53 lines
1.7 KiB
Plaintext
53 lines
1.7 KiB
Plaintext
#DESC VMWare - Virtual machine
|
|
#
|
|
# Domains,types and permissions for running VMWare (the program) and for
|
|
# running a SELinux system in a VMWare session (the VMWare-tools).
|
|
#
|
|
# Based on work contributed by Mark Westerman (mark.westerman@westcam.com),
|
|
# modifications by NAI Labs.
|
|
#
|
|
# Domain is for the VMWare admin programs and daemons.
|
|
# X-Debian-Packages:
|
|
#
|
|
# NOTE: The user vmware domain is provided separately in
|
|
# macros/program/vmware_macros.te
|
|
#
|
|
# Next two domains are create by the daemon_domain() macro.
|
|
# The vmware_t domain is for running VMWare daemons
|
|
# The vmware_exec_t type is for the VMWare daemon and admin programs.
|
|
#
|
|
# quick hack making it privhome, should have a domain for each user in a macro
|
|
daemon_domain(vmware, `, privhome')
|
|
|
|
#
|
|
# The vmware_user_exec_t type is for the user programs.
|
|
#
|
|
type vmware_user_exec_t, file_type, sysadmfile, exec_type;
|
|
|
|
# Type for vmware devices.
|
|
type vmware_device_t, device_type, dev_fs;
|
|
|
|
# The sys configuration used for the /etc/vmware configuration files
|
|
type vmware_sys_conf_t, file_type, sysadmfile;
|
|
|
|
#########################################################################
|
|
# Additional rules to start/stop VMWare
|
|
#
|
|
|
|
# Give init access to VMWare configuration files
|
|
allow initrc_t vmware_sys_conf_t:file { ioctl read append };
|
|
|
|
#
|
|
# Rules added to kernel_t domain for VMWare to start up
|
|
#
|
|
# VMWare need access to pcmcia devices for network
|
|
ifdef(`cardmgr.te', `
|
|
allow kernel_t cardmgr_var_lib_t:dir { getattr search };
|
|
allow kernel_t cardmgr_var_lib_t:file { getattr ioctl read };
|
|
')
|
|
|
|
# Vmware create network devices
|
|
allow kernel_t self:capability net_admin;
|
|
allow kernel_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
|
|
allow kernel_t self:socket create;
|