Containing vmware player 2.0.0 with SELINUX
lshoujun at yahoo.com
Thu Jul 12 08:21:35 UTC 2007
At this point i'm still trying to use SELINUX to "contain" vmware player, making it run in
I'm still rather new to this but through the help of Ken, i've been able to manipulate modules and
get it to "affect" the vmware player but at this point my vmware player is still "broken".
Would anyone be able to share their configurations (.te,.fc,.if) file if you've managed to get it
to work with vmware player or vmware-workstation 6 ? CUrrently i'm working with Fedora 7 but
intend to port it back to RHEL 5.
I've downloaded the latest reference policy from oss and examined the vmware relevant files. From
examining the vmware.fc and "/etc/selinux/targeted/modules/active/file_context", seems like the
vmware.fc file could have been written for an older/different version of vmware where the vmnet
devices are at /dev/vmnet.* instead of /dev/vmnet* found in vmplayer 2/workstation 6. Which
version was it written for?
I went on to modify the vmware.fc file and managed to compile and load the vmware.pp module. But
currently this affected the vmware services at startup, e.g. vmnet-dhcpd. For vmware, when
something fails to start, it would ask me to rum vmware-config.pl again when i restart it. Doing
this would recreate the /dev/vmnet* files over again but it will not have the right context,
defaulting to "device_t" instead of "vmware_device_t" that i have modified. The line in my
vmware.fc looks like this:
/dev/vmnet0 -- gen_context(system_u:object_r:vmware_device_t,s0)
/dev/vmnet1 -- gen_context(system_u:object_r:vmware_device_t,s0)
/dev/vmnet8 -- gen_context(system_u:object_r:vmware_device_t,s0)
I was thinking that if the script has created a new /dev/vmnet file it would automatically use the
vmware_device_t context but it didn't. Did i miss out anything?
What is the two "--" on the line mean? are they significant?
Sorry about the long post, any help or advice? Thanks.
Send instant messages to your online friends http://uk.messenger.yahoo.com
More information about the selinux