[selinux-policy: 1395/3172] fixes for confined vmware sessions

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:06:00 UTC 2010 

commit 03d797cc97e4a7330a71194372d56090aa4ef0d5
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Apr 26 20:30:08 2006 +0000

    fixes for confined vmware sessions

 refpolicy/policy/modules/apps/vmware.if         |   33 ++++++++++++++++++-----
 refpolicy/policy/modules/kernel/corecommands.fc |    4 +++
 refpolicy/policy/modules/kernel/devices.if      |   19 +++++++++++++
 3 files changed, 49 insertions(+), 7 deletions(-)
---
diff --git a/refpolicy/policy/modules/apps/vmware.if b/refpolicy/policy/modules/apps/vmware.if
index 618b8c5..d7dc420 100644
--- a/refpolicy/policy/modules/apps/vmware.if
+++ b/refpolicy/policy/modules/apps/vmware.if
@@ -6,7 +6,7 @@
 ## </summary>
 ## <desc>
 ##	<p>
-##	This template creates a derived domains which are used
+##	This template creates a derived domain which is used
 ##	for vmware sessions.
 ##	</p>
 ##	<p>
@@ -69,8 +69,10 @@ template(`vmware_per_userdomain_template',`
 	allow $1_vmware_t $2:fifo_file rw_file_perms;
 	allow $1_vmware_t $2:process sigchld;
 
-	allow $1_vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio };
+	allow $1_vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio chown };
+	dontaudit $1_vmware_t self:capability sys_tty_config;
 	allow $1_vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+	allow $1_vmware_t self:process { execmem execstack };
 	allow $1_vmware_t self:fd use;
 	allow $1_vmware_t self:fifo_file rw_file_perms;
 	allow $1_vmware_t self:unix_dgram_socket create_socket_perms;
@@ -93,7 +95,8 @@ template(`vmware_per_userdomain_template',`
 	allow $1_vmware_t $1_vmware_file_t:lnk_file create_lnk_perms;
 
 	allow $1_vmware_t $1_vmware_tmp_t:dir manage_dir_perms;
-	allow $1_vmware_t $1_vmware_tmp_t:file manage_file_perms;
+	allow $1_vmware_t $1_vmware_tmp_t:file { manage_file_perms execute };
+	allow $1_vmware_t $1_vmware_tmp_t:sock_file manage_file_perms;
 	files_tmp_filetrans($1_vmware_t, $1_vmware_tmp_t, { file dir })
 
 	allow $1_vmware_t $1_vmware_tmpfs_t:dir rw_dir_perms;
@@ -109,41 +112,57 @@ template(`vmware_per_userdomain_template',`
 	allow $1_vmware_t vmware_sys_conf_t:lnk_file { getattr read };
 
 	allow $1_vmware_t $1_vmware_var_run_t:file manage_file_perms;
-	allow $1_vmware_t $1_vmware_var_run_t:dir rw_dir_perms;
-	files_pid_filetrans($1_vmware_t,$1_vmware_var_run_t,file)
+	allow $1_vmware_t $1_vmware_var_run_t:sock_file manage_file_perms;
+	allow $1_vmware_t $1_vmware_var_run_t:lnk_file create_lnk_perms;
+	allow $1_vmware_t $1_vmware_var_run_t:dir manage_dir_perms;
+	files_pid_filetrans($1_vmware_t,$1_vmware_var_run_t,{ dir file lnk_file })
 
 	kernel_read_system_state($1_vmware_t)
 	kernel_read_network_state($1_vmware_t)
+	kernel_read_kernel_sysctls($1_vmware_t)
 
-	corecmd_list_bin($1_vmware_t)
+	# startup scripts
+	corecmd_exec_bin($1_vmware_t)
+	corecmd_exec_shell($1_vmware_t)
 
 	dev_read_raw_memory($1_vmware_t)
 	dev_write_raw_memory($1_vmware_t)
 	dev_read_mouse($1_vmware_t)
 	dev_write_sound($1_vmware_t)
 	dev_read_realtime_clock($1_vmware_t)
-	dev_rw_vmware($1_vmware_t)
+	dev_rwx_vmware($1_vmware_t)
+	dev_rw_usbfs($1_vmware_t)
+	dev_search_sysfs($1_vmware_t)
 
 	domain_use_interactive_fds($1_vmware_t)
 
 	files_read_etc_files($1_vmware_t)
 	files_read_etc_runtime_files($1_vmware_t)
+	files_read_usr_files($1_vmware_t)
 
 	fs_getattr_xattr_fs($1_vmware_t)
 	fs_search_auto_mountpoints($1_vmware_t)
 
 	storage_raw_read_removable_device($1_vmware_t)
+	storage_raw_write_removable_device($1_vmware_t)
 
 	libs_use_ld_so($1_vmware_t)
 	libs_use_shared_libs($1_vmware_t)
+	# startup scripts run ldd
+	libs_exec_ld_so($1_vmware_t)
 	# Access X11 config files
 	libs_read_lib_files($1_vmware_t)
 
+	miscfiles_read_localization($1_vmware_t)
+
 	userdom_use_user_terminals($1,$1_vmware_t)
 	userdom_use_unpriv_users_fds($1_vmware_t)
 	# cjp: why?
 	userdom_read_user_home_content_files($1,$1_vmware_t)
 
+	sysnet_dns_name_resolve($1_vmware_t)
+	sysnet_read_config($1_vmware_t)
+
 	xserver_user_client_template($1,$1_vmware_t,$1_vmware_tmpfs_t)
 ')
 
diff --git a/refpolicy/policy/modules/kernel/corecommands.fc b/refpolicy/policy/modules/kernel/corecommands.fc
index 3871bbb..44e046a 100644
--- a/refpolicy/policy/modules/kernel/corecommands.fc
+++ b/refpolicy/policy/modules/kernel/corecommands.fc
@@ -101,6 +101,10 @@ ifdef(`distro_gentoo',`
 
 /opt/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:sbin_t,s0)
 
+ifdef(`distro_gentoo',`
+/opt/vmware/workstation/lib/lib/wrapper-gtk24.sh -- gen_context(system_u:object_r:bin_t,s0)
+')
+
 #
 # /usr
 #
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 7d95451..a32e553 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -2706,6 +2706,25 @@ interface(`dev_rw_vmware',`
 
 ########################################
 ## <summary>
+##	Read, write, and mmap VMWare devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rwx_vmware',`
+	gen_require(`
+		type device_t, vmware_device_t;
+	')
+
+	allow $1 device_t:dir list_dir_perms;
+	allow $1 vmware_device_t:chr_file { rw_file_perms execute };
+')
+
+########################################
+## <summary>
 ##	Read and write Xen devices.
 ## </summary>
 ## <param name="domain">

More information about the scm-commits mailing list