selinux-policy/strict/macros/program/vmware_macros.te

# Macro for vmware
#
# Based on work contributed by Mark Westerman (mark.westerman@westcam.com), 
# modifications by NAI Labs.
#
# Turned into a macro by Thomas Bleher <ThomasBleher@gmx.de>
#
# vmware_domain(domain_prefix)
#
# Define a derived domain for the vmware program when executed by
# a user domain.
#
# The type declaration for the executable type for this program is
# provided separately in domains/program/vmware.te. This file also
# implements a separate domain vmware_t.
#
 
define(`vmware_domain', `

# Domain for the user applications to run in.
type $1_vmware_t, domain, privmem;

role $1_r types $1_vmware_t;

# The user file type is for files created when the user is running VMWare
type $1_vmware_file_t, $1_file_type, file_type, sysadmfile;

# The user file type for the VMWare configuration files
type $1_vmware_conf_t, $1_file_type, file_type, sysadmfile;

#############################################################
# User rules for running VMWare
#
# Transition to VMWare user domain
domain_auto_trans($1_t, vmware_user_exec_t, $1_vmware_t)
can_exec($1_vmware_t, vmware_user_exec_t)
uses_shlib($1_vmware_t)
var_run_domain($1_vmware)

general_domain_access($1_vmware_t);

# Capabilities needed by VMWare for the user execution. This seems a 
# bit too much, so be careful.
allow $1_vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio };

# Access to ttys
allow $1_vmware_t vmware_device_t:chr_file rw_file_perms;
allow $1_vmware_t $1_tty_device_t:chr_file rw_file_perms;
allow $1_vmware_t privfd:fd use;

# Access /proc
r_dir_file($1_vmware_t, proc_t)
allow $1_vmware_t proc_net_t:dir search;
allow $1_vmware_t proc_net_t:file { getattr read };

# Access to some files in the user home directory
r_dir_file($1_vmware_t, $1_home_t)

# Access to runtime files for user
allow $1_vmware_t $1_vmware_file_t:dir rw_dir_perms;
allow $1_vmware_t $1_vmware_file_t:file create_file_perms;
allow $1_vmware_t $1_vmware_conf_t:file create_file_perms;

# Allow read access to /etc/vmware and /usr/lib/vmware configuration files
r_dir_file($1_vmware_t, vmware_sys_conf_t)

# Allow $1_vmware_t to read/write files in the tmp dir
tmp_domain($1_vmware)
allow $1_vmware_t $1_vmware_tmp_t:file execute;

# Allow read access to several paths
r_dir_file($1_vmware_t, etc_t)
allow $1_vmware_t etc_runtime_t:file r_file_perms;
allow $1_vmware_t device_t:dir r_dir_perms;
allow $1_vmware_t var_t:dir r_dir_perms;
allow $1_vmware_t tmpfs_t:file rw_file_perms;

# Allow vmware to write to ~/.vmware
rw_dir_create_file($1_vmware_t, $1_vmware_file_t)

#
# This is bad; VMWare needs execute permission to the .cfg file for the
# configuration to run.
#
allow $1_vmware_t $1_vmware_conf_t:file execute;

# Access X11 config files
allow $1_vmware_t lib_t:file r_file_perms;

# Access components of VMWare in /usr/lib/vmware/bin by default
allow $1_vmware_t bin_t:dir r_dir_perms;

# Allow access to lp port (Need to create an lp device domain )
allow $1_vmware_t device_t:chr_file r_file_perms;

# Allow access to /dev/mem
allow $1_vmware_t memory_device_t:chr_file { read write };

# Allow access to mouse
allow $1_vmware_t mouse_device_t:chr_file r_file_perms;

# Allow access the sound device 
allow $1_vmware_t sound_device_t:chr_file { ioctl write };

# Allow removable media and devices
allow $1_vmware_t removable_device_t:blk_file r_file_perms;
allow $1_vmware_t device_t:lnk_file read;

# Allow access to the real time clock device
allow $1_vmware_t clock_device_t:chr_file read;

# Allow to attach to Xserver, and Xserver to attach back
ifdef(`gnome-pty-helper.te', `
allow $1_vmware_t $1_gph_t:fd use;
')
ifdef(`startx.te', `
allow $1_vmware_t $1_xserver_tmp_t:sock_file { unlink write };
allow $1_vmware_t $1_xserver_tmp_t:dir search;
allow $1_vmware_t $1_xserver_t:unix_stream_socket connectto;
allow $1_xserver_t $1_vmware_t:shm r_shm_perms;
allow $1_xserver_t $1_vmware_t:fd use;
')

# Allow filesystem read access
allow $1_vmware_t fs_t:filesystem getattr;

')