_t self:process signal_perms; allow vmware_host_t self:fifo_file rw_fifo_file_perms; allow vmware_host_t self:unix_stream_socket create_stream_socket_perms; allow vmware_host_t self:rawip_socket create_socket_perms; +allow vmware_host_t self:tcp_socket create_socket_perms; # cjp: the ro and rw files should be split up manage_files_pattern(vmware_host_t,vmware_sys_conf_t,vmware_sys_conf_t) @@ -41,6 +45,9 @@ manage_files_pattern(vmware_host_t,vmware_var_run_t,vmware_var_run_t) manage_sock_files_pattern(vmware_host_t,vmware_var_run_t,vmware_var_run_t) files_pid_filetrans(vmware_host_t,vmware_var_run_t,{ file sock_file }) +manage_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t) +logging_log_filetrans(vmware_host_t, vmware_log_t, { file dir }) + kernel_read_kernel_sysctls(vmware_host_t) kernel_list_proc(vmware_host_t) kernel_read_proc_symlinks(vmware_host_t) @@ -63,6 +70,7 @@ corenet_sendrecv_all_client_packets(vmware_host_t) corenet_sendrecv_all_server_packets(vmware_host_t) dev_read_sysfs(vmware_host_t) +dev_read_urand(vmware_host_t) dev_rw_vmware(vmware_host_t) domain_use_interactive_fds(vmware_host_t) @@ -90,6 +98,8 @@ userdom_dontaudit_use_unpriv_user_fds(vmware_host_t) sysadm_dontaudit_search_home_dirs(vmware_host_t) +netutils_domtrans_ping(vmware_host_t) + optional_policy(` seutil_sigchld_newrole(vmware_host_t) @@ -98,16 +108,3 @@ optional_policy(` optional_policy(` udev_read_db(vmware_host_t) ') -netutils_domtrans_ping(vmware_host_t) - -ifdef(`TODO',` -# VMWare need access to pcmcia devices for network -optional_policy(` -allow kernel_t cardmgr_var_lib_t:dir { getattr search }; -allow kernel_t cardmgr_var_lib_t:file { getattr ioctl read }; -') -# Vmware create network devices -allow kernel_t self:capability net_admin; -allow kernel_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write }; -allow kernel_t self:socket create; -')