fixes for testing with unconfined vms

2006-04-26 19:03:41 +00:00 · 2006-04-26 19:03:41 +00:00 · 5b7b2b024a
commit 5b7b2b024a
parent b35d3f78ab
2 changed files with 21 additions and 4 deletions
--- a/refpolicy/policy/modules/apps/vmware.te
+++ b/refpolicy/policy/modules/apps/vmware.te
@ -27,21 +27,37 @@ files_pid_file(vmware_var_run_t)
 # VMWare host local policy
 #

+allow vmware_host_t self:capability { setuid net_raw };
 dontaudit vmware_host_t self:capability sys_tty_config;
 allow vmware_host_t self:process signal_perms;
+allow vmware_host_t self:unix_stream_socket create_stream_socket_perms;
+allow vmware_host_t self:rawip_socket create_socket_perms;

-allow vmware_host_t vmware_var_run_t:file create_file_perms;
+# cjp: the ro and rw files should be split up
+allow vmware_host_t vmware_sys_conf_t:dir rw_dir_perms;
+allow vmware_host_t vmware_sys_conf_t:file manage_file_perms;
+
+allow vmware_host_t vmware_var_run_t:file manage_file_perms;
+allow vmware_host_t vmware_var_run_t:sock_file manage_file_perms;
 allow vmware_host_t vmware_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(vmware_host_t,vmware_var_run_t,file)
+files_pid_filetrans(vmware_host_t,vmware_var_run_t,{ file sock_file })

 kernel_read_kernel_sysctls(vmware_host_t)
 kernel_list_proc(vmware_host_t)
 kernel_read_proc_symlinks(vmware_host_t)

+corenet_non_ipsec_sendrecv(vmware_host_t)
+corenet_raw_sendrecv_generic_if(vmware_host_t)
+corenet_raw_sendrecv_all_nodes(vmware_host_t)
+corenet_raw_bind_all_nodes(vmware_host_t)
+
 dev_read_sysfs(vmware_host_t)
+dev_rw_vmware(vmware_host_t)

 domain_use_interactive_fds(vmware_host_t)

+files_read_etc_files(vmware_host_t)
+
 fs_getattr_all_fs(vmware_host_t)
 fs_search_auto_mountpoints(vmware_host_t)

@ -74,7 +90,7 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(vmware_host_t)
 ')
-
+netutils_domtrans_ping(vmware_host_t)

 ifdef(`TODO',`
 # VMWare need access to pcmcia devices for network
--- a/refpolicy/policy/modules/kernel/corenetwork.if.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.if.in
@ -573,7 +573,8 @@ interface(`corenet_udp_bind_all_nodes',`
 ##	The type of the process performing this action.
 ##	</summary>
 ## </param>
-# rawip_socket node_bind does not make much sense. 
+# rawip_socket node_bind does not make much sense.
+# cjp: vmware hits this too
 interface(`corenet_raw_bind_all_nodes',`
 	gen_require(`
 		attribute node_type;