[selinux-policy: 1395/3172] fixes for confined vmware sessions
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:06:00 UTC 2010
commit 03d797cc97e4a7330a71194372d56090aa4ef0d5
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Apr 26 20:30:08 2006 +0000
fixes for confined vmware sessions
refpolicy/policy/modules/apps/vmware.if | 33 ++++++++++++++++++-----
refpolicy/policy/modules/kernel/corecommands.fc | 4 +++
refpolicy/policy/modules/kernel/devices.if | 19 +++++++++++++
3 files changed, 49 insertions(+), 7 deletions(-)
---
diff --git a/refpolicy/policy/modules/apps/vmware.if b/refpolicy/policy/modules/apps/vmware.if
index 618b8c5..d7dc420 100644
--- a/refpolicy/policy/modules/apps/vmware.if
+++ b/refpolicy/policy/modules/apps/vmware.if
@@ -6,7 +6,7 @@
## </summary>
## <desc>
## <p>
-## This template creates a derived domains which are used
+## This template creates a derived domain which is used
## for vmware sessions.
## </p>
## <p>
@@ -69,8 +69,10 @@ template(`vmware_per_userdomain_template',`
allow $1_vmware_t $2:fifo_file rw_file_perms;
allow $1_vmware_t $2:process sigchld;
- allow $1_vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio };
+ allow $1_vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio chown };
+ dontaudit $1_vmware_t self:capability sys_tty_config;
allow $1_vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow $1_vmware_t self:process { execmem execstack };
allow $1_vmware_t self:fd use;
allow $1_vmware_t self:fifo_file rw_file_perms;
allow $1_vmware_t self:unix_dgram_socket create_socket_perms;
@@ -93,7 +95,8 @@ template(`vmware_per_userdomain_template',`
allow $1_vmware_t $1_vmware_file_t:lnk_file create_lnk_perms;
allow $1_vmware_t $1_vmware_tmp_t:dir manage_dir_perms;
- allow $1_vmware_t $1_vmware_tmp_t:file manage_file_perms;
+ allow $1_vmware_t $1_vmware_tmp_t:file { manage_file_perms execute };
+ allow $1_vmware_t $1_vmware_tmp_t:sock_file manage_file_perms;
files_tmp_filetrans($1_vmware_t, $1_vmware_tmp_t, { file dir })
allow $1_vmware_t $1_vmware_tmpfs_t:dir rw_dir_perms;
@@ -109,41 +112,57 @@ template(`vmware_per_userdomain_template',`
allow $1_vmware_t vmware_sys_conf_t:lnk_file { getattr read };
allow $1_vmware_t $1_vmware_var_run_t:file manage_file_perms;
- allow $1_vmware_t $1_vmware_var_run_t:dir rw_dir_perms;
- files_pid_filetrans($1_vmware_t,$1_vmware_var_run_t,file)
+ allow $1_vmware_t $1_vmware_var_run_t:sock_file manage_file_perms;
+ allow $1_vmware_t $1_vmware_var_run_t:lnk_file create_lnk_perms;
+ allow $1_vmware_t $1_vmware_var_run_t:dir manage_dir_perms;
+ files_pid_filetrans($1_vmware_t,$1_vmware_var_run_t,{ dir file lnk_file })
kernel_read_system_state($1_vmware_t)
kernel_read_network_state($1_vmware_t)
+ kernel_read_kernel_sysctls($1_vmware_t)
- corecmd_list_bin($1_vmware_t)
+ # startup scripts
+ corecmd_exec_bin($1_vmware_t)
+ corecmd_exec_shell($1_vmware_t)
dev_read_raw_memory($1_vmware_t)
dev_write_raw_memory($1_vmware_t)
dev_read_mouse($1_vmware_t)
dev_write_sound($1_vmware_t)
dev_read_realtime_clock($1_vmware_t)
- dev_rw_vmware($1_vmware_t)
+ dev_rwx_vmware($1_vmware_t)
+ dev_rw_usbfs($1_vmware_t)
+ dev_search_sysfs($1_vmware_t)
domain_use_interactive_fds($1_vmware_t)
files_read_etc_files($1_vmware_t)
files_read_etc_runtime_files($1_vmware_t)
+ files_read_usr_files($1_vmware_t)
fs_getattr_xattr_fs($1_vmware_t)
fs_search_auto_mountpoints($1_vmware_t)
storage_raw_read_removable_device($1_vmware_t)
+ storage_raw_write_removable_device($1_vmware_t)
libs_use_ld_so($1_vmware_t)
libs_use_shared_libs($1_vmware_t)
+ # startup scripts run ldd
+ libs_exec_ld_so($1_vmware_t)
# Access X11 config files
libs_read_lib_files($1_vmware_t)
+ miscfiles_read_localization($1_vmware_t)
+
userdom_use_user_terminals($1,$1_vmware_t)
userdom_use_unpriv_users_fds($1_vmware_t)
# cjp: why?
userdom_read_user_home_content_files($1,$1_vmware_t)
+ sysnet_dns_name_resolve($1_vmware_t)
+ sysnet_read_config($1_vmware_t)
+
xserver_user_client_template($1,$1_vmware_t,$1_vmware_tmpfs_t)
')
diff --git a/refpolicy/policy/modules/kernel/corecommands.fc b/refpolicy/policy/modules/kernel/corecommands.fc
index 3871bbb..44e046a 100644
--- a/refpolicy/policy/modules/kernel/corecommands.fc
+++ b/refpolicy/policy/modules/kernel/corecommands.fc
@@ -101,6 +101,10 @@ ifdef(`distro_gentoo',`
/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:sbin_t,s0)
+ifdef(`distro_gentoo',`
+/opt/vmware/workstation/lib/lib/wrapper-gtk24.sh -- gen_context(system_u:object_r:bin_t,s0)
+')
+
#
# /usr
#
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 7d95451..a32e553 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -2706,6 +2706,25 @@ interface(`dev_rw_vmware',`
########################################
## <summary>
+## Read, write, and mmap VMWare devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rwx_vmware',`
+ gen_require(`
+ type device_t, vmware_device_t;
+ ')
+
+ allow $1 device_t:dir list_dir_perms;
+ allow $1 vmware_device_t:chr_file { rw_file_perms execute };
+')
+
+########################################
+## <summary>
## Read and write Xen devices.
## </summary>
## <param name="domain">
More information about the scm-commits
mailing list