1d8333d7a7
When SECMARK or Netlabel packet labeling is used, it's useful to forbid receiving and sending unlabeled packets. If packet labeling is not active, there's no effect. Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
268 lines
8.0 KiB
Plaintext
268 lines
8.0 KiB
Plaintext
policy_module(vmware, 2.10.1)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
type vmware_t;
|
|
type vmware_exec_t;
|
|
userdom_user_application_domain(vmware_t, vmware_exec_t)
|
|
|
|
type vmware_conf_t;
|
|
userdom_user_home_content(vmware_conf_t)
|
|
|
|
type vmware_file_t;
|
|
userdom_user_home_content(vmware_file_t)
|
|
|
|
type vmware_host_t;
|
|
type vmware_host_exec_t;
|
|
init_daemon_domain(vmware_host_t, vmware_host_exec_t)
|
|
|
|
type vmware_host_pid_t alias vmware_var_run_t;
|
|
files_pid_file(vmware_host_pid_t)
|
|
|
|
type vmware_host_tmp_t;
|
|
userdom_user_tmp_file(vmware_host_tmp_t)
|
|
|
|
type vmware_log_t;
|
|
logging_log_file(vmware_log_t)
|
|
ubac_constrained(vmware_log_t)
|
|
|
|
type vmware_pid_t;
|
|
files_pid_file(vmware_pid_t)
|
|
ubac_constrained(vmware_pid_t)
|
|
|
|
type vmware_sys_conf_t;
|
|
files_config_file(vmware_sys_conf_t)
|
|
|
|
type vmware_tmp_t;
|
|
userdom_user_tmp_file(vmware_tmp_t)
|
|
|
|
type vmware_tmpfs_t;
|
|
userdom_user_tmpfs_file(vmware_tmpfs_t)
|
|
|
|
ifdef(`enable_mcs',`
|
|
init_ranged_daemon_domain(vmware_host_t, vmware_host_exec_t, s0 - mcs_systemhigh)
|
|
')
|
|
|
|
optional_policy(`
|
|
wm_application_domain(vmware_t, vmware_exec_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Host local policy
|
|
#
|
|
|
|
allow vmware_host_t self:capability { dac_override kill net_raw setgid setuid sys_nice sys_ptrace sys_time };
|
|
dontaudit vmware_host_t self:capability sys_tty_config;
|
|
allow vmware_host_t self:process { execstack execmem signal_perms };
|
|
allow vmware_host_t self:fifo_file rw_fifo_file_perms;
|
|
allow vmware_host_t self:unix_stream_socket { accept listen };
|
|
allow vmware_host_t self:rawip_socket create_socket_perms;
|
|
|
|
manage_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t)
|
|
manage_lnk_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t)
|
|
|
|
manage_dirs_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t)
|
|
manage_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t)
|
|
manage_sock_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t)
|
|
files_tmp_filetrans(vmware_host_t, vmware_host_tmp_t, { file dir })
|
|
|
|
manage_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t)
|
|
manage_sock_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t)
|
|
files_pid_filetrans(vmware_host_t, vmware_var_run_t, { file sock_file })
|
|
|
|
append_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t)
|
|
create_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t)
|
|
setattr_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t)
|
|
logging_log_filetrans(vmware_host_t, vmware_log_t, file)
|
|
|
|
can_exec(vmware_host_t, vmware_host_exec_t)
|
|
|
|
kernel_read_kernel_sysctls(vmware_host_t)
|
|
kernel_read_system_state(vmware_host_t)
|
|
kernel_read_network_state(vmware_host_t)
|
|
|
|
corenet_all_recvfrom_netlabel(vmware_host_t)
|
|
corenet_tcp_sendrecv_generic_if(vmware_host_t)
|
|
corenet_udp_sendrecv_generic_if(vmware_host_t)
|
|
corenet_raw_sendrecv_generic_if(vmware_host_t)
|
|
corenet_tcp_sendrecv_generic_node(vmware_host_t)
|
|
corenet_udp_sendrecv_generic_node(vmware_host_t)
|
|
corenet_raw_sendrecv_generic_node(vmware_host_t)
|
|
|
|
corenet_sendrecv_all_client_packets(vmware_host_t)
|
|
corenet_tcp_connect_all_ports(vmware_host_t)
|
|
|
|
corecmd_exec_bin(vmware_host_t)
|
|
corecmd_exec_shell(vmware_host_t)
|
|
|
|
dev_getattr_all_blk_files(vmware_host_t)
|
|
dev_read_sysfs(vmware_host_t)
|
|
dev_read_urand(vmware_host_t)
|
|
dev_rw_vmware(vmware_host_t)
|
|
|
|
domain_use_interactive_fds(vmware_host_t)
|
|
domain_dontaudit_read_all_domains_state(vmware_host_t)
|
|
|
|
files_list_tmp(vmware_host_t)
|
|
files_read_etc_files(vmware_host_t)
|
|
files_read_etc_runtime_files(vmware_host_t)
|
|
files_read_usr_files(vmware_host_t)
|
|
|
|
fs_getattr_all_fs(vmware_host_t)
|
|
fs_search_auto_mountpoints(vmware_host_t)
|
|
|
|
storage_getattr_fixed_disk_dev(vmware_host_t)
|
|
|
|
term_dontaudit_use_console(vmware_host_t)
|
|
|
|
init_use_fds(vmware_host_t)
|
|
init_use_script_ptys(vmware_host_t)
|
|
|
|
libs_exec_ld_so(vmware_host_t)
|
|
|
|
logging_send_syslog_msg(vmware_host_t)
|
|
|
|
miscfiles_read_localization(vmware_host_t)
|
|
|
|
sysnet_dns_name_resolve(vmware_host_t)
|
|
sysnet_domtrans_ifconfig(vmware_host_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(vmware_host_t)
|
|
userdom_dontaudit_search_user_home_dirs(vmware_host_t)
|
|
|
|
netutils_domtrans_ping(vmware_host_t)
|
|
|
|
optional_policy(`
|
|
hostname_exec(vmware_host_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
modutils_domtrans(vmware_host_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
samba_read_config(vmware_host_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
seutil_sigchld_newrole(vmware_host_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
shutdown_domtrans(vmware_host_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
udev_read_db(vmware_host_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
xserver_read_tmp_files(vmware_host_t)
|
|
xserver_read_xdm_pid(vmware_host_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Guest local policy
|
|
#
|
|
|
|
allow vmware_t self:capability { chown dac_override setgid setuid sys_admin sys_nice sys_rawio sys_resource };
|
|
dontaudit vmware_t self:capability sys_tty_config;
|
|
allow vmware_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition execmem execstack setkeycreate setsockcreate getrlimit };
|
|
allow vmware_t self:fd use;
|
|
allow vmware_t self:fifo_file rw_fifo_file_perms;
|
|
allow vmware_t self:unix_dgram_socket { create_socket_perms sendto };
|
|
allow vmware_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
|
allow vmware_t self:shm create_shm_perms;
|
|
allow vmware_t self:sem create_sem_perms;
|
|
allow vmware_t self:msgq create_msgq_perms;
|
|
allow vmware_t self:msg { send receive };
|
|
|
|
allow vmware_t vmware_conf_t:file manage_file_perms;
|
|
|
|
manage_dirs_pattern(vmware_t, vmware_file_t, vmware_file_t)
|
|
manage_files_pattern(vmware_t, vmware_file_t, vmware_file_t)
|
|
manage_lnk_files_pattern(vmware_t, vmware_file_t, vmware_file_t)
|
|
userdom_user_home_dir_filetrans(vmware_t, vmware_file_t, dir, ".vmware")
|
|
userdom_user_home_dir_filetrans(vmware_t, vmware_file_t, dir, "vmware")
|
|
|
|
manage_dirs_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t)
|
|
manage_files_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t)
|
|
manage_sock_files_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t)
|
|
files_tmp_filetrans(vmware_t, vmware_tmp_t, { file dir })
|
|
|
|
manage_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t)
|
|
manage_lnk_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t)
|
|
manage_fifo_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t)
|
|
manage_sock_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t)
|
|
fs_tmpfs_filetrans(vmware_t, vmware_tmpfs_t, { dir file lnk_file sock_file fifo_file })
|
|
|
|
allow vmware_t vmware_sys_conf_t:dir list_dir_perms;
|
|
read_files_pattern(vmware_t, vmware_sys_conf_t, vmware_sys_conf_t)
|
|
read_lnk_files_pattern(vmware_t, vmware_sys_conf_t, vmware_sys_conf_t)
|
|
|
|
manage_dirs_pattern(vmware_t, vmware_pid_t, vmware_pid_t)
|
|
manage_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t)
|
|
manage_lnk_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t)
|
|
manage_sock_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t)
|
|
files_pid_filetrans(vmware_t, vmware_pid_t, { dir file lnk_file })
|
|
|
|
can_exec(vmware_t, { vmware_tmp_t vmware_exec_t })
|
|
|
|
kernel_read_system_state(vmware_t)
|
|
kernel_read_network_state(vmware_t)
|
|
kernel_read_kernel_sysctls(vmware_t)
|
|
|
|
corecmd_exec_bin(vmware_t)
|
|
corecmd_exec_shell(vmware_t)
|
|
|
|
dev_read_raw_memory_cond(vmware_t, allow_raw_memory_access)
|
|
dev_write_raw_memory_cond(vmware_t, allow_raw_memory_access)
|
|
dev_read_mouse(vmware_t)
|
|
dev_write_sound(vmware_t)
|
|
dev_read_realtime_clock(vmware_t)
|
|
dev_rwx_vmware(vmware_t)
|
|
dev_rw_usbfs(vmware_t)
|
|
dev_search_sysfs(vmware_t)
|
|
|
|
domain_use_interactive_fds(vmware_t)
|
|
|
|
files_read_etc_files(vmware_t)
|
|
files_read_etc_runtime_files(vmware_t)
|
|
files_read_usr_files(vmware_t)
|
|
files_list_home(vmware_t)
|
|
|
|
fs_getattr_all_fs(vmware_t)
|
|
fs_search_auto_mountpoints(vmware_t)
|
|
|
|
storage_raw_read_removable_device(vmware_t)
|
|
storage_raw_write_removable_device(vmware_t)
|
|
|
|
libs_exec_ld_so(vmware_t)
|
|
libs_read_lib_files(vmware_t)
|
|
|
|
miscfiles_read_localization(vmware_t)
|
|
|
|
userdom_use_user_terminals(vmware_t)
|
|
userdom_list_user_home_dirs(vmware_t)
|
|
|
|
sysnet_dns_name_resolve(vmware_t)
|
|
|
|
xserver_user_x_domain_template(vmware, vmware_t, vmware_tmpfs_t)
|
|
|
|
tunable_policy(`use_nfs_home_dirs',`
|
|
fs_manage_nfs_dirs(vmware_t)
|
|
fs_manage_nfs_files(vmware_t)
|
|
fs_manage_nfs_symlinks(vmware_t)
|
|
')
|
|
|
|
tunable_policy(`use_samba_home_dirs',`
|
|
fs_manage_cifs_dirs(vmware_t)
|
|
fs_manage_cifs_files(vmware_t)
|
|
fs_manage_cifs_symlinks(vmware_t)
|
|
')
|