[selinux-policy: 1393/3172] fixes for testing with unconfined vms

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:05:50 UTC 2010


commit 5b7b2b024af060b10d94ba8839ea92ac9db4c507
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Apr 26 19:03:41 2006 +0000

    fixes for testing with unconfined vms

 refpolicy/policy/modules/apps/vmware.te           |   22 ++++++++++++++++++--
 refpolicy/policy/modules/kernel/corenetwork.if.in |    3 +-
 2 files changed, 21 insertions(+), 4 deletions(-)
---
diff --git a/refpolicy/policy/modules/apps/vmware.te b/refpolicy/policy/modules/apps/vmware.te
index ea3d6c7..fd47f51 100644
--- a/refpolicy/policy/modules/apps/vmware.te
+++ b/refpolicy/policy/modules/apps/vmware.te
@@ -27,21 +27,37 @@ files_pid_file(vmware_var_run_t)
 # VMWare host local policy
 #
 
+allow vmware_host_t self:capability { setuid net_raw };
 dontaudit vmware_host_t self:capability sys_tty_config;
 allow vmware_host_t self:process signal_perms;
+allow vmware_host_t self:unix_stream_socket create_stream_socket_perms;
+allow vmware_host_t self:rawip_socket create_socket_perms;
 
-allow vmware_host_t vmware_var_run_t:file create_file_perms;
+# cjp: the ro and rw files should be split up
+allow vmware_host_t vmware_sys_conf_t:dir rw_dir_perms;
+allow vmware_host_t vmware_sys_conf_t:file manage_file_perms;
+
+allow vmware_host_t vmware_var_run_t:file manage_file_perms;
+allow vmware_host_t vmware_var_run_t:sock_file manage_file_perms;
 allow vmware_host_t vmware_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(vmware_host_t,vmware_var_run_t,file)
+files_pid_filetrans(vmware_host_t,vmware_var_run_t,{ file sock_file })
 
 kernel_read_kernel_sysctls(vmware_host_t)
 kernel_list_proc(vmware_host_t)
 kernel_read_proc_symlinks(vmware_host_t)
 
+corenet_non_ipsec_sendrecv(vmware_host_t)
+corenet_raw_sendrecv_generic_if(vmware_host_t)
+corenet_raw_sendrecv_all_nodes(vmware_host_t)
+corenet_raw_bind_all_nodes(vmware_host_t)
+
 dev_read_sysfs(vmware_host_t)
+dev_rw_vmware(vmware_host_t)
 
 domain_use_interactive_fds(vmware_host_t)
 
+files_read_etc_files(vmware_host_t)
+
 fs_getattr_all_fs(vmware_host_t)
 fs_search_auto_mountpoints(vmware_host_t)
 
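Review bot: The new `allow vmware_host_t self:capability { setuid net_raw };` together with `allow vmware_host_t self:rawip_socket create_socket_perms;` and the four `corenet_raw_*`/`corenet_non_ipsec_sendrecv` calls let the host domain open raw IP sockets on every node and interface, and nothing in the hunk records which vmware-host component needs that; if the driver is ICMP reachability checks, the `netutils_domtrans_ping(vmware_host_t)` call added in the second hunk already reaches ping through a domain transition, which may make the direct raw-socket rules redundant. The `setuid` capability is likewise unexplained. Suggest a comment above the capability line such as `# net_raw/rawip_socket: needed by TODO(name the vmware-host component); not covered by the ping transition`, and dropping whichever of the two routes turns out to be unused. The `manage_file_perms` grant on `vmware_sys_conf_t` also lets the domain create and delete system config files, which the inline "cjp" note already marks for splitting into read-only and read-write types.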
@@ -74,7 +90,7 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(vmware_host_t)
 ')
-
+netutils_domtrans_ping(vmware_host_t)
 
 ifdef(`TODO',`
 # VMWare need access to pcmcia devices for network
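Review bot: `netutils_domtrans_ping(vmware_host_t)` is added at file scope, whereas the neighbouring `udev_read_db(vmware_host_t)` call three lines above is wrapped in an optional_policy block; refpolicy calls into another optional module's interfaces inside optional_policy so that this module still links when that module (here netutils) is absent. Wrap the new line the same way as the udev block, with the call indented by one tab between the opening optional_policy line and the closing quote. The removed blank line (L65) was the separator between the udev block and the ifdef that follows; with the wrap applied, keep one blank line before it. The enclosing ifdef(TODO) section continues outside the hunk.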
diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.in b/refpolicy/policy/modules/kernel/corenetwork.if.in
index 461f485..1dd66cf 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.if.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.if.in
@@ -573,7 +573,8 @@ interface(`corenet_udp_bind_all_nodes',`
 ##	The type of the process performing this action.
 ##	</summary>
 ## </param>
-# rawip_socket node_bind does not make much sense. 
+# rawip_socket node_bind does not make much sense.
+# cjp: vmware hits this too
 interface(`corenet_raw_bind_all_nodes',`
 	gen_require(`
 		attribute node_type;

