selinux-policy/targeted/macros/program/vmware_macros.te

129 lines
3.9 KiB
Plaintext
Raw Normal View History

2005-10-21 18:05:21 +00:00
# Macro for vmware
#
# Based on work contributed by Mark Westerman (mark.westerman@westcam.com),
# modifications by NAI Labs.
#
# Turned into a macro by Thomas Bleher <ThomasBleher@gmx.de>
#
# vmware_domain(domain_prefix)
#
# Define a derived domain for the vmware program when executed by
# a user domain.
#
# The type declaration for the executable type for this program is
# provided separately in domains/program/vmware.te. This file also
# implements a separate domain vmware_t.
#
define(`vmware_domain', `
# Domain for the user applications to run in.
type $1_vmware_t, domain, privmem;
role $1_r types $1_vmware_t;
# The user file type is for files created when the user is running VMWare
type $1_vmware_file_t, $1_file_type, file_type, sysadmfile;
# The user file type for the VMWare configuration files
type $1_vmware_conf_t, $1_file_type, file_type, sysadmfile;
#############################################################
# User rules for running VMWare
#
# Transition to VMWare user domain
domain_auto_trans($1_t, vmware_user_exec_t, $1_vmware_t)
can_exec($1_vmware_t, vmware_user_exec_t)
uses_shlib($1_vmware_t)
var_run_domain($1_vmware)
general_domain_access($1_vmware_t);
# Capabilities needed by VMWare for the user execution. This seems a
# bit too much, so be careful.
allow $1_vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio };
# Access to ttys
allow $1_vmware_t vmware_device_t:chr_file rw_file_perms;
allow $1_vmware_t $1_tty_device_t:chr_file rw_file_perms;
allow $1_vmware_t privfd:fd use;
# Access /proc
r_dir_file($1_vmware_t, proc_t)
allow $1_vmware_t proc_net_t:dir search;
allow $1_vmware_t proc_net_t:file { getattr read };
# Access to some files in the user home directory
r_dir_file($1_vmware_t, $1_home_t)
# Access to runtime files for user
allow $1_vmware_t $1_vmware_file_t:dir rw_dir_perms;
allow $1_vmware_t $1_vmware_file_t:file create_file_perms;
allow $1_vmware_t $1_vmware_conf_t:file create_file_perms;
# Allow read access to /etc/vmware and /usr/lib/vmware configuration files
r_dir_file($1_vmware_t, vmware_sys_conf_t)
# Allow $1_vmware_t to read/write files in the tmp dir
tmp_domain($1_vmware)
allow $1_vmware_t $1_vmware_tmp_t:file execute;
# Allow read access to several paths
r_dir_file($1_vmware_t, etc_t)
allow $1_vmware_t etc_runtime_t:file r_file_perms;
allow $1_vmware_t device_t:dir r_dir_perms;
allow $1_vmware_t var_t:dir r_dir_perms;
allow $1_vmware_t tmpfs_t:file rw_file_perms;
# Allow vmware to write to ~/.vmware
rw_dir_create_file($1_vmware_t, $1_vmware_file_t)
#
# This is bad; VMWare needs execute permission to the .cfg file for the
# configuration to run.
#
allow $1_vmware_t $1_vmware_conf_t:file execute;
# Access X11 config files
allow $1_vmware_t lib_t:file r_file_perms;
# Access components of VMWare in /usr/lib/vmware/bin by default
allow $1_vmware_t bin_t:dir r_dir_perms;
# Allow access to lp port (Need to create an lp device domain )
allow $1_vmware_t device_t:chr_file r_file_perms;
# Allow access to /dev/mem
allow $1_vmware_t memory_device_t:chr_file { read write };
# Allow access to mouse
allow $1_vmware_t mouse_device_t:chr_file r_file_perms;
# Allow access the sound device
allow $1_vmware_t sound_device_t:chr_file { ioctl write };
# Allow removable media and devices
allow $1_vmware_t removable_device_t:blk_file r_file_perms;
allow $1_vmware_t device_t:lnk_file read;
# Allow access to the real time clock device
allow $1_vmware_t clock_device_t:chr_file read;
# Allow to attach to Xserver, and Xserver to attach back
ifdef(`gnome-pty-helper.te', `
allow $1_vmware_t $1_gph_t:fd use;
')
ifdef(`startx.te', `
allow $1_vmware_t $1_xserver_tmp_t:sock_file { unlink write };
allow $1_vmware_t $1_xserver_tmp_t:dir search;
allow $1_vmware_t $1_xserver_t:unix_stream_socket connectto;
allow $1_xserver_t $1_vmware_t:shm r_shm_perms;
allow $1_xserver_t $1_vmware_t:fd use;
')
# Allow filesystem read access
allow $1_vmware_t fs_t:filesystem getattr;
')