Fixes for testing with unconfined VMs
parent
b35d3f78ab
commit
5b7b2b024a
@ -27,21 +27,37 @@ files_pid_file(vmware_var_run_t)
|
|||||||
# VMWare host local policy
|
# VMWare host local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
|
allow vmware_host_t self:capability { setuid net_raw };
|
||||||
dontaudit vmware_host_t self:capability sys_tty_config;
|
dontaudit vmware_host_t self:capability sys_tty_config;
|
||||||
allow vmware_host_t self:process signal_perms;
|
allow vmware_host_t self:process signal_perms;
|
||||||
|
allow vmware_host_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
|
allow vmware_host_t self:rawip_socket create_socket_perms;
|
||||||
|
|
||||||
allow vmware_host_t vmware_var_run_t:file create_file_perms;
|
# cjp: the ro and rw files should be split up
|
||||||
|
allow vmware_host_t vmware_sys_conf_t:dir rw_dir_perms;
|
||||||
|
allow vmware_host_t vmware_sys_conf_t:file manage_file_perms;
|
||||||
|
|
||||||
|
allow vmware_host_t vmware_var_run_t:file manage_file_perms;
|
||||||
|
allow vmware_host_t vmware_var_run_t:sock_file manage_file_perms;
|
||||||
allow vmware_host_t vmware_var_run_t:dir rw_dir_perms;
|
allow vmware_host_t vmware_var_run_t:dir rw_dir_perms;
|
||||||
files_pid_filetrans(vmware_host_t,vmware_var_run_t,file)
|
files_pid_filetrans(vmware_host_t,vmware_var_run_t,{ file sock_file })
|
||||||
|
|
||||||
kernel_read_kernel_sysctls(vmware_host_t)
|
kernel_read_kernel_sysctls(vmware_host_t)
|
||||||
kernel_list_proc(vmware_host_t)
|
kernel_list_proc(vmware_host_t)
|
||||||
kernel_read_proc_symlinks(vmware_host_t)
|
kernel_read_proc_symlinks(vmware_host_t)
|
||||||
|
|
||||||
|
corenet_non_ipsec_sendrecv(vmware_host_t)
|
||||||
|
corenet_raw_sendrecv_generic_if(vmware_host_t)
|
||||||
|
corenet_raw_sendrecv_all_nodes(vmware_host_t)
|
||||||
|
corenet_raw_bind_all_nodes(vmware_host_t)
|
||||||
|
|
||||||
dev_read_sysfs(vmware_host_t)
|
dev_read_sysfs(vmware_host_t)
|
||||||
|
dev_rw_vmware(vmware_host_t)
|
||||||
|
|
||||||
domain_use_interactive_fds(vmware_host_t)
|
domain_use_interactive_fds(vmware_host_t)
|
||||||
|
|
||||||
|
files_read_etc_files(vmware_host_t)
|
||||||
|
|
||||||
fs_getattr_all_fs(vmware_host_t)
|
fs_getattr_all_fs(vmware_host_t)
|
||||||
fs_search_auto_mountpoints(vmware_host_t)
|
fs_search_auto_mountpoints(vmware_host_t)
|
||||||
|
|
||||||
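Review bot: The new raw-socket grants — `allow vmware_host_t self:capability { setuid net_raw };`, `self:rawip_socket create_socket_perms`, `corenet_raw_sendrecv_generic_if`, `corenet_raw_sendrecv_all_nodes` and `corenet_raw_bind_all_nodes` — let vmware_host_t craft and send arbitrary IP packets on every interface and node, yet nothing in the hunk records which vmware binary needs them; the same commit later adds `netutils_domtrans_ping(vmware_host_t)`, so if the raw socket was only needed for ping, the transition into ping_t already covers it and these direct grants should be dropped rather than left as widened attack surface. If vmnet bridging/NAT genuinely requires raw sockets (I cannot confirm that from here), say so next to the rules: `# raw sockets: needed by the vmnet bridge/NAT daemons, not for ping (ping runs in ping_t) -- TODO confirm`. Separately, `manage_file_perms` on vmware_sys_conf_t together with `rw_dir_perms` on its directory gives the daemon write access to system-wide configuration, and the hunk's own `# cjp: the ro and rw files should be split up` concedes this is too broad; until a separate type exists for the writable files, listing which files the daemon actually writes in that TODO would let the split be done instead of deferred. The vmware_host_t policy block continues past the end of the hunk.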
@ -74,7 +90,7 @@ optional_policy(`
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
udev_read_db(vmware_host_t)
|
udev_read_db(vmware_host_t)
|
||||||
')
|
')
|
||||||
|
netutils_domtrans_ping(vmware_host_t)
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
# VMWare need access to pcmcia devices for network
|
# VMWare need access to pcmcia devices for network
|
||||||
|
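Review bot: `netutils_domtrans_ping(vmware_host_t)` is added bare, right after the `')` that closes the udev block, whereas the neighbouring `udev_read_db(vmware_host_t)` is wrapped in `optional_policy(`; if netutils is an optional module like udev (its interface is named the same way), an unguarded call will break the build of any policy that omits it. Wrap it the same way: `optional_policy(`` / `	netutils_domtrans_ping(vmware_host_t)` / `')`. A one-line comment stating what vmware uses ping for would also let the next reader judge whether the raw-socket rules granted directly to vmware_host_t elsewhere in this commit are still necessary once ping runs in its own domain.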
@ -573,7 +573,8 @@ interface(`corenet_udp_bind_all_nodes',`
|
|||||||
## The type of the process performing this action.
|
## The type of the process performing this action.
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
# rawip_socket node_bind does not make much sense.
|
# rawip_socket node_bind does not make much sense.
|
||||||
|
# cjp: vmware hits this too
|
||||||
interface(`corenet_raw_bind_all_nodes',`
|
interface(`corenet_raw_bind_all_nodes',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
attribute node_type;
|
attribute node_type;
|
||||||
|
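Review bot: The two comments above `interface(`corenet_raw_bind_all_nodes',`` now contradict each other — `# rawip_socket node_bind does not make much sense.` followed by `# cjp: vmware hits this too` — without telling the reader why the check fires or whether the interface is meant to stay. Replace both with one comment that records the cause once it is confirmed, e.g. `# raw sockets that bind() to a specific local address hit the node_bind check; vmware_host needs this -- TODO confirm the trigger`. The interface body continues outside the hunk.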