diff --git a/policy/modules/apps/vmware.fc b/policy/modules/apps/vmware.fc
index f1af431..cf2097d 100644
--- a/policy/modules/apps/vmware.fc
+++ b/policy/modules/apps/vmware.fc
@@ -28,12 +28,24 @@ HOME_DIR/vmware(/.*)? gen_context(system_u:object_r:ROLE_vmware_file_t,s0)
/usr/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0)
/usr/lib/vmware/config -- gen_context(system_u:object_r:vmware_sys_conf_t,s0)
+/usr/lib/vmware/bin/vmplayer -- gen_context(system_u:object_r:vmware_exec_t,s0)
/usr/lib/vmware/bin/vmware-mks -- gen_context(system_u:object_r:vmware_exec_t,s0)
/usr/lib/vmware/bin/vmware-ui -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib/vmware/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+
+ifdef(`distro_redhat',`
+/usr/lib/vmware-tools/sbin32/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/lib/vmware-tools/sbin64/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+')
/usr/lib64/vmware/config -- gen_context(system_u:object_r:vmware_sys_conf_t,s0)
/usr/lib64/vmware/bin/vmware-mks -- gen_context(system_u:object_r:vmware_exec_t,s0)
/usr/lib64/vmware/bin/vmware-ui -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib64/vmware/bin/vmplayer -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib64/vmware/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+
+/usr/sbin/vmware-guest.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/sbin/vmware-serverd -- gen_context(system_u:object_r:vmware_exec_t,s0)
ifdef(`distro_gentoo',`
/opt/vmware/(workstation|player)/bin/vmnet-bridge -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
@@ -49,3 +61,8 @@ ifdef(`distro_gentoo',`
/opt/vmware/(workstation|player)/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0)
/opt/vmware/(workstation|player)/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0)
')
+
+/var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0)
+
+/var/run/vmnat.* -s gen_context(system_u:object_r:vmware_var_run_t,s0)
+/var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0)
diff --git a/policy/modules/apps/vmware.if b/policy/modules/apps/vmware.if
index 47069cf..25d812c 100644
--- a/policy/modules/apps/vmware.if
+++ b/policy/modules/apps/vmware.if
@@ -202,3 +202,22 @@ interface(`vmware_append_system_config',`
allow $1 vmware_sys_conf_t:file append;
')
+
+########################################
+##
+## Append to VMWare log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`vmware_append_log',`
+ gen_require(`
+ type vmware_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, vmware_log_t, vmware_log_t)
+')
diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te
index 622ed65..3320369 100644
--- a/policy/modules/apps/vmware.te
+++ b/policy/modules/apps/vmware.te
@@ -1,5 +1,5 @@
-policy_module(vmware,1.5.2)
+policy_module(vmware, 1.5.3)
########################################
#
@@ -15,6 +15,9 @@ type vmware_host_t;
type vmware_host_exec_t;
init_daemon_domain(vmware_host_t,vmware_host_exec_t)
+type vmware_log_t;
+logging_log_file(vmware_log_t)
+
# Systemwide configuration files
type vmware_sys_conf_t;
files_type(vmware_sys_conf_t)
@@ -27,12 +30,13 @@ files_pid_file(vmware_var_run_t)
# VMWare host local policy
#
-allow vmware_host_t self:capability { setuid net_raw };
+allow vmware_host_t self:capability { setgid setuid net_raw };
dontaudit vmware_host_t self:capability sys_tty_config;
allow vmware_host_t self:process signal_perms;
allow vmware_host_t self:fifo_file rw_fifo_file_perms;
allow vmware_host_t self:unix_stream_socket create_stream_socket_perms;
allow vmware_host_t self:rawip_socket create_socket_perms;
+allow vmware_host_t self:tcp_socket create_socket_perms;
# cjp: the ro and rw files should be split up
manage_files_pattern(vmware_host_t,vmware_sys_conf_t,vmware_sys_conf_t)
@@ -41,6 +45,9 @@ manage_files_pattern(vmware_host_t,vmware_var_run_t,vmware_var_run_t)
manage_sock_files_pattern(vmware_host_t,vmware_var_run_t,vmware_var_run_t)
files_pid_filetrans(vmware_host_t,vmware_var_run_t,{ file sock_file })
+manage_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t)
+logging_log_filetrans(vmware_host_t, vmware_log_t, { file dir })
+
kernel_read_kernel_sysctls(vmware_host_t)
kernel_list_proc(vmware_host_t)
kernel_read_proc_symlinks(vmware_host_t)
@@ -63,6 +70,7 @@ corenet_sendrecv_all_client_packets(vmware_host_t)
corenet_sendrecv_all_server_packets(vmware_host_t)
dev_read_sysfs(vmware_host_t)
+dev_read_urand(vmware_host_t)
dev_rw_vmware(vmware_host_t)
domain_use_interactive_fds(vmware_host_t)
@@ -90,6 +98,8 @@ userdom_dontaudit_use_unpriv_user_fds(vmware_host_t)
sysadm_dontaudit_search_home_dirs(vmware_host_t)
+netutils_domtrans_ping(vmware_host_t)
+
optional_policy(`
seutil_sigchld_newrole(vmware_host_t)
@@ -98,16 +108,3 @@ optional_policy(`
optional_policy(`
udev_read_db(vmware_host_t)
')
-netutils_domtrans_ping(vmware_host_t)
-
-ifdef(`TODO',`
-# VMWare need access to pcmcia devices for network
-optional_policy(`
-allow kernel_t cardmgr_var_lib_t:dir { getattr search };
-allow kernel_t cardmgr_var_lib_t:file { getattr ioctl read };
-')
-# Vmware create network devices
-allow kernel_t self:capability net_admin;
-allow kernel_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
-allow kernel_t self:socket create;
-')