VMWare patch from Dan Walsh.

policy/modules/apps/vmware.fc

@@ -20,7 +20,7 @@ HOME_DIR/vmware(/.*)?			gen_context(system_u:object_r:vmware_file_t,s0)
 /usr/bin/vmnet-sniffer		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /usr/bin/vmware-network		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /usr/bin/vmware-nmbd		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
-/usr/bin/vmware-ping		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-ping		--	gen_context(system_u:object_r:vmware_exec_t,s0)
 /usr/bin/vmware-smbd		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /usr/bin/vmware-smbpasswd	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /usr/bin/vmware-smbpasswd\.bin	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
@@ -55,7 +55,7 @@ ifdef(`distro_gentoo',`
 /opt/vmware/(workstation|player)/bin/vmnet-netifup --	gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /opt/vmware/(workstation|player)/bin/vmnet-sniffer --	gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /opt/vmware/(workstation|player)/bin/vmware-nmbd --	gen_context(system_u:object_r:vmware_host_exec_t,s0)
-/opt/vmware/(workstation|player)/bin/vmware-ping --	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmware-ping --	gen_context(system_u:object_r:vmware_exec_t,s0)
 /opt/vmware/(workstation|player)/bin/vmware-smbd --	gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /opt/vmware/(workstation|player)/bin/vmware-smbpasswd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /opt/vmware/(workstation|player)/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0)

policy/modules/apps/vmware.if

@@ -30,6 +30,24 @@ interface(`vmware_role',`
 	allow $2 vmware_t:process signal;
 ')
 
+########################################
+## <summary>
+##	Execute vmware host executables
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`vmware_exec_host',`
+	gen_require(`
+		type vmware_host_exec_t;
+	')
+
+	can_exec($1, vmware_host_exec_t)
+')
+
 ########################################
 ## <summary>
 ##	Read VMWare system configuration files.

policy/modules/apps/vmware.te

@@ -1,4 +1,4 @@
-policy_module(vmware, 2.2.0)
+policy_module(vmware, 2.2.1)
 
 ########################################
 #
@@ -31,6 +31,10 @@ init_daemon_domain(vmware_host_t, vmware_host_exec_t)
 type vmware_host_pid_t alias vmware_var_run_t;
 files_pid_file(vmware_host_pid_t)
 
+type vmware_host_tmp_t;
+files_tmp_file(vmware_host_tmp_t)
+ubac_constrained(vmware_host_tmp_t)
+
 type vmware_log_t;
 typealias vmware_log_t alias { user_vmware_log_t staff_vmware_log_t sysadm_vmware_log_t };
 typealias vmware_log_t alias { auditadm_vmware_log_t secadm_vmware_log_t };
@@ -76,8 +80,16 @@ allow vmware_host_t self:unix_stream_socket create_stream_socket_perms;
 allow vmware_host_t self:rawip_socket create_socket_perms;
 allow vmware_host_t self:tcp_socket create_socket_perms;
 
+can_exec(vmware_host_t, vmware_host_exec_t)
+
 # cjp: the ro and rw files should be split up
 manage_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t)
+manage_lnk_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t)
+
+manage_dirs_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t)
+manage_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t)
+manage_sock_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t)
+files_tmp_filetrans(vmware_host_t, vmware_host_tmp_t, { file dir })
 
 manage_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t)
 manage_sock_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t)
@@ -88,6 +100,7 @@ logging_log_filetrans(vmware_host_t, vmware_log_t, { file dir })
 
 kernel_read_kernel_sysctls(vmware_host_t)
 kernel_read_system_state(vmware_host_t)
+kernel_read_network_state(vmware_host_t)
 
 corenet_all_recvfrom_unlabeled(vmware_host_t)
 corenet_all_recvfrom_netlabel(vmware_host_t)