* [PATCH] refpolicy: apps_vmware changes
@ 2007-08-02 19:56 dwalsh
2007-08-22 19:55 ` Christopher J. PeBenito
From: dwalsh @ 2007-08-02 19:56 UTC (permalink / raw)
To: cpebenito; +Cc: selinux
Fixes for vmware
--- nsaserefpolicy/policy/modules/apps/vmware.fc 2007-07-03 07:05:43.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/apps/vmware.fc 2007-08-02 11:02:02.000000000 -0400
@@ -23,6 +23,7 @@
/usr/bin/vmware-smbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-smbpasswd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0)
/usr/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0)
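Review bot: the new vmware-vmx entry labels the per-VM monitor vmware_host_exec_t, the type shared with the vmware-smbd/smbpasswd helpers, while /usr/bin/vmware and vmware-wizard on the next two lines stay vmware_exec_t; because the .te hunk below also widens vmware_host_t with execmem and execstack, this one line is what brings the VM process under that domain's setuid and net_raw privileges. A short comment saying why vmx belongs with the host services rather than the front-end domain, and which VMware version ships /usr/bin/vmware-vmx there, would help the next reader.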
--- nsaserefpolicy/policy/modules/apps/vmware.te 2007-07-25 10:37:37.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/apps/vmware.te 2007-08-02 11:02:02.000000000 -0400
@@ -29,7 +29,7 @@
allow vmware_host_t self:capability { setuid net_raw };
dontaudit vmware_host_t self:capability sys_tty_config;
-allow vmware_host_t self:process signal_perms;
+allow vmware_host_t self:process { execstack execmem signal_perms };
allow vmware_host_t self:fifo_file rw_fifo_file_perms;
allow vmware_host_t self:unix_stream_socket create_stream_socket_perms;
allow vmware_host_t self:rawip_socket create_socket_perms;
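Review bot: adding execmem and execstack at +allow vmware_host_t self:process { execstack execmem signal_perms } removes the W^X guarantee for a domain that, two lines up, already holds the setuid and net_raw capabilities and, one line down, opens raw IP sockets, so a memory-safety bug in any vmware_host_exec_t binary becomes code execution with those capabilities; nothing in the hunk records which binary or VMware version needs it. Suggest a comment naming the version and the trigger (the reviewer asks exactly this later in the thread), keeping only whichever of the two permissions is actually denied, and checking whether the offending binary can have its executable-stack flag cleared with execstack -c instead of granting both to the whole domain.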
@@ -56,6 +56,8 @@
corenet_tcp_sendrecv_all_ports(vmware_host_t)
corenet_udp_sendrecv_all_ports(vmware_host_t)
corenet_raw_bind_all_nodes(vmware_host_t)
+corenet_tcp_bind_all_nodes(vmware_host_t)
+corenet_udp_bind_all_nodes(vmware_host_t)
corenet_tcp_connect_all_ports(vmware_host_t)
corenet_sendrecv_all_client_packets(vmware_host_t)
corenet_sendrecv_all_server_packets(vmware_host_t)
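Review bot: corenet_tcp_bind_all_nodes and corenet_udp_bind_all_nodes grant node_bind on every node type, but a listening socket also needs name_bind on the port's type, and no corenet_*_bind_*_port call is added here, so either that rule already exists outside the hunk or the bind was only failing the node check; the hunk gives no way to tell. Suggest a comment naming the service that binds (vmware-smbd, labelled vmware_host_exec_t in the .fc hunk above, is the obvious candidate) and its port, and pairing the node rule with the narrowest matching port interface rather than an all-ports one.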
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: [PATCH] refpolicy: apps_vmware changes
2007-08-02 19:56 [PATCH] refpolicy: apps_vmware changes dwalsh
@ 2007-08-22 19:55 ` Christopher J. PeBenito
2007-08-22 21:36 ` Daniel J Walsh
From: Christopher J. PeBenito @ 2007-08-22 19:55 UTC (permalink / raw)
To: dwalsh; +Cc: selinux
On Thu, 2007-08-02 at 15:56 -0400, dwalsh@redhat.com wrote:
> Fixes for vmware
> --- nsaserefpolicy/policy/modules/apps/vmware.fc 2007-07-03 07:05:43.000000000 -0400
> +++ serefpolicy-3.0.5/policy/modules/apps/vmware.fc 2007-08-02 11:02:02.000000000 -0400
> @@ -23,6 +23,7 @@
> /usr/bin/vmware-smbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
> /usr/bin/vmware-smbpasswd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
> /usr/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
> +/usr/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
> /usr/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0)
> /usr/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0)
>
> --- nsaserefpolicy/policy/modules/apps/vmware.te 2007-07-25 10:37:37.000000000 -0400
> +++ serefpolicy-3.0.5/policy/modules/apps/vmware.te 2007-08-02 11:02:02.000000000 -0400
> @@ -29,7 +29,7 @@
>
> allow vmware_host_t self:capability { setuid net_raw };
> dontaudit vmware_host_t self:capability sys_tty_config;
> -allow vmware_host_t self:process signal_perms;
> +allow vmware_host_t self:process { execstack execmem signal_perms };
> allow vmware_host_t self:fifo_file rw_fifo_file_perms;
> allow vmware_host_t self:unix_stream_socket create_stream_socket_perms;
> allow vmware_host_t self:rawip_socket create_socket_perms;
Which version of vmware requires this? Other parts merged.
> @@ -56,6 +56,8 @@
> corenet_tcp_sendrecv_all_ports(vmware_host_t)
> corenet_udp_sendrecv_all_ports(vmware_host_t)
> corenet_raw_bind_all_nodes(vmware_host_t)
> +corenet_tcp_bind_all_nodes(vmware_host_t)
> +corenet_udp_bind_all_nodes(vmware_host_t)
> corenet_tcp_connect_all_ports(vmware_host_t)
> corenet_sendrecv_all_client_packets(vmware_host_t)
> corenet_sendrecv_all_server_packets(vmware_host_t)
>
>
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: [PATCH] refpolicy: apps_vmware changes
2007-08-22 19:55 ` Christopher J. PeBenito
@ 2007-08-22 21:36 ` Daniel J Walsh
2007-08-23 0:52 ` Tom London
From: Daniel J Walsh @ 2007-08-22 21:36 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: selinux, Tom London
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Christopher J. PeBenito wrote:
> On Thu, 2007-08-02 at 15:56 -0400, dwalsh@redhat.com wrote:
>> Fixes for vmware
>> --- nsaserefpolicy/policy/modules/apps/vmware.fc 2007-07-03 07:05:43.000000000 -0400
>> +++ serefpolicy-3.0.5/policy/modules/apps/vmware.fc 2007-08-02 11:02:02.000000000 -0400
>> @@ -23,6 +23,7 @@
>> /usr/bin/vmware-smbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
>> /usr/bin/vmware-smbpasswd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
>> /usr/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
>> +/usr/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
>> /usr/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0)
>> /usr/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0)
>>
>> --- nsaserefpolicy/policy/modules/apps/vmware.te 2007-07-25 10:37:37.000000000 -0400
>> +++ serefpolicy-3.0.5/policy/modules/apps/vmware.te 2007-08-02 11:02:02.000000000 -0400
>> @@ -29,7 +29,7 @@
>>
>> allow vmware_host_t self:capability { setuid net_raw };
>> dontaudit vmware_host_t self:capability sys_tty_config;
>> -allow vmware_host_t self:process signal_perms;
>> +allow vmware_host_t self:process { execstack execmem signal_perms };
>> allow vmware_host_t self:fifo_file rw_fifo_file_perms;
>> allow vmware_host_t self:unix_stream_socket create_stream_socket_perms;
>> allow vmware_host_t self:rawip_socket create_socket_perms;
>
> Which version of vmware requires this? Other parts merged.
>
>> @@ -56,6 +56,8 @@
>> corenet_tcp_sendrecv_all_ports(vmware_host_t)
>> corenet_udp_sendrecv_all_ports(vmware_host_t)
>> corenet_raw_bind_all_nodes(vmware_host_t)
>> +corenet_tcp_bind_all_nodes(vmware_host_t)
>> +corenet_udp_bind_all_nodes(vmware_host_t)
>> corenet_tcp_connect_all_ports(vmware_host_t)
>> corenet_sendrecv_all_client_packets(vmware_host_t)
>> corenet_sendrecv_all_server_packets(vmware_host_t)
>>
>>
I think these came from Tom?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFGzKxKrlYvE4MpobMRAlW3AJ9PiuuwwMdoD074Sr8iQ5zgqcNUjACcDNmv
Pe0RvYxFAOqr7GVNah0hWPI=
=nEA0
-----END PGP SIGNATURE-----
* Re: [PATCH] refpolicy: apps_vmware changes
2007-08-22 21:36 ` Daniel J Walsh
@ 2007-08-23 0:52 ` Tom London
2007-08-23 17:41 ` Christopher J. PeBenito
From: Tom London @ 2007-08-23 0:52 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Christopher J. PeBenito, selinux
On 8/22/07, Daniel J Walsh <dwalsh@redhat.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Christopher J. PeBenito wrote:
> > On Thu, 2007-08-02 at 15:56 -0400, dwalsh@redhat.com wrote:
> >> Fixes for vmware
> >> --- nsaserefpolicy/policy/modules/apps/vmware.fc 2007-07-03 07:05:43.000000000 -0400
> >> +++ serefpolicy-3.0.5/policy/modules/apps/vmware.fc 2007-08-02 11:02:02.000000000 -0400
> >> @@ -23,6 +23,7 @@
> >> /usr/bin/vmware-smbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
> >> /usr/bin/vmware-smbpasswd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
> >> /usr/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
> >> +/usr/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
> >> /usr/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0)
> >> /usr/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0)
> >>
> >> --- nsaserefpolicy/policy/modules/apps/vmware.te 2007-07-25 10:37:37.000000000 -0400
> >> +++ serefpolicy-3.0.5/policy/modules/apps/vmware.te 2007-08-02 11:02:02.000000000 -0400
> >> @@ -29,7 +29,7 @@
> >>
> >> allow vmware_host_t self:capability { setuid net_raw };
> >> dontaudit vmware_host_t self:capability sys_tty_config;
> >> -allow vmware_host_t self:process signal_perms;
> >> +allow vmware_host_t self:process { execstack execmem signal_perms };
> >> allow vmware_host_t self:fifo_file rw_fifo_file_perms;
> >> allow vmware_host_t self:unix_stream_socket create_stream_socket_perms;
> >> allow vmware_host_t self:rawip_socket create_socket_perms;
> >
> > Which version of vmware requires this? Other parts merged.
> >
> >> @@ -56,6 +56,8 @@
> >> corenet_tcp_sendrecv_all_ports(vmware_host_t)
> >> corenet_udp_sendrecv_all_ports(vmware_host_t)
> >> corenet_raw_bind_all_nodes(vmware_host_t)
> >> +corenet_tcp_bind_all_nodes(vmware_host_t)
> >> +corenet_udp_bind_all_nodes(vmware_host_t)
> >> corenet_tcp_connect_all_ports(vmware_host_t)
> >> corenet_sendrecv_all_client_packets(vmware_host_t)
> >> corenet_sendrecv_all_server_packets(vmware_host_t)
> >>
> >>
> I think these came from Tom?
I'm running VMWare Workstation 6.0.
Need me to recreate?
tom
--
Tom London
* Re: [PATCH] refpolicy: apps_vmware changes
2007-08-23 0:52 ` Tom London
@ 2007-08-23 17:41 ` Christopher J. PeBenito
2007-08-24 17:33 ` Tom London
From: Christopher J. PeBenito @ 2007-08-23 17:41 UTC (permalink / raw)
To: Tom London; +Cc: Daniel J Walsh, selinux
On Wed, 2007-08-22 at 17:52 -0700, Tom London wrote:
> On 8/22/07, Daniel J Walsh <dwalsh@redhat.com> wrote:
> > Christopher J. PeBenito wrote:
> > > On Thu, 2007-08-02 at 15:56 -0400, dwalsh@redhat.com wrote:
> > >> Fixes for vmware
> > >> @@ -29,7 +29,7 @@
> > >>
> > >> allow vmware_host_t self:capability { setuid net_raw };
> > >> dontaudit vmware_host_t self:capability sys_tty_config;
> > >> -allow vmware_host_t self:process signal_perms;
> > >> +allow vmware_host_t self:process { execstack execmem signal_perms };
> > >> allow vmware_host_t self:fifo_file rw_fifo_file_perms;
> > >> allow vmware_host_t self:unix_stream_socket create_stream_socket_perms;
> > >> allow vmware_host_t self:rawip_socket create_socket_perms;
> > >
> > > Which version of vmware requires this? Other parts merged.
> > >>
> > I think these came from Tom?
>
> I'm running VMWare Workstation 6.0.
>
> Need me to recreate?
Mainly I want to write a comment in the policy since previous
workstation versions didn't need it. However, if there has been a
vmware update since you hit this, it would be good to verify the rules
are still required.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: [PATCH] refpolicy: apps_vmware changes
2007-08-23 17:41 ` Christopher J. PeBenito
@ 2007-08-24 17:33 ` Tom London
2007-08-27 13:17 ` Christopher J. PeBenito
From: Tom London @ 2007-08-24 17:33 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: Daniel J Walsh, selinux
On 8/23/07, Christopher J. PeBenito <cpebenito@tresys.com> wrote:
> On Wed, 2007-08-22 at 17:52 -0700, Tom London wrote:
> > On 8/22/07, Daniel J Walsh <dwalsh@redhat.com> wrote:
> > > Christopher J. PeBenito wrote:
> > > > On Thu, 2007-08-02 at 15:56 -0400, dwalsh@redhat.com wrote:
> > > >> Fixes for vmware
>
> > > >> @@ -29,7 +29,7 @@
> > > >>
> > > >> allow vmware_host_t self:capability { setuid net_raw };
> > > >> dontaudit vmware_host_t self:capability sys_tty_config;
> > > >> -allow vmware_host_t self:process signal_perms;
> > > >> +allow vmware_host_t self:process { execstack execmem signal_perms };
> > > >> allow vmware_host_t self:fifo_file rw_fifo_file_perms;
> > > >> allow vmware_host_t self:unix_stream_socket create_stream_socket_perms;
> > > >> allow vmware_host_t self:rawip_socket create_socket_perms;
> > > >
> > > > Which version of vmware requires this? Other parts merged.
> > > >>
> > > I think these came from Tom?
> >
> > I'm running VMWare Workstation 6.0.
> >
> > Need me to recreate?
>
> Mainly I want to write a comment in the policy since previous
> workstation versions didn't need it. However, if if there has been a
> vmware update since you hit this, it would be good to verify the rules
> are still required.
>
OK, I 'tested' by doing the following:
1. removed vmware.pp via 'semodule -r vmware'
2. go into permissive mode ('setenforce 0')
3. 'configure VMware' via 'vmware-config.pl -d' (this creates the
kernel modules and starts the service similarly to 'service vmware
start')
4. started up a vmware machine via 'vmware', shutdown the vm
5. shut down vmware via 'service vmware stop'
The service start/stop are similar to what happens during boot/shutdown.
I attach the audit.log file with the collected AVCs. Included are
some AVCs from current Rawhide libtheora.
The only thing I did not collect were AVCs from rebooting when init
would be starting the service.
This good?
tom
--
Tom London
[-- Attachment #2: log.txt --]
[-- Type: text/plain, Size: 19863 bytes --]
type=DAEMON_START msg=audit(1187973389.951:3553): auditd start, ver=1.5.6, format=raw, auid=4294967295 pid=2340 res=success, auditd pid=2340
type=CONFIG_CHANGE msg=audit(1187973390.051:5): audit_enabled=1 old=0 by auid=4294967295 subj=system_u:system_r:auditd_t:s0 res=1
type=CONFIG_CHANGE msg=audit(1187973390.051:6): audit_enabled=1 old=0 by auid=4294967295 res=1
type=CONFIG_CHANGE msg=audit(1187973390.130:7): audit_backlog_limit=320 old=64 by auid=4294967295 subj=system_u:system_r:auditctl_t:s0 res=1
type=CONFIG_CHANGE msg=audit(1187973390.130:8): audit_backlog_limit=320 old=64 by auid=4294967295 res=1
type=LABEL_LEVEL_CHANGE msg=audit(1187973420.085:9): user pid=2561 uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='printer=HP4250 uri=hp:/net/hp_LaserJet_4250?ip=10.10.2.42 banners=none,none range=unknown: exe="/usr/sbin/cupsd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=? res=success)'
type=LABEL_LEVEL_CHANGE msg=audit(1187973420.233:10): user pid=2561 uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='printer=HP5MP uri=hp:/par/HP_LaserJet_5MP?device=/dev/parport0 banners=none,none range=unknown: exe="/usr/sbin/cupsd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=? res=success)'
type=LABEL_LEVEL_CHANGE msg=audit(1187973420.255:11): user pid=2561 uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='printer=hp_laserjet_1300 uri=hp:/usb/hp_LaserJet_1300?serial=00CNCB954325 banners=none,none range=unknown: exe="/usr/sbin/cupsd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=? res=success)'
type=LABEL_LEVEL_CHANGE msg=audit(1187973420.285:12): user pid=2561 uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='printer=hp_LaserJet_1300_USB_1 uri=usb://HP/LaserJet%201300 banners=none,none range=unknown: exe="/usr/sbin/cupsd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=? res=success)'
type=LABEL_LEVEL_CHANGE msg=audit(1187973420.336:13): user pid=2561 uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='printer=SavinColor uri=ipp://10.10.3.47/ipp/ banners=none,none range=unknown: exe="/usr/sbin/cupsd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=? res=success)'
type=LABEL_LEVEL_CHANGE msg=audit(1187973420.383:14): user pid=2561 uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='printer=Innopath uri=file:/dev/null banners=none,none range=unknown: exe="/usr/sbin/cupsd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=? res=success)'
type=LABEL_LEVEL_CHANGE msg=audit(1187973420.384:15): user pid=2561 uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='printer=Local uri=file:/dev/null banners=none,none range=unknown: exe="/usr/sbin/cupsd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=? res=success)'
type=USER_AUTH msg=audit(1187973470.669:16): user pid=3069 uid=0 auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct=tbl exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
type=USER_ACCT msg=audit(1187973470.686:17): user pid=3069 uid=0 auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct=tbl exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
type=CRED_ACQ msg=audit(1187973470.688:18): user pid=3069 uid=0 auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct=tbl exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
type=LOGIN msg=audit(1187973470.692:19): login pid=3069 uid=0 old auid=4294967295 new auid=500
type=USER_START msg=audit(1187973470.726:20): user pid=3069 uid=0 auid=500 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct=tbl exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
type=USER_LOGIN msg=audit(1187973470.728:21): user pid=3069 uid=0 auid=500 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='uid=500: exe="/usr/sbin/gdm-binary" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=:0 res=success)'
type=AVC msg=audit(1187973489.720:22): avc: denied { execmod } for pid=3315 comm="gnome-power-man" path="/usr/lib/libtheora.so.0.2.0" dev=dm-0 ino=5474587 scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1187973489.720:22): arch=40000003 syscall=125 success=no exit=-13 a0=e4c000 a1=48000 a2=5 a3=bfe56d40 items=0 ppid=3301 pid=3315 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="gnome-power-man" exe="/usr/bin/gnome-power-manager" subj=system_u:system_r:unconfined_t:s0 key=(null)
type=AVC msg=audit(1187973489.724:23): avc: denied { execmod } for pid=3308 comm="gnome-settings-" path="/usr/lib/libtheora.so.0.2.0" dev=dm-0 ino=5474587 scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1187973489.724:24): avc: denied { execmod } for pid=3307 comm="rhythmbox" path="/usr/lib/libtheora.so.0.2.0" dev=dm-0 ino=5474587 scontext=system_u:system_r:unconfined_execmem_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1187973489.724:23): arch=40000003 syscall=125 success=no exit=-13 a0=eae000 a1=48000 a2=5 a3=bfed7a80 items=0 ppid=3260 pid=3308 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="gnome-settings-" exe="/usr/libexec/gnome-settings-daemon" subj=system_u:system_r:unconfined_t:s0 key=(null)
type=SYSCALL msg=audit(1187973489.724:24): arch=40000003 syscall=125 success=no exit=-13 a0=4b17000 a1=48000 a2=5 a3=bf882260 items=0 ppid=3282 pid=3307 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="rhythmbox" exe="/usr/bin/rhythmbox" subj=system_u:system_r:unconfined_execmem_t:s0 key=(null)
type=AVC msg=audit(1187973503.947:25): avc: denied { execmod } for pid=3414 comm="pidgin" path="/usr/lib/libtheora.so.0.2.0" dev=dm-0 ino=5474587 scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1187973503.947:25): arch=40000003 syscall=125 success=no exit=-13 a0=12b7000 a1=48000 a2=5 a3=bfc652d0 items=0 ppid=3279 pid=3414 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="pidgin" exe="/usr/bin/pidgin" subj=system_u:system_r:unconfined_t:s0 key=(null)
type=AVC msg=audit(1187973518.379:26): avc: denied { execmod } for pid=3532 comm="mixer_applet2" path="/usr/lib/libtheora.so.0.2.0" dev=dm-0 ino=5474587 scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1187973518.379:26): arch=40000003 syscall=125 success=no exit=-13 a0=e87000 a1=48000 a2=5 a3=bff7f880 items=0 ppid=3520 pid=3532 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="mixer_applet2" exe="/usr/libexec/mixer_applet2" subj=system_u:system_r:unconfined_t:s0 key=(null)
type=USER_AUTH msg=audit(1187973887.857:27): user pid=3790 uid=500 auid=500 subj=system_u:system_r:unconfined_t:s0 msg='op=PAM:authentication acct=root exe="/usr/sbin/userhelper" (hostname=?, addr=?, terminal=? res=failed)'
type=USER_ACCT msg=audit(1187974861.947:28): user pid=4345 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct=root exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=USER_AUTH msg=audit(1187974913.152:29): user pid=4376 uid=500 auid=500 subj=system_u:system_r:unconfined_t:s0 msg='op=PAM:authentication acct=root exe="/bin/su" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=USER_ACCT msg=audit(1187974913.153:30): user pid=4376 uid=500 auid=500 subj=system_u:system_r:unconfined_t:s0 msg='op=PAM:accounting acct=root exe="/bin/su" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=USER_START msg=audit(1187974913.310:31): user pid=4376 uid=500 auid=500 subj=system_u:system_r:unconfined_t:s0 msg='op=PAM:session_open acct=root exe="/bin/su" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=CRED_ACQ msg=audit(1187974913.311:32): user pid=4376 uid=500 auid=500 subj=system_u:system_r:unconfined_t:s0 msg='op=PAM:setcred acct=root exe="/bin/su" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=MAC_STATUS msg=audit(1187975470.695:33): enforcing=0 old_enforcing=1 auid=500
type=SYSCALL msg=audit(1187975470.695:33): arch=40000003 syscall=4 success=yes exit=1 a0=3 a1=bf990be4 a2=1 a3=bf990be4 items=0 ppid=4382 pid=4723 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="setenforce" exe="/usr/sbin/setenforce" subj=system_u:system_r:unconfined_t:s0 key=(null)
type=MAC_POLICY_LOAD msg=audit(1187975493.609:34): policy loaded auid=500
type=SYSCALL msg=audit(1187975493.609:34): arch=40000003 syscall=4 success=yes exit=3711000 a0=4 a1=b7c34000 a2=38a018 a3=bfe22328 items=0 ppid=4727 pid=4738 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="load_policy" exe="/usr/sbin/load_policy" subj=system_u:system_r:load_policy_t:s0 key=(null)
type=MAC_POLICY_LOAD msg=audit(1187975655.739:35): policy loaded auid=500
type=SYSCALL msg=audit(1187975655.739:35): arch=40000003 syscall=4 success=yes exit=3658783 a0=4 a1=b7b6d000 a2=37d41f a3=bfb2bc68 items=0 ppid=4819 pid=4826 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="load_policy" exe="/usr/sbin/load_policy" subj=system_u:system_r:load_policy_t:s0 key=(null)
type=USER_AUTH msg=audit(1187975675.001:36): user pid=4839 uid=500 auid=500 subj=system_u:system_r:unconfined_t:s0 msg='op=PAM:authentication acct=root exe="/bin/su" (hostname=?, addr=?, terminal=pts/1 res=success)'
type=USER_ACCT msg=audit(1187975675.002:37): user pid=4839 uid=500 auid=500 subj=system_u:system_r:unconfined_t:s0 msg='op=PAM:accounting acct=root exe="/bin/su" (hostname=?, addr=?, terminal=pts/1 res=success)'
type=USER_START msg=audit(1187975675.034:38): user pid=4839 uid=500 auid=500 subj=system_u:system_r:unconfined_t:s0 msg='op=PAM:session_open acct=root exe="/bin/su" (hostname=?, addr=?, terminal=pts/1 res=success)'
type=CRED_ACQ msg=audit(1187975675.034:39): user pid=4839 uid=500 auid=500 subj=system_u:system_r:unconfined_t:s0 msg='op=PAM:setcred acct=root exe="/bin/su" (hostname=?, addr=?, terminal=pts/1 res=success)'
type=AVC msg=audit(1187975697.126:40): avc: denied { execstack } for pid=4909 comm="ld-linux.so.2" scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1187975697.126:40): avc: denied { execmem } for pid=4909 comm="ld-linux.so.2" scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1187975697.126:40): arch=40000003 syscall=125 success=yes exit=0 a0=bffbb000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=4907 pid=4909 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="ld-linux.so.2" exe="/lib/ld-2.6.90.so" subj=system_u:system_r:unconfined_t:s0 key=(null)
type=AVC msg=audit(1187975719.732:41): avc: denied { unmount } for pid=4964 comm="umount" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1187975719.732:41): arch=40000003 syscall=22 success=yes exit=0 a0=b8bca218 a1=bf80067c a2=b7f96180 a3=b8bca219 items=0 ppid=4960 pid=4964 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="umount" exe="/bin/umount" subj=system_u:system_r:mount_t:s0 key=(null)
type=AVC msg=audit(1187975732.890:42): avc: denied { search } for pid=2541 comm="vmnet-natd" name="/" dev=dm-0 ino=2 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
type=AVC msg=audit(1187975732.890:42): avc: denied { search } for pid=2541 comm="vmnet-natd" name="var" dev=dm-0 ino=65537 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1187975732.890:42): avc: denied { search } for pid=2541 comm="vmnet-natd" name="run" dev=dm-0 ino=65576 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1187975732.890:42): avc: denied { write } for pid=2541 comm="vmnet-natd" name="run" dev=dm-0 ino=65576 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1187975732.890:42): avc: denied { remove_name } for pid=2541 comm="vmnet-natd" name="vmnet-natd-8.pid" dev=dm-0 ino=65971 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1187975732.890:42): avc: denied { unlink } for pid=2541 comm="vmnet-natd" name="vmnet-natd-8.pid" dev=dm-0 ino=65971 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=SYSCALL msg=audit(1187975732.890:42): arch=40000003 syscall=10 per=400000 success=yes exit=0 a0=bf9e3e8d a1=f a2=f a3=3 items=0 ppid=1 pid=2541 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="vmnet-natd" exe="/usr/bin/vmnet-natd" subj=system_u:object_r:unlabeled_t:s0 key=(null)
type=AVC msg=audit(1187975732.891:43): avc: denied { unlink } for pid=2541 comm="vmnet-natd" name="vmnat.2541" dev=dm-0 ino=65975 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1187975732.891:43): arch=40000003 syscall=10 per=400000 success=yes exit=0 a0=8beb1a0 a1=0 a2=8beb1d0 a3=8beb1d0 items=0 ppid=1 pid=2541 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="vmnet-natd" exe="/usr/bin/vmnet-natd" subj=system_u:object_r:unlabeled_t:s0 key=(null)
type=AVC msg=audit(1187975732.891:44): avc: denied { signal } for pid=2541 comm="vmnet-natd" scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process
type=SYSCALL msg=audit(1187975732.891:44): arch=40000003 syscall=37 per=400000 success=yes exit=0 a0=0 a1=f a2=f a3=3 items=0 ppid=1 pid=2541 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="vmnet-natd" exe="/usr/bin/vmnet-natd" subj=system_u:object_r:unlabeled_t:s0 key=(null)
type=AVC msg=audit(1187975732.891:45): avc: denied { write } for pid=2541 comm="vmnet-natd" path="/dev/null" dev=tmpfs ino=229 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:null_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1187975732.891:45): arch=40000003 syscall=4 per=400000 success=yes exit=236 a0=1 a1=111000 a2=ec a3=ec items=0 ppid=1 pid=2541 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="vmnet-natd" exe="/usr/bin/vmnet-natd" subj=system_u:object_r:unlabeled_t:s0 key=(null)
type=AVC msg=audit(1187975775.527:46): avc: denied { execstack } for pid=5222 comm="ld-linux.so.2" scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1187975775.527:46): avc: denied { execmem } for pid=5222 comm="ld-linux.so.2" scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1187975775.527:46): arch=40000003 syscall=125 success=yes exit=0 a0=bfcaf000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=5220 pid=5222 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="ld-linux.so.2" exe="/lib/ld-2.6.90.so" subj=system_u:system_r:unconfined_t:s0 key=(null)
type=AVC msg=audit(1187975826.109:47): avc: denied { associate } for pid=4888 comm="vmware-config.p" name="dhcpd.conf" scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1187975826.109:47): arch=40000003 syscall=5 success=yes exit=5 a0=85e12e0 a1=8241 a2=1b6 a3=8241 items=0 ppid=4842 pid=4888 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vmware-config.p" exe="/usr/bin/perl" subj=system_u:system_r:unconfined_t:s0 key=(null)
type=AVC msg=audit(1187975864.204:48): avc: denied { mount } for pid=6349 comm="mount" name="/" dev=vmblock ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1187975864.204:48): arch=40000003 syscall=21 success=yes exit=0 a0=b94e6070 a1=b94e6080 a2=b94e60a0 a3=c0ed0000 items=0 ppid=6336 pid=6349 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null)
type=CRED_DISP msg=audit(1187975918.148:49): user pid=4839 uid=500 auid=500 subj=system_u:system_r:unconfined_t:s0 msg='op=PAM:setcred acct=root exe="/bin/su" (hostname=?, addr=?, terminal=pts/1 res=success)'
type=USER_END msg=audit(1187975918.153:50): user pid=4839 uid=500 auid=500 subj=system_u:system_r:unconfined_t:s0 msg='op=PAM:session_close acct=root exe="/bin/su" (hostname=?, addr=?, terminal=pts/1 res=success)'
type=AVC msg=audit(1187975934.439:51): avc: denied { execstack } for pid=6714 comm="ld-linux.so.2" scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1187975934.439:51): avc: denied { execmem } for pid=6714 comm="ld-linux.so.2" scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1187975934.439:51): arch=40000003 syscall=125 success=yes exit=0 a0=bfd60000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=6712 pid=6714 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="ld-linux.so.2" exe="/lib/ld-2.6.90.so" subj=system_u:system_r:unconfined_t:s0 key=(null)
type=AVC msg=audit(1187975940.450:52): avc: denied { associate } for pid=6737 comm="vmware" name="favorites.vmls.lck" scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1187975940.450:52): arch=40000003 syscall=39 per=400000 success=yes exit=0 a0=9261960 a1=1ff a2=0 a3=9261960 items=0 ppid=6705 pid=6737 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="vmware" exe="/usr/lib/vmware/bin/vmware" subj=system_u:system_r:unconfined_t:s0 key=(null)
type=USER_AUTH msg=audit(1187976242.333:53): user pid=6972 uid=500 auid=500 subj=system_u:system_r:unconfined_t:s0 msg='op=PAM:authentication acct=root exe="/bin/su" (hostname=?, addr=?, terminal=pts/1 res=success)'
type=USER_ACCT msg=audit(1187976242.334:54): user pid=6972 uid=500 auid=500 subj=system_u:system_r:unconfined_t:s0 msg='op=PAM:accounting acct=root exe="/bin/su" (hostname=?, addr=?, terminal=pts/1 res=success)'
type=USER_START msg=audit(1187976243.394:55): user pid=6972 uid=500 auid=500 subj=system_u:system_r:unconfined_t:s0 msg='op=PAM:session_open acct=root exe="/bin/su" (hostname=?, addr=?, terminal=pts/1 res=success)'
type=CRED_ACQ msg=audit(1187976243.415:56): user pid=6972 uid=500 auid=500 subj=system_u:system_r:unconfined_t:s0 msg='op=PAM:setcred acct=root exe="/bin/su" (hostname=?, addr=?, terminal=pts/1 res=success)'
type=AVC msg=audit(1187976272.823:57): avc: denied { unmount } for pid=7081 comm="umount" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1187976272.823:57): arch=40000003 syscall=22 success=yes exit=0 a0=b8704218 a1=bf9c044c a2=b7f57180 a3=b8704219 items=0 ppid=7080 pid=7081 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="umount" exe="/bin/umount" subj=system_u:system_r:mount_t:s0 key=(null)
* Re: [PATCH] refpolicy: apps_vmware changes
2007-08-24 17:33 ` Tom London
@ 2007-08-27 13:17 ` Christopher J. PeBenito
From: Christopher J. PeBenito @ 2007-08-27 13:17 UTC
To: Tom London; +Cc: Daniel J Walsh, selinux
On Fri, 2007-08-24 at 10:33 -0700, Tom London wrote:
> On 8/23/07, Christopher J. PeBenito <cpebenito@tresys.com> wrote:
> > On Wed, 2007-08-22 at 17:52 -0700, Tom London wrote:
> > > On 8/22/07, Daniel J Walsh <dwalsh@redhat.com> wrote:
> > > > Christopher J. PeBenito wrote:
> > > > > On Thu, 2007-08-02 at 15:56 -0400, dwalsh@redhat.com wrote:
> > > > >> Fixes for vmware
> >
> > > > >> @@ -29,7 +29,7 @@
> > > > >>
> > > > >> allow vmware_host_t self:capability { setuid net_raw };
> > > > >> dontaudit vmware_host_t self:capability sys_tty_config;
> > > > >> -allow vmware_host_t self:process signal_perms;
> > > > >> +allow vmware_host_t self:process { execstack execmem signal_perms };
> > > > >> allow vmware_host_t self:fifo_file rw_fifo_file_perms;
> > > > >> allow vmware_host_t self:unix_stream_socket create_stream_socket_perms;
> > > > >> allow vmware_host_t self:rawip_socket create_socket_perms;
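Review bot: the `+allow vmware_host_t self:process { execstack execmem signal_perms };` line relaxes W^X for the whole vmware_host_t domain, and nothing in the thread yet ties that need to vmware_host_t specifically: the attached audit records show the execstack and execmem denials for comm="ld-linux.so.2" with scontext=system_u:system_r:unconfined_t:s0, and they were collected with the vmware module removed and the system in permissive mode, so they cannot show whether the loader would have been running in vmware_host_t or vmware_t. Before merging, confirm the two denials with the module loaded so that the source context is a vmware domain, and add the comment Chris asked for naming the version that needs it (Workstation 6.0 according to Tom), since earlier versions did not; if it turns out to be version-specific, gating the two permissions in a tunable_policy block rather than granting them unconditionally would keep the default policy tighter.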
> > > > >
> > > > > Which version of vmware requires this? Other parts merged.
> > > > >>
> > > > I think these came from Tom?
> > >
> > > I'm running VMWare Workstation 6.0.
> > >
> > > Need me to recreate?
> >
> > Mainly I want to write a comment in the policy since previous
> > workstation versions didn't need it. However, if there has been a
> > vmware update since you hit this, it would be good to verify the rules
> > are still required.
> >
> OK, I 'tested' by doing the following:
> 1. removed vmware.pp via 'semodule -r vmware'
> 2. go into permissive mode ('setenforce 0')
> 3. 'configure VMware' via 'vmware-config.pl -d' (this creates the
> kernel modules and starts the service similarly to 'service vmware
> start')
> 4. started up a vmware machine via 'vmware', shutdown the vm
> 5. shut down vmware via 'service vmware stop'
>
> The service start/stop are similar to what happens during boot/shutdown.
>
> I attach the audit.log file with the collected AVCs. Included are
> some AVCs from current Rawhide libtheora.
>
> The only thing I did not collect were AVCs from rebooting when init
> would be starting the service.
>
> This good?
Well I was just concerned about the execmem and execstack, so yes, this
is more than enough.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
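The loop the thread describes (collect AVCs in permissive mode, then decide which rules are really required and which ones deserve a second look) is easy by hand on a short log and error-prone on a long one. The following Python example is added here and is not code from the thread or from refpolicy; it groups AVC denials by source type, target type and object class, renders them as candidate allow rules, and flags execmem, execstack and execheap denials for review. The sample records are constructed in audit.log format and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log format (modelled on, not copied from, the attached log); the SYSCALL record is there to show that non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1187975934.439:51): avc: denied { execstack } for pid=6714 comm="ld-linux.so.2" scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1187975934.439:51): avc: denied { execmem } for pid=6714 comm="ld-linux.so.2" scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1187975934.439:51): arch=40000003 syscall=125 success=yes exit=0 comm="ld-linux.so.2" subj=system_u:system_r:unconfined_t:s0 key=(null)
type=AVC msg=audit(1187975864.204:48): avc: denied { mount } for pid=6349 comm="mount" name="/" dev=vmblock ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem
type=AVC msg=audit(1187975940.450:52): avc: denied { associate } for pid=6737 comm="vmware" name="favorites.vmls.lck" scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
"""

PERM_RE = re.compile(r'denied +\{ *([^}]*?) *\}')   # "{ execstack }" -> "execstack"
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value and key="quoted value"
WX_RELAXING = {'execmem', 'execstack', 'execheap'}  # process permissions that relax W^X

def type_of(context):  # user:role:type:level -> type
    return context.split(':')[2] if context.count(':') >= 2 else context

def parse_avc(line):
    """Parse one 'type=AVC ... avc: denied' record into a dict; return None for any other record."""
    m = PERM_RE.search(line) if line.startswith('type=AVC') else None
    if m is None:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return {'perms': m.group(1).split(), 'comm': kv.get('comm', '?'), 'tclass': kv.get('tclass', '?'),
            'scontext': kv.get('scontext', '?'), 'tcontext': kv.get('tcontext', '?')}

def summarize(log_text):
    """Group denied perms by (source type, target type, class); flag W^X relaxations as (comm, source type, perm)."""
    needed, flagged = defaultdict(set), []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
        needed[key].update(rec['perms'])
        if rec['tclass'] == 'process':
            flagged.extend((rec['comm'], key[0], p) for p in rec['perms'] if p in WX_RELAXING)
    return dict(needed), flagged

def as_allow_rules(needed):
    """Render grouped denials as candidate allow rules for human review; never load them unreviewed."""
    return [f"allow {src} {'self' if src == tgt else tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(needed.items())]

if __name__ == '__main__':
    needed, flagged = summarize(SAMPLE_AUDIT_LOG)
    print('\n'.join(as_allow_rules(needed) + [f"review: {c} as {s} was denied {p}" for c, s, p in flagged]))
```

On the thread's own log the flagged entries come out with source type unconfined_t, which is exactly the gap a reviewer would want closed before the permissions are granted to vmware_host_t.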