add vmware, bug 1389
This commit is contained in:
Chris PeBenito
parent
0e1c461e05
commit
a6a638dc18
|
|
@ -0,0 +1,50 @@
|
|||
#
|
||||
# HOME_DIR/
|
||||
#
|
||||
HOME_DIR/\.vmware(/.*)? gen_context(system_u:object_r:ROLE_vmware_file_t,s0)
|
||||
HOME_DIR/vmware(/.*)? gen_context(system_u:object_r:ROLE_vmware_file_t,s0)
|
||||
HOME_DIR/\.vmware[^/]*/.*\.cfg -- gen_context(system_u:object_r:ROLE_vmware_conf_t,s0)
|
||||
|
||||
#
|
||||
# /etc
|
||||
#
|
||||
/etc/vmware.*(/.*)? gen_context(system_u:object_r:vmware_sys_conf_t,s0)
|
||||
|
||||
#
|
||||
# /usr
|
||||
#
|
||||
/usr/bin/vmnet-bridg -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
|
||||
/usr/bin/vmnet-dhcpd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
|
||||
/usr/bin/vmnet-natd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
|
||||
/usr/bin/vmnet-netifup -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
|
||||
/usr/bin/vmnet-sniffer -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
|
||||
/usr/bin/vmware-nmbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
|
||||
/usr/bin/vmware-ping -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
|
||||
/usr/bin/vmware-smbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
|
||||
/usr/bin/vmware-smbpasswd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
|
||||
/usr/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
|
||||
/usr/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0)
|
||||
/usr/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0)
|
||||
|
||||
/usr/lib/vmware/config -- gen_context(system_u:object_r:vmware_sys_conf_t,s0)
|
||||
/usr/lib/vmware/bin/vmware-mks -- gen_context(system_u:object_r:vmware_exec_t,s0)
|
||||
/usr/lib/vmware/bin/vmware-ui -- gen_context(system_u:object_r:vmware_exec_t,s0)
|
||||
|
||||
/usr/lib64/vmware/config -- gen_context(system_u:object_r:vmware_sys_conf_t,s0)
|
||||
/usr/lib64/vmware/bin/vmware-mks -- gen_context(system_u:object_r:vmware_exec_t,s0)
|
||||
/usr/lib64/vmware/bin/vmware-ui -- gen_context(system_u:object_r:vmware_exec_t,s0)
|
||||
|
||||
ifdef(`distro_gentoo',`
|
||||
/opt/vmware/workstation/bin/vmnet-bridge -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
|
||||
/opt/vmware/workstation/bin/vmnet-dhcpd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
|
||||
/opt/vmware/workstation/bin/vmnet-natd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
|
||||
/opt/vmware/workstation/bin/vmnet-netifup -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
|
||||
/opt/vmware/workstation/bin/vmnet-sniffer -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
|
||||
/opt/vmware/workstation/bin/vmware-nmbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
|
||||
/opt/vmware/workstation/bin/vmware-ping -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
|
||||
/opt/vmware/workstation/bin/vmware-smbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
|
||||
/opt/vmware/workstation/bin/vmware-smbpasswd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
|
||||
/opt/vmware/workstation/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
|
||||
/opt/vmware/workstation/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0)
|
||||
/opt/vmware/workstation/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0)
|
||||
')
|
||||
|
|
@ -0,0 +1,152 @@
|
|||
## <summary>VMWare Workstation virtual machines</summary>
|
||||
|
||||
template(`vmware_per_userdomain_template',`
|
||||
|
||||
##############################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type $1_vmware_t;
|
||||
domain_type($1_vmware_t)
|
||||
domain_entry_file($1_vmware_t,vmware_exec_t)
|
||||
role $3 types $1_vmware_t;
|
||||
|
||||
type $1_vmware_conf_t;
|
||||
userdom_user_home_content($1,$1_vmware_conf_t)
|
||||
|
||||
type $1_vmware_file_t;
|
||||
userdom_user_home_content($1,$1_vmware_file_t)
|
||||
|
||||
type $1_vmware_tmp_t;
|
||||
files_tmp_file($1_vmware_tmp_t)
|
||||
|
||||
type $1_vmware_tmpfs_t;
|
||||
files_tmpfs_file($1_vmware_tmpfs_t)
|
||||
|
||||
type $1_vmware_var_run_t;
|
||||
files_pid_file($1_vmware_var_run_t)
|
||||
|
||||
##############################
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
|
||||
domain_auto_trans($2, vmware_exec_t, $1_vmware_t)
|
||||
allow $1_vmware_t $2:fd use;
|
||||
allow $1_vmware_t $2:fifo_file rw_file_perms;
|
||||
allow $1_vmware_t $2:process sigchld;
|
||||
|
||||
allow $1_vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio };
|
||||
allow $1_vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow $1_vmware_t self:fd use;
|
||||
allow $1_vmware_t self:fifo_file rw_file_perms;
|
||||
allow $1_vmware_t self:unix_dgram_socket create_socket_perms;
|
||||
allow $1_vmware_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow $1_vmware_t self:unix_dgram_socket sendto;
|
||||
allow $1_vmware_t self:unix_stream_socket connectto;
|
||||
allow $1_vmware_t self:shm create_shm_perms;
|
||||
allow $1_vmware_t self:sem create_sem_perms;
|
||||
allow $1_vmware_t self:msgq create_msgq_perms;
|
||||
allow $1_vmware_t self:msg { send receive };
|
||||
|
||||
can_exec($1_vmware_t, vmware_exec_t)
|
||||
|
||||
# User configuration files
|
||||
allow $1_vmware_t $1_vmware_conf_t:file manage_file_perms;
|
||||
|
||||
# VMWare disks
|
||||
allow $1_vmware_t $1_vmware_file_t:dir rw_dir_perms;
|
||||
allow $1_vmware_t $1_vmware_file_t:file manage_file_perms;
|
||||
allow $1_vmware_t $1_vmware_file_t:lnk_file create_lnk_perms;
|
||||
|
||||
allow $1_vmware_t $1_vmware_tmp_t:dir manage_dir_perms;
|
||||
allow $1_vmware_t $1_vmware_tmp_t:file manage_file_perms;
|
||||
files_tmp_filetrans($1_vmware_t, $1_vmware_tmp_t, { file dir })
|
||||
|
||||
allow $1_vmware_t $1_vmware_tmpfs_t:dir rw_dir_perms;
|
||||
allow $1_vmware_t $1_vmware_tmpfs_t:file manage_file_perms;
|
||||
allow $1_vmware_t $1_vmware_tmpfs_t:lnk_file create_lnk_perms;
|
||||
allow $1_vmware_t $1_vmware_tmpfs_t:sock_file manage_file_perms;
|
||||
allow $1_vmware_t $1_vmware_tmpfs_t:fifo_file manage_file_perms;
|
||||
fs_tmpfs_filetrans($1_vmware_t,$1_vmware_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
||||
|
||||
# Read clobal configuration files
|
||||
allow $1_vmware_t vmware_sys_conf_t:dir r_dir_perms;
|
||||
allow $1_vmware_t vmware_sys_conf_t:file r_file_perms;
|
||||
allow $1_vmware_t vmware_sys_conf_t:lnk_file { getattr read };
|
||||
|
||||
allow $1_vmware_t $1_vmware_var_run_t:file manage_file_perms;
|
||||
allow $1_vmware_t $1_vmware_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans($1_vmware_t,$1_vmware_var_run_t,file)
|
||||
|
||||
kernel_read_system_state($1_vmware_t)
|
||||
kernel_read_network_state($1_vmware_t)
|
||||
|
||||
corecmd_list_bin($1_vmware_t)
|
||||
|
||||
dev_read_raw_memory($1_vmware_t)
|
||||
dev_write_raw_memory($1_vmware_t)
|
||||
dev_read_mouse($1_vmware_t)
|
||||
dev_write_sound($1_vmware_t)
|
||||
dev_read_realtime_clock($1_vmware_t)
|
||||
dev_rw_vmware($1_vmware_t)
|
||||
|
||||
domain_use_interactive_fds($1_vmware_t)
|
||||
|
||||
files_read_etc_files($1_vmware_t)
|
||||
files_read_etc_runtime_files($1_vmware_t)
|
||||
|
||||
fs_getattr_xattr_fs($1_vmware_t)
|
||||
fs_search_auto_mountpoints($1_vmware_t)
|
||||
|
||||
storage_raw_read_removable_device($1_vmware_t)
|
||||
|
||||
libs_use_ld_so($1_vmware_t)
|
||||
libs_use_shared_libs($1_vmware_t)
|
||||
# Access X11 config files
|
||||
libs_read_lib_files($1_vmware_t)
|
||||
|
||||
userdom_use_user_terminals($1,$1_vmware_t)
|
||||
userdom_use_unpriv_users_fds($1_vmware_t)
|
||||
# cjp: why?
|
||||
userdom_read_user_home_content_files($1,$1_vmware_t)
|
||||
|
||||
xserver_user_client_template($1,$1_vmware_t,$1_vmware_tmpfs_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read VMWare system configuration files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`vmware_read_system_config',`
|
||||
gen_require(`
|
||||
type vmware_sys_conf_t;
|
||||
')
|
||||
|
||||
allow $1 vmware_sys_conf_t:file { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Append to VMWare system configuration files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`vmware_append_system_config',`
|
||||
gen_require(`
|
||||
type vmware_sys_conf_t;
|
||||
')
|
||||
|
||||
allow $1 vmware_sys_conf_t:file append;
|
||||
')
|
||||
|
|
@ -0,0 +1,89 @@
|
|||
|
||||
policy_module(vmware,1.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
# VMWare user program
|
||||
type vmware_exec_t;
|
||||
corecmd_executable_file(vmware_exec_t)
|
||||
|
||||
# VMWare host programs
|
||||
type vmware_host_t;
|
||||
type vmware_host_exec_t;
|
||||
init_daemon_domain(vmware_host_t,vmware_host_exec_t)
|
||||
|
||||
# Systemwide configuration files
|
||||
type vmware_sys_conf_t;
|
||||
files_type(vmware_sys_conf_t)
|
||||
|
||||
type vmware_var_run_t;
|
||||
files_pid_file(vmware_var_run_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# VMWare host local policy
|
||||
#
|
||||
|
||||
dontaudit vmware_host_t self:capability sys_tty_config;
|
||||
allow vmware_host_t self:process signal_perms;
|
||||
|
||||
allow vmware_host_t vmware_var_run_t:file create_file_perms;
|
||||
allow vmware_host_t vmware_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(vmware_host_t,vmware_var_run_t,file)
|
||||
|
||||
kernel_read_kernel_sysctls(vmware_host_t)
|
||||
kernel_list_proc(vmware_host_t)
|
||||
kernel_read_proc_symlinks(vmware_host_t)
|
||||
|
||||
dev_read_sysfs(vmware_host_t)
|
||||
|
||||
domain_use_interactive_fds(vmware_host_t)
|
||||
|
||||
fs_getattr_all_fs(vmware_host_t)
|
||||
fs_search_auto_mountpoints(vmware_host_t)
|
||||
|
||||
term_dontaudit_use_console(vmware_host_t)
|
||||
|
||||
init_use_fds(vmware_host_t)
|
||||
init_use_script_ptys(vmware_host_t)
|
||||
|
||||
libs_use_ld_so(vmware_host_t)
|
||||
libs_use_shared_libs(vmware_host_t)
|
||||
|
||||
logging_send_syslog_msg(vmware_host_t)
|
||||
|
||||
miscfiles_read_localization(vmware_host_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(vmware_host_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(vmware_host_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_ttys(vmware_host_t)
|
||||
term_dontaudit_use_generic_ptys(vmware_host_t)
|
||||
files_dontaudit_read_root_files(vmware_host_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
seutil_sigchld_newrole(vmware_host_t)
|
||||
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
udev_read_db(vmware_host_t)
|
||||
')
|
||||
|
||||
|
||||
ifdef(`TODO',`
|
||||
# VMWare need access to pcmcia devices for network
|
||||
optional_policy(`
|
||||
allow kernel_t cardmgr_var_lib_t:dir { getattr search };
|
||||
allow kernel_t cardmgr_var_lib_t:file { getattr ioctl read };
|
||||
')
|
||||
# Vmware create network devices
|
||||
allow kernel_t self:capability net_admin;
|
||||
allow kernel_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
|
||||
allow kernel_t self:socket create;
|
||||
')
|
||||
|
|
@ -21,12 +21,12 @@
|
|||
/dev/full -c gen_context(system_u:object_r:null_device_t,s0)
|
||||
/dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0)
|
||||
/dev/i915 -c gen_context(system_u:object_r:dri_device_t,s0)
|
||||
/dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0)
|
||||
/dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0)
|
||||
/dev/js.* -c gen_context(system_u:object_r:mouse_device_t,s0)
|
||||
/dev/kmem -c gen_context(system_u:object_r:memory_device_t,s15:c0.c255)
|
||||
/dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0)
|
||||
/dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
|
||||
/dev/mem -c gen_context(system_u:object_r:memory_device_t,s15:c0.c255)
|
||||
/dev/mem -c gen_context(system_u:object_r:memory_device_t,s15:c0.c255)
|
||||
/dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0)
|
||||
/dev/microcode -c gen_context(system_u:object_r:cpu_device_t,s0)
|
||||
/dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
|
|
@ -38,18 +38,18 @@
|
|||
/dev/nvram -c gen_context(system_u:object_r:memory_device_t,s15:c0.c255)
|
||||
/dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0)
|
||||
/dev/patmgr[01] -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
/dev/pmu -c gen_context(system_u:object_r:power_device_t,s0)
|
||||
/dev/pmu -c gen_context(system_u:object_r:power_device_t,s0)
|
||||
/dev/port -c gen_context(system_u:object_r:memory_device_t,s15:c0.c255)
|
||||
/dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0)
|
||||
/dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
/dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0)
|
||||
/dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||
/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
|
||||
/dev/(misc/)?rtc -c gen_context(system_u:object_r:clock_device_t,s0)
|
||||
/dev/(misc/)?rtc -c gen_context(system_u:object_r:clock_device_t,s0)
|
||||
/dev/sequencer -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
/dev/sequencer2 -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
/dev/smpte.* -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
/dev/smu -c gen_context(system_u:object_r:power_device_t,s0)
|
||||
/dev/smu -c gen_context(system_u:object_r:power_device_t,s0)
|
||||
/dev/srnd[0-7] -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
/dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
/dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||
|
|
@ -59,6 +59,8 @@ ifdef(`distro_suse', `
|
|||
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
|
||||
')
|
||||
/dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||
/dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0)
|
||||
/dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0)
|
||||
/dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||
/dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||
/dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||
|
|
@ -84,9 +86,9 @@ ifdef(`distro_suse', `
|
|||
|
||||
/dev/pts(/.*)? <<none>>
|
||||
|
||||
/dev/s(ou)?nd/.* -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
/dev/s(ou)?nd/.* -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
|
||||
/dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0)
|
||||
/dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0)
|
||||
/dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
|
||||
/dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0)
|
||||
/dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0)
|
||||
|
|
|
|||
|
|
@ -2685,6 +2685,25 @@ interface(`dev_read_video_dev',`
|
|||
allow $1 v4l_device_t:chr_file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write VMWare devices.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`dev_rw_vmware',`
|
||||
gen_require(`
|
||||
type device_t, vmware_device_t;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir list_dir_perms;
|
||||
allow $1 vmware_device_t:chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write Xen devices.
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(devices,1.1.11)
|
||||
policy_module(devices,1.1.12)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
@ -169,6 +169,10 @@ dev_node(usb_device_t)
|
|||
type v4l_device_t;
|
||||
dev_node(v4l_device_t)
|
||||
|
||||
# Type for vmware devices.
|
||||
type vmware_device_t;
|
||||
dev_node(vmware_device_t)
|
||||
|
||||
type xen_device_t;
|
||||
dev_node(xen_device_t)
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(init,1.3.9)
|
||||
policy_module(init,1.3.10)
|
||||
|
||||
gen_require(`
|
||||
class passwd rootok;
|
||||
|
|
@ -718,6 +718,11 @@ optional_policy(`
|
|||
uml_setattr_util_sockets(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
vmware_read_system_config(initrc_t)
|
||||
vmware_append_system_config(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
miscfiles_manage_fonts(initrc_t)
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue