* Fedora diffs for vmware policy
@ 2008-06-11 18:26 Daniel J Walsh
From: Daniel J Walsh @ 2008-06-11 18:26 UTC (permalink / raw)
To: Christopher J. PeBenito, SE Linux
[-- Attachment #1: Type: text/plain, Size: 337 bytes --]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Multiple file context changes.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkhQGLwACgkQrlYvE4MpobP/xwCg0i2aq0oXn42XynW+q3eX0eKl
iNYAnjJHi2LM+jGN1re/um7AGpISUKV6
=586L
-----END PGP SIGNATURE-----
[-- Attachment #2: apps_vmware.patch --]
[-- Type: text/plain, Size: 7295 bytes --]
Subject: [PATCH] refpolicy: apps_vmware changes
--text follows this line--
--- nsaserefpolicy/policy/modules/apps/vmware.fc 2008-06-11 08:15:43.000000000 -0400
+++ serefpolicy-3.4.2/policy/modules/apps/vmware.fc 2008-06-11 13:24:07.000000000 -0400
@@ -1,9 +1,9 @@
#
# HOME_DIR/
#
-HOME_DIR/\.vmware(/.*)? gen_context(system_u:object_r:ROLE_vmware_file_t,s0)
-HOME_DIR/\.vmware[^/]*/.*\.cfg -- gen_context(system_u:object_r:ROLE_vmware_conf_t,s0)
-HOME_DIR/vmware(/.*)? gen_context(system_u:object_r:ROLE_vmware_file_t,s0)
+HOME_DIR/\.vmware(/.*)? gen_context(system_u:object_r:vmware_home_t,s0)
+HOME_DIR/\.vmware[^/]*/.*\.cfg -- gen_context(system_u:object_r:vmware_home_t,s0)
+HOME_DIR/vmware(/.*)? gen_context(system_u:object_r:vmware_home_t,s0)
#
# /etc
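Review bot: After this relabel the `HOME_DIR/\.vmware[^/]*/.*\.cfg` entry and the `HOME_DIR/\.vmware(/.*)?` entry above it both resolve to vmware_home_t, so the separate `.cfg` line no longer expresses a distinct type and reads like a leftover from the `ROLE_vmware_conf_t` days. It is not fully redundant, because `[^/]*` also matches sibling directories such as `.vmware<suffix>/`, which the first pattern does not cover. Either keep it with a comment, e.g. `# .cfg files in .vmware* dirs; conf type folded into vmware_home_t`, or drop it if those directory names are not a supported layout.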
@@ -21,19 +21,25 @@
/usr/bin/vmware-nmbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-ping -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-smbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/sbin/vmware-guest.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-smbpasswd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0)
/usr/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/sbin/vmware-serverd -- gen_context(system_u:object_r:vmware_exec_t,s0)
/usr/lib/vmware/config -- gen_context(system_u:object_r:vmware_sys_conf_t,s0)
/usr/lib/vmware/bin/vmware-mks -- gen_context(system_u:object_r:vmware_exec_t,s0)
/usr/lib/vmware/bin/vmware-ui -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib/vmware/bin/vmplayer -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib/vmware/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/lib64/vmware/config -- gen_context(system_u:object_r:vmware_sys_conf_t,s0)
/usr/lib64/vmware/bin/vmware-mks -- gen_context(system_u:object_r:vmware_exec_t,s0)
/usr/lib64/vmware/bin/vmware-ui -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib64/vmware/bin/vmplayer -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib64/vmware/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
ifdef(`distro_gentoo',`
/opt/vmware/(workstation|player)/bin/vmnet-bridge -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
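Review bot: `/usr/sbin/vmware-serverd` is given vmware_exec_t, which the vmware.if hunk below uses as the entry point of the per-role `$1_vmware_t` user domain (`domain_entry_file($1_vmware_t,vmware_exec_t)`), while the other new `/usr/sbin` entry (`vmware-guest.*`) and the `vmware-vmx` copies get vmware_host_exec_t. A binary under /usr/sbin is presumably a system service rather than a user-launched application, and nothing in this patch defines a transition for it from init, so please confirm whether `/usr/sbin/vmware-serverd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)` was intended. Also, the `/usr/sbin/vmware-guest.*` line is inserted between `/usr/bin` entries; grouping the `/usr/sbin` lines together keeps the file scannable.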
@@ -49,3 +55,9 @@
/opt/vmware/(workstation|player)/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0)
/opt/vmware/(workstation|player)/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0)
')
+
+/var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0)
+/var/run/vmnat.* -s gen_context(system_u:object_r:vmware_var_run_t,s0)
+/var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0)
+/usr/lib/vmware-tools/sbin32/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/lib/vmware-tools/sbin64/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
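Review bot: `/var/log/vmware.* --` restricts the vmware_log_t label to regular files, but the vmware.te hunk that adds `logging_log_filetrans(vmware_host_t,vmware_log_t,{ file dir })` lets the host daemon create directories of that type under /var/log, and no fc entry here matches such a directory, so a later relabel would presumably revert it to the generic /var/log label from the logging module. Either drop the qualifier so files and directories both match, `/var/log/vmware.* gen_context(system_u:object_r:vmware_log_t,s0)`, or narrow the filetrans in vmware.te to `file` if directories are not expected. The same fix applies to the vmware.te hunk that introduces the filetrans.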
--- nsaserefpolicy/policy/modules/apps/vmware.if 2008-05-29 15:57:39.000000000 -0400
+++ serefpolicy-3.4.2/policy/modules/apps/vmware.if 2008-06-11 13:23:37.000000000 -0400
@@ -47,11 +47,8 @@
domain_entry_file($1_vmware_t,vmware_exec_t)
role $3 types $1_vmware_t;
- type $1_vmware_conf_t;
- userdom_user_home_content($1,$1_vmware_conf_t)
-
- type $1_vmware_file_t;
- userdom_user_home_content($1,$1_vmware_file_t)
+ typealias vmware_home_t alias $1_vmware_file_t;
+ typealias vmware_home_t alias $1_vmware_conf_t;
type $1_vmware_tmp_t;
files_tmp_file($1_vmware_tmp_t)
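Review bot: The two `typealias` lines collapse every role's formerly separate `$1_vmware_file_t` and `$1_vmware_conf_t` into the single shared vmware_home_t, and the second hunk of this file grants each `$1_vmware_t` instance `manage_files_pattern` on that type, so in MAC terms any role's vmware domain can now manage the VM images and configs of every other role's user, which the per-role types previously prevented. That is consistent with the new `userdom_user_home_content(user,vmware_home_t)` declaration in vmware.te, but it is a deliberate loss of inter-role separation and deserves a comment next to the aliases, e.g. `# compatibility aliases: all roles share vmware_home_t (no per-role separation of VM files)`. The enclosing template starts before this hunk, so I could not check whether vmware_home_t is listed in its gen_require block.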
@@ -84,12 +81,9 @@
can_exec($1_vmware_t, vmware_exec_t)
- # User configuration files
- allow $1_vmware_t $1_vmware_conf_t:file manage_file_perms;
-
# VMWare disks
- manage_files_pattern($1_vmware_t,$1_vmware_file_t,$1_vmware_file_t)
- manage_lnk_files_pattern($1_vmware_t,$1_vmware_file_t,$1_vmware_file_t)
+ manage_files_pattern($1_vmware_t,vmware_home_t,vmware_home_t)
+ manage_lnk_files_pattern($1_vmware_t,vmware_home_t,vmware_home_t)
allow $1_vmware_t $1_vmware_tmp_t:file execute;
manage_dirs_pattern($1_vmware_t,$1_vmware_tmp_t,$1_vmware_tmp_t)
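Review bot: The replacement `manage_files_pattern`/`manage_lnk_files_pattern` lines give `$1_vmware_t` file and symlink access on vmware_home_t only, while the vmware.fc hunk labels whole subtrees (`HOME_DIR/vmware(/.*)?`, `HOME_DIR/\.vmware(/.*)?`), directories included, with that type. Unless a `manage_dirs_pattern($1_vmware_t,vmware_home_t,vmware_home_t)` exists elsewhere in the template (its body continues outside this hunk), the domain cannot create or remove VM directories under those trees; the old code had the same shape, so this may be pre-existing, but the rename is a good moment to add the line. The `# VMWare disks` comment could also note that the configuration files now live in the same type: `# VMWare disks and configs (both vmware_home_t)`.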
@@ -202,3 +196,22 @@
allow $1 vmware_sys_conf_t:file append;
')
+
+########################################
+## <summary>
+## Append to VMWare log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vmware_append_log',`
+ gen_require(`
+ type vmware_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1,vmware_log_t,vmware_log_t)
+')
--- nsaserefpolicy/policy/modules/apps/vmware.te 2008-06-11 08:15:43.000000000 -0400
+++ serefpolicy-3.4.2/policy/modules/apps/vmware.te 2008-06-11 13:25:18.000000000 -0400
@@ -10,6 +10,9 @@
type vmware_exec_t;
corecmd_executable_file(vmware_exec_t)
+type vmware_home_t;
+userdom_user_home_content(user,vmware_home_t)
+
# VMWare host programs
type vmware_host_t;
type vmware_host_exec_t;
@@ -22,17 +25,21 @@
type vmware_var_run_t;
files_pid_file(vmware_var_run_t)
+type vmware_log_t;
+logging_log_file(vmware_log_t)
+
########################################
#
# VMWare host local policy
#
-allow vmware_host_t self:capability { setuid net_raw };
+allow vmware_host_t self:capability { setgid setuid net_raw };
dontaudit vmware_host_t self:capability sys_tty_config;
-allow vmware_host_t self:process signal_perms;
+allow vmware_host_t self:process { execstack execmem signal_perms };
allow vmware_host_t self:fifo_file rw_fifo_file_perms;
allow vmware_host_t self:unix_stream_socket create_stream_socket_perms;
allow vmware_host_t self:rawip_socket create_socket_perms;
+allow vmware_host_t self:tcp_socket create_socket_perms;
# cjp: the ro and rw files should be split up
manage_files_pattern(vmware_host_t,vmware_sys_conf_t,vmware_sys_conf_t)
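Review bot: `execmem` and `execstack` on `vmware_host_t self:process` switch off W^X for the host domain, and `setgid` joins its capability set, with no comment saying which program needs them; these are exactly the permissions that turn a memory-safety bug in the daemon into code execution, so the justification belongs next to the rule. Please add something like `# execmem/execstack: required by the VMware host binaries -- confirm which one and narrow if possible` and a matching note for `setgid`. If only one of the vmware_host_exec_t programs needs executable memory, giving it its own domain would keep the rest of the host policy strict.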
@@ -41,6 +48,11 @@
manage_sock_files_pattern(vmware_host_t,vmware_var_run_t,vmware_var_run_t)
files_pid_filetrans(vmware_host_t,vmware_var_run_t,{ file sock_file })
+manage_files_pattern(vmware_host_t,vmware_log_t,vmware_log_t)
+logging_log_filetrans(vmware_host_t,vmware_log_t,{ file dir })
+
+files_search_home(vmware_host_t)
+
kernel_read_kernel_sysctls(vmware_host_t)
kernel_list_proc(vmware_host_t)
kernel_read_proc_symlinks(vmware_host_t)
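Review bot: `files_search_home(vmware_host_t)` is added without any accompanying access to a home-content type in this hunk, so on its own it only lets the host daemon traverse home directories. If the intent is to reach VM files labelled vmware_home_t (see the vmware.fc hunk), the matching read or manage pattern is missing here; if not, a comment should say why the search is needed, e.g. `# search home dirs (needed for ... -- confirm)`, since an unexplained home-directory grant on a system daemon is the kind of line that gets copied forward without review.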
@@ -63,6 +75,7 @@
corenet_sendrecv_all_server_packets(vmware_host_t)
dev_read_sysfs(vmware_host_t)
+dev_read_urand(vmware_host_t)
dev_rw_vmware(vmware_host_t)
domain_use_interactive_fds(vmware_host_t)
@@ -100,14 +113,12 @@
')
netutils_domtrans_ping(vmware_host_t)
-ifdef(`TODO',`
-# VMWare need access to pcmcia devices for network
optional_policy(`
-allow kernel_t cardmgr_var_lib_t:dir { getattr search };
-allow kernel_t cardmgr_var_lib_t:file { getattr ioctl read };
+ unconfined_domain(vmware_host_t)
')
-# Vmware create network devices
-allow kernel_t self:capability net_admin;
-allow kernel_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
-allow kernel_t self:socket create;
+
+optional_policy(`
+ xserver_xdm_rw_shm(vmware_host_t)
')
+
+
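Review bot: `unconfined_domain(vmware_host_t)` inside `optional_policy` makes the host daemon fully unconfined whenever the unconfined module is loaded, which is likely the default on the Fedora target, and then every finer-grained rule added earlier in vmware.te (the capability set, `execmem`/`execstack`, the tcp_socket, log and home-search rules) has no effect, leaving a policy that reads as confined but is not. If full confinement is not yet achievable, say so where it will be seen, e.g. `# TODO: vmware_host_t runs unconfined until the remaining denials are characterised; the rules above only apply without the unconfined module`, so that nobody relies on the per-domain rules for containment. The two trailing blank `+` lines at the end of the hunk are whitespace noise and should be dropped.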
[-- Attachment #3: apps_vmware.patch.sig --]
[-- Type: application/pgp-signature, Size: 72 bytes --]