[selinux-policy: 2183/3172] vmware patch from dan.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:13:56 UTC 2010


commit 91550027de9854e613bfe248f3eac62d0e464bb4
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Jul 28 11:37:34 2009 -0400

    vmware patch from dan.

 policy/modules/apps/vmware.fc |    1 +
 policy/modules/apps/vmware.te |   31 +++++++++++++++++++++++++------
 2 files changed, 26 insertions(+), 6 deletions(-)
---
diff --git a/policy/modules/apps/vmware.fc b/policy/modules/apps/vmware.fc
index f1fb639..12ae3ab 100644
--- a/policy/modules/apps/vmware.fc
+++ b/policy/modules/apps/vmware.fc
@@ -63,6 +63,7 @@ ifdef(`distro_gentoo',`
 ')
 
 /var/log/vmware.* 		--	gen_context(system_u:object_r:vmware_log_t,s0)
+/var/log/vnetlib.*		--	gen_context(system_u:object_r:vmware_log_t,s0)
 
 /var/run/vmnat.* 		-s	gen_context(system_u:object_r:vmware_var_run_t,s0)
 /var/run/vmware.* 			gen_context(system_u:object_r:vmware_var_run_t,s0)
diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te
index 02e5782..dd2f739 100644
--- a/policy/modules/apps/vmware.te
+++ b/policy/modules/apps/vmware.te
@@ -1,5 +1,5 @@
 
-policy_module(vmware, 2.0.1)
+policy_module(vmware, 2.0.2)
 
 ########################################
 #
@@ -60,14 +60,18 @@ typealias vmware_tmpfs_t alias { auditadm_vmware_tmpfs_t secadm_vmware_tmpfs_t }
 files_tmpfs_file(vmware_tmpfs_t)
 ubac_constrained(vmware_tmpfs_t)
 
+ifdef(`enable_mcs',`
+	init_ranged_daemon_domain(vmware_host_t, vmware_host_exec_t, s0 - mcs_systemhigh)
+')
+
 ########################################
 #
 # VMWare host local policy
 #
 
-allow vmware_host_t self:capability { setgid setuid net_raw };
+allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time sys_ptrace kill dac_override };
 dontaudit vmware_host_t self:capability sys_tty_config;
-allow vmware_host_t self:process signal_perms;
+allow vmware_host_t self:process { execstack execmem signal_perms };
 allow vmware_host_t self:fifo_file rw_fifo_file_perms;
 allow vmware_host_t self:unix_stream_socket create_stream_socket_perms;
 allow vmware_host_t self:rawip_socket create_socket_perms;
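Review bot: The widened rule `allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time sys_ptrace kill dac_override };` grants five new capabilities, and the line after it adds `execstack execmem`, but neither the rules nor the commit message ("vmware patch from dan.") records which denial each one resolves. `sys_ptrace` and `dac_override` in particular let the host daemon inspect other processes' state and bypass file DAC checks, so they are the ones a later maintainer will most want a reason for before keeping them. I would add a comment such as `# sys_ptrace/dac_override/sys_time: <AVC that motivated them> -- confirm still needed` above the capability rule, and give `execmem execstack` their own line with a similar note so each can be dropped independently if the binaries stop needing it. The new `ifdef(`enable_mcs'` block looks consistent with how other daemons in this tree get a ranged domain, assuming the plain init_daemon_domain call for vmware_host_t sits outside this hunk.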
@@ -84,8 +88,7 @@ manage_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t)
 logging_log_filetrans(vmware_host_t, vmware_log_t, { file dir })
 
 kernel_read_kernel_sysctls(vmware_host_t)
-kernel_list_proc(vmware_host_t)
-kernel_read_proc_symlinks(vmware_host_t)
+kernel_read_system_state(vmware_host_t)
 
 corenet_all_recvfrom_unlabeled(vmware_host_t)
 corenet_all_recvfrom_netlabel(vmware_host_t)
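Review bot: The swap to `kernel_read_system_state(vmware_host_t)` is a widening, not a refactor: if I read the refpolicy interfaces correctly it grants reading proc_t files as well, whereas the two removed lines only covered listing proc directories and reading their symlinks. The same applies to the last hunk, where `fs_getattr_xattr_fs(vmware_t)` becomes `fs_getattr_all_fs(vmware_t)`. Both are defensible, but the commit message should say so, or a comment like `# reads /proc files, not just the directory listing` should sit on the new line so the extra access is deliberate rather than incidental.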
@@ -104,22 +107,33 @@ corenet_tcp_connect_all_ports(vmware_host_t)
 corenet_sendrecv_all_client_packets(vmware_host_t)
 corenet_sendrecv_all_server_packets(vmware_host_t)
 
+corecmd_exec_bin(vmware_host_t)
+corecmd_exec_shell(vmware_host_t)
+
+dev_getattr_all_blk_files(vmware_host_t)
 dev_read_sysfs(vmware_host_t)
 dev_read_urand(vmware_host_t)
 dev_rw_vmware(vmware_host_t)
 
 domain_use_interactive_fds(vmware_host_t)
+domain_dontaudit_read_all_domains_state(vmware_host_t)
 
+files_list_tmp(vmware_host_t)
 files_read_etc_files(vmware_host_t)
+files_read_etc_runtime_files(vmware_host_t)
 
 fs_getattr_all_fs(vmware_host_t)
 fs_search_auto_mountpoints(vmware_host_t)
 
+storage_getattr_fixed_disk_dev(vmware_host_t)
+
 term_dontaudit_use_console(vmware_host_t)
 
 init_use_fds(vmware_host_t)
 init_use_script_ptys(vmware_host_t)
 
+libs_exec_ld_so(vmware_host_t)
+
 logging_send_syslog_msg(vmware_host_t)
 
 miscfiles_read_localization(vmware_host_t)
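Review bot: `libs_exec_ld_so(vmware_host_t)` together with the new `corecmd_exec_bin` and `corecmd_exec_shell` lines lets the host daemon run the dynamic loader, a shell and any bin_t program in its own domain, which is a much larger executable surface than the rest of this block implies. Added in the same hunk, `domain_dontaudit_read_all_domains_state(vmware_host_t)` silences the audit trail for reads of every domain's /proc state, so with `sys_ptrace` granted in the earlier hunk this is the one place where the policy both widens access and hides evidence of its use; a dontaudit is fine for noise, but it should be clear the reads are not actually required. I would add `# ld.so is invoked directly by <vmware component> -- confirm` above the libs_exec_ld_so line, and a similar comment naming the denial that motivated the dontaudit so the next reviewer can tell noise suppression from a missing allow.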
@@ -140,6 +154,11 @@ optional_policy(`
 	udev_read_db(vmware_host_t)
 ')
 
+optional_policy(`
+	xserver_read_tmp_files(vmware_host_t)
+	xserver_read_xdm_pid(vmware_host_t)
+')
+
 ifdef(`TODO',`
 # VMWare need access to pcmcia devices for network
 optional_policy(`
@@ -226,7 +245,7 @@ files_read_etc_runtime_files(vmware_t)
 files_read_usr_files(vmware_t)
 files_list_home(vmware_t)
 
-fs_getattr_xattr_fs(vmware_t)
+fs_getattr_all_fs(vmware_t)
 fs_search_auto_mountpoints(vmware_t)
 
 storage_raw_read_removable_device(vmware_t)

