[selinux-policy: 2777/3172] VMWare patch from Dan Walsh.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 23:07:08 UTC 2010


commit 072857c42569eca6be5d5f59ec8cfb0692028739
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Jul 8 13:43:50 2010 -0400

    VMWare patch from Dan Walsh.

 policy/modules/apps/vmware.fc |    4 ++--
 policy/modules/apps/vmware.if |   18 ++++++++++++++++++
 policy/modules/apps/vmware.te |   15 ++++++++++++++-
 3 files changed, 34 insertions(+), 3 deletions(-)
---
diff --git a/policy/modules/apps/vmware.fc b/policy/modules/apps/vmware.fc
index a2d4609..5872ea2 100644
--- a/policy/modules/apps/vmware.fc
+++ b/policy/modules/apps/vmware.fc
@@ -20,7 +20,7 @@ HOME_DIR/vmware(/.*)?			gen_context(system_u:object_r:vmware_file_t,s0)
 /usr/bin/vmnet-sniffer		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /usr/bin/vmware-network		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /usr/bin/vmware-nmbd		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
-/usr/bin/vmware-ping		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-ping		--	gen_context(system_u:object_r:vmware_exec_t,s0)
 /usr/bin/vmware-smbd		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /usr/bin/vmware-smbpasswd	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /usr/bin/vmware-smbpasswd\.bin	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
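Review bot: The relabel on `+/usr/bin/vmware-ping ... gen_context(system_u:object_r:vmware_exec_t,s0)` changes which domain a user ends up in when running vmware-ping — vmware_exec_t is presumably the entrypoint of the vmware_t user domain elsewhere in this module, whereas vmware_host_exec_t belongs to the host daemon — and neither the hunk nor the commit message records why. Since the file context is the only thing deciding that transition, a `#` line above the entry stating the intent, for example `# vmware-ping is run from user sessions; confine it as vmware_t, not as the host daemon`, would keep a later reviewer from treating it as a typo and reverting it. If vmware-ping is installed set-uid, as some VMware releases have done, the domain it runs in also bounds what that privilege can reach, which makes the rationale worth writing down. The Gentoo hunk (`/opt/vmware/(workstation|player)/bin/vmware-ping`) makes the same change and would take the same comment.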
@@ -55,7 +55,7 @@ ifdef(`distro_gentoo',`
 /opt/vmware/(workstation|player)/bin/vmnet-netifup --	gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /opt/vmware/(workstation|player)/bin/vmnet-sniffer --	gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /opt/vmware/(workstation|player)/bin/vmware-nmbd --	gen_context(system_u:object_r:vmware_host_exec_t,s0)
-/opt/vmware/(workstation|player)/bin/vmware-ping --	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmware-ping --	gen_context(system_u:object_r:vmware_exec_t,s0)
 /opt/vmware/(workstation|player)/bin/vmware-smbd --	gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /opt/vmware/(workstation|player)/bin/vmware-smbpasswd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /opt/vmware/(workstation|player)/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
diff --git a/policy/modules/apps/vmware.if b/policy/modules/apps/vmware.if
index 80afe1f..853f575 100644
--- a/policy/modules/apps/vmware.if
+++ b/policy/modules/apps/vmware.if
@@ -32,6 +32,24 @@ interface(`vmware_role',`
 
 ########################################
 ## <summary>
+##	Execute vmware host executables
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`vmware_exec_host',`
+	gen_require(`
+		type vmware_host_exec_t;
+	')
+
+	can_exec($1, vmware_host_exec_t)
+')
+
+########################################
+## <summary>
 ##	Read VMWare system configuration files.
 ## </summary>
 ## <param name="domain">
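Review bot: The summary `Execute vmware host executables` on the new vmware_exec_host interface does not say that `can_exec($1, vmware_host_exec_t)` runs the binary in the caller's own domain with no transition to vmware_host_t, which is exactly what a caller choosing between this and a domain-transition interface needs to know. Suggest `##	Execute vmware host executables in the caller domain (no domain transition).`. A caller that wants the daemon's confinement should use a domtrans interface instead, if the module provides one; this interface only widens the caller's own permissions to vmware_host_exec_t files.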
diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te
index b540555..1f803bb 100644
--- a/policy/modules/apps/vmware.te
+++ b/policy/modules/apps/vmware.te
@@ -1,4 +1,4 @@
-policy_module(vmware, 2.2.0)
+policy_module(vmware, 2.2.1)
 
 ########################################
 #
@@ -31,6 +31,10 @@ init_daemon_domain(vmware_host_t, vmware_host_exec_t)
 type vmware_host_pid_t alias vmware_var_run_t;
 files_pid_file(vmware_host_pid_t)
 
+type vmware_host_tmp_t;
+files_tmp_file(vmware_host_tmp_t)
+ubac_constrained(vmware_host_tmp_t)
+
 type vmware_log_t;
 typealias vmware_log_t alias { user_vmware_log_t staff_vmware_log_t sysadm_vmware_log_t };
 typealias vmware_log_t alias { auditadm_vmware_log_t secadm_vmware_log_t };
@@ -76,8 +80,16 @@ allow vmware_host_t self:unix_stream_socket create_stream_socket_perms;
 allow vmware_host_t self:rawip_socket create_socket_perms;
 allow vmware_host_t self:tcp_socket create_socket_perms;
 
+can_exec(vmware_host_t, vmware_host_exec_t)
+
 # cjp: the ro and rw files should be split up
 manage_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t)
+manage_lnk_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t)
+
+manage_dirs_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t)
+manage_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t)
+manage_sock_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t)
+files_tmp_filetrans(vmware_host_t, vmware_host_tmp_t, { file dir })
 
 manage_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t)
 manage_sock_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t)
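Review bot: The new `files_tmp_filetrans(vmware_host_t, vmware_host_tmp_t, { file dir })` omits `sock_file`, while the line just above grants manage_sock_files_pattern on vmware_host_tmp_t; a socket the daemon creates directly in /tmp would therefore receive the generic tmp label and the new socket rule would not apply to it. If vmware_host_t only creates sockets under a vmware_host_tmp_t directory they inherit that label and this is fine; otherwise the class list should read `files_tmp_filetrans(vmware_host_t, vmware_host_tmp_t, { file dir sock_file })`. A short comment above the tmp block stating where the daemon places its sockets would settle it either way.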
@@ -88,6 +100,7 @@ logging_log_filetrans(vmware_host_t, vmware_log_t, { file dir })
 
 kernel_read_kernel_sysctls(vmware_host_t)
 kernel_read_system_state(vmware_host_t)
+kernel_read_network_state(vmware_host_t)
 
 corenet_all_recvfrom_unlabeled(vmware_host_t)
 corenet_all_recvfrom_netlabel(vmware_host_t)

