[selinux-policy: 1393/3172] fixes for testing with unconfined vms
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:05:50 UTC 2010
commit 5b7b2b024af060b10d94ba8839ea92ac9db4c507
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Apr 26 19:03:41 2006 +0000
fixes for testing with unconfined vms
refpolicy/policy/modules/apps/vmware.te | 22 ++++++++++++++++++--
refpolicy/policy/modules/kernel/corenetwork.if.in | 3 +-
2 files changed, 21 insertions(+), 4 deletions(-)
---
diff --git a/refpolicy/policy/modules/apps/vmware.te b/refpolicy/policy/modules/apps/vmware.te
index ea3d6c7..fd47f51 100644
--- a/refpolicy/policy/modules/apps/vmware.te
+++ b/refpolicy/policy/modules/apps/vmware.te
@@ -27,21 +27,37 @@ files_pid_file(vmware_var_run_t)
# VMWare host local policy
#
+allow vmware_host_t self:capability { setuid net_raw };
dontaudit vmware_host_t self:capability sys_tty_config;
allow vmware_host_t self:process signal_perms;
+allow vmware_host_t self:unix_stream_socket create_stream_socket_perms;
+allow vmware_host_t self:rawip_socket create_socket_perms;
-allow vmware_host_t vmware_var_run_t:file create_file_perms;
+# cjp: the ro and rw files should be split up
+allow vmware_host_t vmware_sys_conf_t:dir rw_dir_perms;
+allow vmware_host_t vmware_sys_conf_t:file manage_file_perms;
+
+allow vmware_host_t vmware_var_run_t:file manage_file_perms;
+allow vmware_host_t vmware_var_run_t:sock_file manage_file_perms;
allow vmware_host_t vmware_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(vmware_host_t,vmware_var_run_t,file)
+files_pid_filetrans(vmware_host_t,vmware_var_run_t,{ file sock_file })
kernel_read_kernel_sysctls(vmware_host_t)
kernel_list_proc(vmware_host_t)
kernel_read_proc_symlinks(vmware_host_t)
+corenet_non_ipsec_sendrecv(vmware_host_t)
+corenet_raw_sendrecv_generic_if(vmware_host_t)
+corenet_raw_sendrecv_all_nodes(vmware_host_t)
+corenet_raw_bind_all_nodes(vmware_host_t)
+
dev_read_sysfs(vmware_host_t)
+dev_rw_vmware(vmware_host_t)
domain_use_interactive_fds(vmware_host_t)
+files_read_etc_files(vmware_host_t)
+
fs_getattr_all_fs(vmware_host_t)
fs_search_auto_mountpoints(vmware_host_t)
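Review bot: The new `allow vmware_host_t self:capability { setuid net_raw };` together with the rawip_socket rule and the three corenet_raw_* calls lets vmware_host_t open raw IP sockets and send, receive and bind on every node, and nothing in the hunk records which VMware component needs that; a one-line comment such as `# net_raw/rawip_socket: needed by <component> — TODO confirm` next to the capability rule would let a later maintainer distinguish the requirement from a leftover, and the same goes for `setuid`. The second hunk of this file adds a transition to ping_t via netutils_domtrans_ping, so if ping is the only raw-socket user here, the transition already covers it and the raw rules in this domain may be unnecessary; worth checking against the AVC denials that motivated them. On the `vmware_var_run_t:sock_file` line, `manage_file_perms` is the regular-file permission set; the sock_file set is `manage_sock_file_perms`, which states the intent even where the two expand to the same permissions.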
@@ -74,7 +90,7 @@ optional_policy(`
optional_policy(`
udev_read_db(vmware_host_t)
')
-
+netutils_domtrans_ping(vmware_host_t)
ifdef(`TODO',`
# VMWare need access to pcmcia devices for network
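Review bot: `netutils_domtrans_ping(vmware_host_t)` is added unconditionally, replacing the blank line, while the udev_read_db call directly above it sits inside an optional_policy block; netutils is a separate module, so without that wrapper vmware.te presumably carries a hard link-time dependency on it and the module will not insert where netutils is absent. Wrap the new call the same way as the udev call, with `netutils_domtrans_ping(vmware_host_t)` as the single line inside the optional_policy block, and keep a blank line before the block so it matches the layout of the surrounding optional_policy entries.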
diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.in b/refpolicy/policy/modules/kernel/corenetwork.if.in
index 461f485..1dd66cf 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.if.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.if.in
@@ -573,7 +573,8 @@ interface(`corenet_udp_bind_all_nodes',`
## The type of the process performing this action.
## </summary>
## </param>
-# rawip_socket node_bind does not make much sense.
+# rawip_socket node_bind does not make much sense.
+# cjp: vmware hits this too
interface(`corenet_raw_bind_all_nodes',`
gen_require(`
attribute node_type;