From 5b7b2b024af060b10d94ba8839ea92ac9db4c507 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Wed, 26 Apr 2006 19:03:41 +0000
Subject: [PATCH] fixes for testing with unconfined vms
---
 refpolicy/policy/modules/apps/vmware.te | 22 ++++++++++++++++---
 .../policy/modules/kernel/corenetwork.if.in | 3 ++-
 2 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/refpolicy/policy/modules/apps/vmware.te b/refpolicy/policy/modules/apps/vmware.te
index ea3d6c73..fd47f511 100644
--- a/refpolicy/policy/modules/apps/vmware.te
+++ b/refpolicy/policy/modules/apps/vmware.te
@@ -27,21 +27,37 @@ files_pid_file(vmware_var_run_t)
 # VMWare host local policy
 #
+allow vmware_host_t self:capability { setuid net_raw };
 dontaudit vmware_host_t self:capability sys_tty_config;
 allow vmware_host_t self:process signal_perms;
+allow vmware_host_t self:unix_stream_socket create_stream_socket_perms;
+allow vmware_host_t self:rawip_socket create_socket_perms;
-allow vmware_host_t vmware_var_run_t:file create_file_perms;
+# cjp: the ro and rw files should be split up
+allow vmware_host_t vmware_sys_conf_t:dir rw_dir_perms;
+allow vmware_host_t vmware_sys_conf_t:file manage_file_perms;
+
+allow vmware_host_t vmware_var_run_t:file manage_file_perms;
+allow vmware_host_t vmware_var_run_t:sock_file manage_file_perms;
 allow vmware_host_t vmware_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(vmware_host_t,vmware_var_run_t,file)
+files_pid_filetrans(vmware_host_t,vmware_var_run_t,{ file sock_file })
 kernel_read_kernel_sysctls(vmware_host_t)
 kernel_list_proc(vmware_host_t)
 kernel_read_proc_symlinks(vmware_host_t)
+corenet_non_ipsec_sendrecv(vmware_host_t)
+corenet_raw_sendrecv_generic_if(vmware_host_t)
+corenet_raw_sendrecv_all_nodes(vmware_host_t)
+corenet_raw_bind_all_nodes(vmware_host_t)
+
 dev_read_sysfs(vmware_host_t)
+dev_rw_vmware(vmware_host_t)
 domain_use_interactive_fds(vmware_host_t)
+files_read_etc_files(vmware_host_t)
+
 fs_getattr_all_fs(vmware_host_t)
 fs_search_auto_mountpoints(vmware_host_t)
@@ -74,7 +90,7 @@ optional_policy(`
 optional_policy(`
 udev_read_db(vmware_host_t)
 ')
-
+netutils_domtrans_ping(vmware_host_t)
 ifdef(`TODO',`
 # VMWare need access to pcmcia devices for network
diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.in b/refpolicy/policy/modules/kernel/corenetwork.if.in
index 461f4859..1dd66cf6 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.if.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.if.in
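Review bot: The new rule `allow vmware_host_t self:capability { setuid net_raw };` bundles two unrelated capabilities, and neither the hunk nor the commit message says what setuid is needed for; net_raw is explained by the `self:rawip_socket` and `corenet_raw_*` rules added beneath it, so setuid should go in its own rule with a why-comment such as `# setuid: <reason — TODO confirm>` so the grant is reviewable later. The `# cjp: the ro and rw files should be split up` note sits on a rule that gives vmware_host_t `manage_file_perms` on vmware_sys_conf_t, meaning the host daemon can rewrite its own system configuration until that split is done; stating that explicitly (e.g. `# TODO: split vmware_sys_conf_t into read-only and read-write types; manage is interim`) keeps the intent readable without the initials. The raw-IP set (`corenet_raw_bind_all_nodes`, `corenet_raw_sendrecv_all_nodes`, `corenet_non_ipsec_sendrecv`) is broad for a host daemon; if it exists only to support the ping transition added in the next hunk, it is worth a comment saying so, or a re-check of whether it is still needed once ping runs in its own domain.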
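Review bot: `netutils_domtrans_ping(vmware_host_t)` is added at file scope, directly after the udev block, while the only other cross-module call visible in this hunk (`udev_read_db`) is wrapped in optional_policy; refpolicy's convention is to call another module's interfaces inside an optional_policy block so vmware.te still builds and loads when the netutils module is absent. Wrap the new line the same way the udev call is wrapped. The removed line was a blank separator, so a blank line before the following ifdef should probably be restored as well.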
@@ -573,7 +573,8 @@ interface(`corenet_udp_bind_all_nodes',`
 ## The type of the process performing this action.
 ##
 ##
-# rawip_socket node_bind does not make much sense.
+# rawip_socket node_bind does not make much sense.
+# cjp: vmware hits this too
 interface(`corenet_raw_bind_all_nodes',`
 gen_require(`
 attribute node_type;
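Review bot: The added `# cjp: vmware hits this too` records a caller rather than a reason, directly under a comment saying raw-socket node_bind does not make much sense, so a later reader still cannot tell whether corenet_raw_bind_all_nodes is a legitimate need or an access that should be trimmed. Suggest replacing the personal note with what is actually known, e.g. `# Callers (vmware_host_t among them) have been observed needing this; revisit whether raw node_bind is required — TODO confirm`. The interface body continues past the end of the hunk.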