Gentoo Archives: gentoo-commits

From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Wed, 31 Oct 2012 18:10:43
Message-Id: 1351706663.fc0e045f7ea52cdf449ca1fd8218adad5b78d49b.SwifT@gentoo
1 commit: fc0e045f7ea52cdf449ca1fd8218adad5b78d49b
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Wed Oct 31 08:57:16 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Wed Oct 31 18:04:23 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=fc0e045f
7
8 Changes to the vmware policy module
9
10 Module clean up
11
12 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
13
14 ---
15 policy/modules/contrib/vmware.fc | 13 --------
16 policy/modules/contrib/vmware.if | 36 +++++++++++++--------
17 policy/modules/contrib/vmware.te | 64 ++++++++++++++++++-------------------
18 3 files changed, 54 insertions(+), 59 deletions(-)
19
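--- a/policy/modules/contrib/vmware.fc
+++ b/policy/modules/contrib/vmware.fc
@@ -1,18 +1,9 @@
-#
-# HOME_DIR/
-#
 HOME_DIR/\.vmware(/.*)? gen_context(system_u:object_r:vmware_file_t,s0)
 HOME_DIR/\.vmware[^/]*/.*\.cfg -- gen_context(system_u:object_r:vmware_conf_t,s0)
 HOME_DIR/vmware(/.*)? gen_context(system_u:object_r:vmware_file_t,s0)
 
-#
-# /etc
-#
 /etc/vmware.*(/.*)? gen_context(system_u:object_r:vmware_sys_conf_t,s0)
 
-#
-# /usr
-#
 /usr/bin/vmnet-bridge -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /usr/bin/vmnet-dhcpd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /usr/bin/vmnet-natd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
@@ -34,15 +25,12 @@ HOME_DIR/vmware(/.*)? gen_context(system_u:object_r:vmware_file_t,s0)
 /usr/lib/vmware/bin/vmware-ui -- gen_context(system_u:object_r:vmware_exec_t,s0)
 /usr/lib/vmware/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
 
-ifdef(`distro_redhat',`
 /usr/lib/vmware-tools/sbin32/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /usr/lib/vmware-tools/sbin64/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
-')
 
 /usr/sbin/vmware-guest.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /usr/sbin/vmware-serverd -- gen_context(system_u:object_r:vmware_exec_t,s0)
 
-ifdef(`distro_gentoo',`
 /opt/vmware/(workstation|player)/bin/vmnet-bridge -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /opt/vmware/(workstation|player)/bin/vmnet-dhcpd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /opt/vmware/(workstation|player)/bin/vmnet-natd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
@@ -55,7 +43,6 @@ ifdef(`distro_gentoo',`
 /opt/vmware/(workstation|player)/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /opt/vmware/(workstation|player)/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0)
 /opt/vmware/(workstation|player)/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0)
-')
 
 /var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0)
 /var/log/vnetlib.* -- gen_context(system_u:object_r:vmware_log_t,s0)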
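Review bot: Dropping the distro_redhat and distro_gentoo wrappers in the second and third hunks makes the wildcard entries `/usr/lib/vmware-tools/sbin32/vmware.*` and `/usr/lib/vmware-tools/sbin64/vmware.*` apply on every distribution, and vmware.te declares `vmware_host_exec_t` as the init entry point for `vmware_host_t`. Any regular file matching those patterns therefore becomes an entry point into a domain that holds setuid, sys_ptrace and dac_override, which the commit message ("Module clean up") does not mention. If the match-all is intended, a comment above the two lines would record it, for example `# vmware-tools helpers are labelled on all distributions, not only Red Hat`; otherwise the specific binaries should be listed instead of `vmware.*`. Existing systems presumably need these paths relabelled before the new contexts take effect.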
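--- a/policy/modules/contrib/vmware.if
+++ b/policy/modules/contrib/vmware.if
@@ -1,33 +1,40 @@
-## <summary>VMWare Workstation virtual machines</summary>
+## <summary>VMWare Workstation virtual machines.</summary>
 
 ########################################
 ## <summary>
-## Role access for vmware
+## Role access for vmware.
 ## </summary>
 ## <param name="role">
 ## <summary>
-## Role allowed access
+## Role allowed access.
 ## </summary>
 ## </param>
 ## <param name="domain">
 ## <summary>
-## User domain for the role
+## User domain for the role.
 ## </summary>
 ## </param>
 #
 interface(`vmware_role',`
 gen_require(`
- type vmware_t, vmware_exec_t;
+ type vmware_t, vmware_exec_t, vmware_file_t;
+ type vmware_conf_t, vmware_tmp_t, vmware_tmpfs_t;
 ')
 
 role $1 types vmware_t;
 
- # Transition from the user domain to the derived domain.
 domtrans_pattern($2, vmware_exec_t, vmware_t)
 
- # allow ps to show vmware and allow the user to kill it
 ps_process_pattern($2, vmware_t)
- allow $2 vmware_t:process signal;
+ allow $2 vmware_t:process { ptrace signal_perms };
+
+ allow $2 { vmware_tmp_t vmware_file_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { vmware_conf_t vmware_file_t vmware_tmp_t vmware_tmpfs_t }:file { manage_file_perms relabel_file_perms };
+ allow $2 { vmware_tmp_t vmware_tmpfs_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ allow $2 vmware_tmpfs_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ allow $2 vmware_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+ userdom_user_home_dir_filetrans($2, vmware_file_t, dir, ".vmware")
+ userdom_user_home_dir_filetrans($2, vmware_file_t, dir, "vmware")
 ')
 
 ########################################
@@ -45,12 +52,13 @@ interface(`vmware_exec_host',`
 type vmware_host_exec_t;
 ')
 
+ corecmd_search_bin($1)
 can_exec($1, vmware_host_exec_t)
 ')
 
 ########################################
 ## <summary>
-## Read VMWare system configuration files.
+## Read vmware system configuration files.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -63,12 +71,13 @@ interface(`vmware_read_system_config',`
 type vmware_sys_conf_t;
 ')
 
- allow $1 vmware_sys_conf_t:file { getattr read };
+ files_search_etc($1)
+ allow $1 vmware_sys_conf_t:file read_file_perms;
 ')
 
 ########################################
 ## <summary>
-## Append to VMWare system configuration files.
+## Append vmware system configuration files.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -81,12 +90,13 @@ interface(`vmware_append_system_config',`
 type vmware_sys_conf_t;
 ')
 
- allow $1 vmware_sys_conf_t:file append;
+ files_search_etc($1)
+ allow $1 vmware_sys_conf_t:file append_file_perms;
 ')
 
 ########################################
 ## <summary>
-## Append to VMWare log files.
+## Append vmware log files.
 ## </summary>
 ## <param name="domain">
 ## <summary>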
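Review bot: In vmware_role (first hunk) the new `allow $2 vmware_t:process { ptrace signal_perms };` widens the old signal-only rule to include ptrace, although the commit message describes the change only as a clean-up. vmware.te grants vmware_t capabilities such as sys_admin, sys_rawio and dac_override, so a role domain allowed to trace vmware_t can act through a process that holds them. Unless tracing is a documented requirement, I would keep `allow $2 vmware_t:process signal_perms;` and leave ptrace out. The same hunk adds relabel permissions on the vmware file types while removing both explanatory comments; a one-line comment above the new allow rules saying why the calling domain needs manage and relabel access would help the next reviewer.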
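--- a/policy/modules/contrib/vmware.te
+++ b/policy/modules/contrib/vmware.te
@@ -1,11 +1,10 @@
-policy_module(vmware, 2.6.0)
+policy_module(vmware, 2.6.1)
 
 ########################################
 #
 # Declarations
 #
 
-# VMWare user program
 type vmware_t;
 type vmware_exec_t;
 typealias vmware_t alias { user_vmware_t staff_vmware_t sysadm_vmware_t };
@@ -22,7 +21,6 @@ typealias vmware_file_t alias { user_vmware_file_t staff_vmware_file_t sysadm_vm
 typealias vmware_file_t alias { auditadm_vmware_file_t secadm_vmware_file_t };
 userdom_user_home_content(vmware_file_t)
 
-# VMWare host programs
 type vmware_host_t;
 type vmware_host_exec_t;
 init_daemon_domain(vmware_host_t, vmware_host_exec_t)
@@ -45,9 +43,8 @@ typealias vmware_pid_t alias { auditadm_vmware_pid_t secadm_vmware_pid_t };
 files_pid_file(vmware_pid_t)
 ubac_constrained(vmware_pid_t)
 
-# Systemwide configuration files
 type vmware_sys_conf_t;
-files_type(vmware_sys_conf_t)
+files_config_file(vmware_sys_conf_t)
 
 type vmware_tmp_t;
 typealias vmware_tmp_t alias { user_vmware_tmp_t staff_vmware_tmp_t sysadm_vmware_tmp_t };
@@ -65,20 +62,16 @@ ifdef(`enable_mcs',`
 
 ########################################
 #
-# VMWare host local policy
+# Host local policy
 #
 
 allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time sys_ptrace kill dac_override };
 dontaudit vmware_host_t self:capability sys_tty_config;
 allow vmware_host_t self:process { execstack execmem signal_perms };
 allow vmware_host_t self:fifo_file rw_fifo_file_perms;
-allow vmware_host_t self:unix_stream_socket create_stream_socket_perms;
+allow vmware_host_t self:unix_stream_socket { accept listen };
 allow vmware_host_t self:rawip_socket create_socket_perms;
-allow vmware_host_t self:tcp_socket create_socket_perms;
 
-can_exec(vmware_host_t, vmware_host_exec_t)
-
-# cjp: the ro and rw files should be split up
 manage_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t)
 manage_lnk_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t)
 
@@ -91,8 +84,12 @@ manage_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t)
 manage_sock_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t)
 files_pid_filetrans(vmware_host_t, vmware_var_run_t, { file sock_file })
 
-manage_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t)
-logging_log_filetrans(vmware_host_t, vmware_log_t, { file dir })
+append_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t)
+create_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t)
+setattr_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t)
+logging_log_filetrans(vmware_host_t, vmware_log_t, file)
+
+can_exec(vmware_host_t, vmware_host_exec_t)
 
 kernel_read_kernel_sysctls(vmware_host_t)
 kernel_read_system_state(vmware_host_t)
@@ -107,13 +104,9 @@ corenet_tcp_sendrecv_generic_node(vmware_host_t)
 corenet_udp_sendrecv_generic_node(vmware_host_t)
 corenet_raw_sendrecv_generic_node(vmware_host_t)
 corenet_tcp_sendrecv_all_ports(vmware_host_t)
-corenet_udp_sendrecv_all_ports(vmware_host_t)
-corenet_raw_bind_generic_node(vmware_host_t)
-corenet_tcp_bind_generic_node(vmware_host_t)
-corenet_udp_bind_generic_node(vmware_host_t)
-corenet_tcp_connect_all_ports(vmware_host_t)
+
 corenet_sendrecv_all_client_packets(vmware_host_t)
-corenet_sendrecv_all_server_packets(vmware_host_t)
+corenet_tcp_connect_all_ports(vmware_host_t)
 
 corecmd_exec_bin(vmware_host_t)
 corecmd_exec_shell(vmware_host_t)
@@ -184,9 +177,9 @@ optional_policy(`
 xserver_read_xdm_pid(vmware_host_t)
 ')
 
-##############################
+########################################
 #
-# VMWare guest local policy
+# Guest local policy
 #
 
 allow vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio chown };
@@ -202,16 +195,14 @@ allow vmware_t self:sem create_sem_perms;
 allow vmware_t self:msgq create_msgq_perms;
 allow vmware_t self:msg { send receive };
 
-can_exec(vmware_t, vmware_exec_t)
-
-# User configuration files
 allow vmware_t vmware_conf_t:file manage_file_perms;
 
-# VMWare disks
+manage_dirs_pattern(vmware_t, vmware_file_t, vmware_file_t)
 manage_files_pattern(vmware_t, vmware_file_t, vmware_file_t)
 manage_lnk_files_pattern(vmware_t, vmware_file_t, vmware_file_t)
+userdom_user_home_dir_filetrans(vmware_t, vmware_file_t, dir, ".vmware")
+userdom_user_home_dir_filetrans(vmware_t, vmware_file_t, dir, "vmware")
 
-allow vmware_t vmware_tmp_t:file execute;
 manage_dirs_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t)
 manage_files_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t)
 manage_sock_files_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t)
@@ -223,7 +214,6 @@ manage_fifo_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t)
 manage_sock_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t)
 fs_tmpfs_filetrans(vmware_t, vmware_tmpfs_t, { dir file lnk_file sock_file fifo_file })
 
-# Read clobal configuration files
 allow vmware_t vmware_sys_conf_t:dir list_dir_perms;
 read_files_pattern(vmware_t, vmware_sys_conf_t, vmware_sys_conf_t)
 read_lnk_files_pattern(vmware_t, vmware_sys_conf_t, vmware_sys_conf_t)
@@ -234,11 +224,12 @@ manage_lnk_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t)
 manage_sock_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t)
 files_pid_filetrans(vmware_t, vmware_pid_t, { dir file lnk_file })
 
+can_exec(vmware_t, { vmware_tmp_t vmware_exec_t })
+
 kernel_read_system_state(vmware_t)
 kernel_read_network_state(vmware_t)
 kernel_read_kernel_sysctls(vmware_t)
 
-# startup scripts
 corecmd_exec_bin(vmware_t)
 corecmd_exec_shell(vmware_t)
 
@@ -264,19 +255,26 @@ fs_search_auto_mountpoints(vmware_t)
 storage_raw_read_removable_device(vmware_t)
 storage_raw_write_removable_device(vmware_t)
 
-# startup scripts run ldd
 libs_exec_ld_so(vmware_t)
-# Access X11 config files
 libs_read_lib_files(vmware_t)
 
 miscfiles_read_localization(vmware_t)
 
 userdom_use_user_terminals(vmware_t)
 userdom_list_user_home_dirs(vmware_t)
-# cjp: why?
-userdom_read_user_home_content_files(vmware_t)
 
 sysnet_dns_name_resolve(vmware_t)
-sysnet_read_config(vmware_t)
 
 xserver_user_x_domain_template(vmware, vmware_t, vmware_tmpfs_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(vmware_t)
+ fs_manage_nfs_files(vmware_t)
+ fs_manage_nfs_symlinks(vmware_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(vmware_t)
+ fs_manage_cifs_files(vmware_t)
+ fs_manage_cifs_symlinks(vmware_t)
+')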
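Review bot: The added `can_exec(vmware_t, { vmware_tmp_t vmware_exec_t })` in the guest section is broader than the removed `allow vmware_t vmware_tmp_t:file execute;`, because can_exec also lets the domain run the file as a program without a transition. vmware_t may create and modify vmware_tmp_t files itself (the manage_files_pattern rule a few lines earlier) and holds sys_admin, sys_rawio and dac_override, so it can now execute whatever it writes to its temporary directory. If only the previous behaviour was intended, keep the two rules apart as `can_exec(vmware_t, vmware_exec_t)` and `allow vmware_t vmware_tmp_t:file execute;`. Whichever form stays, it needs a comment naming the VMware component that requires executable temporary files, since this commit removes the comments that explained the neighbouring rules.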