# Macro for vmware
#
# Based on work contributed by Mark Westerman (mark.westerman@westcam.com),
# modifications by NAI Labs.
#
# Turned into a macro by Thomas Bleher <ThomasBleher@gmx.de>
#
# vmware_domain(domain_prefix)
#
# Define a derived domain for the vmware program when executed by
# a user domain.
#
# Parameter:
#   $1 - prefix of the calling user domain (the domain $1_t and role
#        $1_r must already exist, as must $1_tty_device_t, $1_home_t
#        and the attribute $1_file_type).
#
# Types declared here:
#   $1_vmware_t       - the derived process domain
#   $1_vmware_file_t  - files created while the user runs VMWare
#   $1_vmware_conf_t  - per-user VMWare configuration files
#   (plus the vmware_$1_* aliases kept for older policies)
#
# Types referenced but declared elsewhere: vmware_user_exec_t,
# vmware_device_t, vmware_sys_conf_t, and the generic system types
# (proc_t, etc_t, device_t, memory_device_t, ...).
#
# The type declaration for the executable type for this program is
# provided separately in domains/program/vmware.te. This file also
# implements a separate domain vmware_t.
#
# Review note: the capability set and the /dev/mem rule below make
# this domain far more privileged than a normal user domain. The
# confinement it provides is weak by design; audit it before reusing
# it for other user prefixes.
#

define(`vmware_domain', `

# Domain for the user applications to run in.
# privmem: attribute shared by domains that touch memory devices
# (needed for the memory_device_t rule further down).
type $1_vmware_t, domain, privmem;

# Let the user role run processes in the new domain.
role $1_r types $1_vmware_t;

# The user file type is for files created when the user is running VMWare
# ($1_file_type makes it a user file; sysadmfile lets the admin manage it).
type $1_vmware_file_t, $1_file_type, file_type, sysadmfile;

# The user file type for the VMWare configuration files
type $1_vmware_conf_t, $1_file_type, file_type, sysadmfile;

# for compatibility with older policy versions
# (old naming put the prefix after vmware_; both names refer to one type)
typealias $1_vmware_t alias vmware_$1_t;
typealias $1_vmware_file_t alias vmware_$1_file_t;
typealias $1_vmware_conf_t alias vmware_$1_conf_t;

#############################################################
# User rules for running VMWare
#
# Transition to VMWare user domain
# Executing vmware_user_exec_t from $1_t lands in $1_vmware_t; the
# domain may also re-exec its own binary. var_run_domain gives it a
# private type under /var/run.
domain_auto_trans($1_t, vmware_user_exec_t, $1_vmware_t)
can_exec($1_vmware_t, vmware_user_exec_t)
uses_shlib($1_vmware_t)
var_run_domain($1_vmware)

general_domain_access($1_vmware_t);

# Capabilities needed by VMWare for the user execution. This seems a
# bit too much, so be careful.
# dac_override bypasses file permission bits; sys_admin and sys_rawio
# are broad host-level capabilities. Together with the memory_device_t
# rule below, a compromise of this domain is close to a compromise of
# the host, so keep the set minimal and audit any additions.
allow $1_vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio };

# Access to ttys
# Read/write on the vmware devices and on the user terminal; privfd
# allows use of descriptors inherited from privileged domains.
allow $1_vmware_t vmware_device_t:chr_file rw_file_perms;
allow $1_vmware_t $1_tty_device_t:chr_file rw_file_perms;
allow $1_vmware_t privfd:fd use;

# Access /proc
# Read-only; proc_net_t is limited to search plus getattr/read.
r_dir_file($1_vmware_t, proc_t)
allow $1_vmware_t proc_net_t:dir search;
allow $1_vmware_t proc_net_t:file { getattr read };

# Access to some files in the user home directory
# (read-only on $1_home_t; writes go to the per-user vmware types)
r_dir_file($1_vmware_t, $1_home_t)

# Access to runtime files for user
# Full create/write rights on the per-user vmware file and conf types.
allow $1_vmware_t $1_vmware_file_t:dir rw_dir_perms;
allow $1_vmware_t $1_vmware_file_t:file create_file_perms;
allow $1_vmware_t $1_vmware_conf_t:file create_file_perms;

# Allow read access to /etc/vmware and /usr/lib/vmware configuration files
r_dir_file($1_vmware_t, vmware_sys_conf_t)

# Allow $1_vmware_t to read/write files in the tmp dir
# NOTE(review): execute on $1_vmware_tmp_t means the domain may run
# files it created itself in tmp; this weakens W^X for the domain.
tmp_domain($1_vmware)
allow $1_vmware_t $1_vmware_tmp_t:file execute;

# Allow read access to several paths
# etc_t/etc_runtime_t read, directory listing under /dev and /var,
# and read/write on untyped tmpfs files.
r_dir_file($1_vmware_t, etc_t)
allow $1_vmware_t etc_runtime_t:file r_file_perms;
allow $1_vmware_t device_t:dir r_dir_perms;
allow $1_vmware_t var_t:dir r_dir_perms;
allow $1_vmware_t tmpfs_t:file rw_file_perms;

# Allow vmware to write to ~/.vmware
rw_dir_create_file($1_vmware_t, $1_vmware_file_t)

#
# This is bad; VMWare needs execute permission to the .cfg file for the
# configuration to run.
# Combined with create_file_perms on $1_vmware_conf_t above, the domain
# can execute files it writes itself.
#
allow $1_vmware_t $1_vmware_conf_t:file execute;

# Access X11 config files
# NOTE(review): lib_t is the generic library file type, not an X11
# specific one; the wording is inherited - confirm the intended target.
allow $1_vmware_t lib_t:file r_file_perms;

# Access components of VMWare in /usr/lib/vmware/bin by default
allow $1_vmware_t bin_t:dir r_dir_perms;

# Allow access to lp port (Need to create an lp device domain )
# NOTE(review): this grants read on every character device still
# labelled with the generic device_t type, not only the lp port.
allow $1_vmware_t device_t:chr_file r_file_perms;

# Allow access to /dev/mem
# Read/write on physical memory devices; this is the rule that makes
# the domain effectively unconfined with respect to the host.
allow $1_vmware_t memory_device_t:chr_file { read write };

# Allow access to mouse
allow $1_vmware_t mouse_device_t:chr_file r_file_perms;

# Allow access the sound device
allow $1_vmware_t sound_device_t:chr_file { ioctl write };

# Allow removable media and devices
# Raw read on removable block devices plus following symlinks in /dev.
allow $1_vmware_t removable_device_t:blk_file r_file_perms;
allow $1_vmware_t device_t:lnk_file read;

# Allow access to the real time clock device
allow $1_vmware_t clock_device_t:chr_file read;

# Allow to attach to Xserver, and Xserver to attach back
# Both blocks are conditional on the matching policy file being present.
ifdef(`gnome-pty-helper.te', `
allow $1_vmware_t $1_gph_t:fd use;
')
ifdef(`startx.te', `
allow $1_vmware_t $1_xserver_tmp_t:sock_file { unlink write };
allow $1_vmware_t $1_xserver_tmp_t:dir search;
allow $1_vmware_t $1_xserver_t:unix_stream_socket connectto;
allow $1_xserver_t $1_vmware_t:shm r_shm_perms;
allow $1_xserver_t $1_vmware_t:fd use;
')

# Allow filesystem read access
# (getattr only, e.g. for statfs on the root filesystem)
allow $1_vmware_t fs_t:filesystem getattr;

')