# Macro for vmware
#
# Based on work contributed by Mark Westerman (mark.westerman@westcam.com),
# modifications by NAI Labs.
#
# Turned into a macro by Thomas Bleher
#
# vmware_domain(domain_prefix)
#
# Define a derived domain for the vmware program when executed by
# a user domain.
#
# $1 is the user domain prefix (e.g. "user" or "sysadm"). The rules below
# reference $1_t, $1_r, $1_tty_device_t, $1_home_t and $1_file_type from the
# calling user domain, and, inside the ifdef blocks, $1_gph_t, $1_xserver_t
# and $1_xserver_tmp_t; the caller is responsible for having declared them.
#
# Types declared here: $1_vmware_t (the derived domain), $1_vmware_file_t
# (files written while vmware runs) and $1_vmware_conf_t (per-user
# configuration files), each with a vmware_$1_* alias for older policy.
#
# The type declaration for the executable type for this program is
# provided separately in domains/program/vmware.te. This file also
# implements a separate domain vmware_t.
#
# NOTE(review): this macro grants raw memory access, sys_rawio and
# sys_admin, so the resulting domain is only weakly confined. Every user
# domain that invokes the macro inherits any change made here.
#
define(`vmware_domain', `
# Domain for the user applications to run in.
# privmem is presumably the attribute for domains with raw memory access;
# it matches the memory_device_t rule further down.
type $1_vmware_t, domain, privmem;
role $1_r types $1_vmware_t;

# The user file type is for files created when the user is running VMWare
type $1_vmware_file_t, $1_file_type, file_type, sysadmfile;

# The user file type for the VMWare configuration files
type $1_vmware_conf_t, $1_file_type, file_type, sysadmfile;

# for compatibility with older policy versions
typealias $1_vmware_t alias vmware_$1_t;
typealias $1_vmware_file_t alias vmware_$1_file_t;
typealias $1_vmware_conf_t alias vmware_$1_conf_t;

#############################################################
# User rules for running VMWare
#

# Transition to VMWare user domain
# Executing vmware_user_exec_t from $1_t switches to $1_vmware_t; the
# can_exec line additionally lets the domain re-exec the same binary
# without a transition.
domain_auto_trans($1_t, vmware_user_exec_t, $1_vmware_t)
can_exec($1_vmware_t, vmware_user_exec_t)
uses_shlib($1_vmware_t)
var_run_domain($1_vmware)
general_domain_access($1_vmware_t);

# Capabilities needed by VMWare for the user execution. This seems a
# bit too much, so be careful.
# NOTE(review): sys_admin, sys_rawio and dac_override, combined with the
# read/write access to memory_device_t below, are what make this domain
# weakly confined; treat this line as the high-risk part of the policy
# when reviewing changes.
allow $1_vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio };

# Access to ttys
# Also allows use of file descriptors inherited from privfd domains.
allow $1_vmware_t vmware_device_t:chr_file rw_file_perms;
allow $1_vmware_t $1_tty_device_t:chr_file rw_file_perms;
allow $1_vmware_t privfd:fd use;

# Access /proc
r_dir_file($1_vmware_t, proc_t)
allow $1_vmware_t proc_net_t:dir search;
allow $1_vmware_t proc_net_t:file { getattr read };

# Access to some files in the user home directory
# Read access covers everything labeled $1_home_t, not only ~/.vmware.
r_dir_file($1_vmware_t, $1_home_t)

# Access to runtime files for user
allow $1_vmware_t $1_vmware_file_t:dir rw_dir_perms;
allow $1_vmware_t $1_vmware_file_t:file create_file_perms;
allow $1_vmware_t $1_vmware_conf_t:file create_file_perms;

# Allow read access to /etc/vmware and /usr/lib/vmware configuration files
r_dir_file($1_vmware_t, vmware_sys_conf_t)

# Allow $1_vmware_t to read/write files in the tmp dir
# $1_vmware_tmp_t is presumably declared by tmp_domain above.
# NOTE(review): execute on the tmp type means files this domain writes to
# tmp can be run in-domain, which weakens the separate executable type.
tmp_domain($1_vmware)
allow $1_vmware_t $1_vmware_tmp_t:file execute;

# Allow read access to several paths
r_dir_file($1_vmware_t, etc_t)
allow $1_vmware_t etc_runtime_t:file r_file_perms;
allow $1_vmware_t device_t:dir r_dir_perms;
allow $1_vmware_t var_t:dir r_dir_perms;
allow $1_vmware_t tmpfs_t:file rw_file_perms;

# Allow vmware to write to ~/.vmware
rw_dir_create_file($1_vmware_t, $1_vmware_file_t)

#
# This is bad; VMWare needs execute permission to the .cfg file for the
# configuration to run.
# Left disabled: enabling it would let per-user config files run as code
# in this domain.
# allow $1_vmware_t $1_vmware_conf_t:file execute;

# Access X11 config files
allow $1_vmware_t lib_t:file r_file_perms;

# Access components of VMWare in /usr/lib/vmware/bin by default
allow $1_vmware_t bin_t:dir r_dir_perms;

# Allow access to lp port (Need to create an lp device domain )
# This rule is not limited to the lp port: it covers every character
# device node still carrying the generic device_t label.
allow $1_vmware_t device_t:chr_file r_file_perms;

# Allow access to /dev/mem
# NOTE(review): write access to physical memory; review together with
# the privmem attribute and sys_rawio capability above.
allow $1_vmware_t memory_device_t:chr_file { read write };

# Allow access to mouse
allow $1_vmware_t mouse_device_t:chr_file r_file_perms;

# Allow access the sound device
allow $1_vmware_t sound_device_t:chr_file { ioctl write };

# Allow removable media and devices
allow $1_vmware_t removable_device_t:blk_file r_file_perms;
allow $1_vmware_t device_t:lnk_file read;

# Allow access to the real time clock device
allow $1_vmware_t clock_device_t:chr_file read;

# Allow to attach to Xserver, and Xserver to attach back
# Both blocks are conditional on the named policy file being part of the
# build (presumably the build defines these symbols when the .te files
# are present).
ifdef(`gnome-pty-helper.te', `
allow $1_vmware_t $1_gph_t:fd use;
')
ifdef(`startx.te', `
# unlink on the X server socket file lets the domain remove the socket,
# not only connect through it.
allow $1_vmware_t $1_xserver_tmp_t:sock_file { unlink write };
allow $1_vmware_t $1_xserver_tmp_t:dir search;
allow $1_vmware_t $1_xserver_t:unix_stream_socket connectto;
allow $1_xserver_t $1_vmware_t:shm r_shm_perms;
allow $1_xserver_t $1_vmware_t:fd use;
')

# Allow filesystem read access
allow $1_vmware_t fs_t:filesystem getattr;
')