Containing vmware player 2.0.0 with SELINUX
Daniel J Walsh
dwalsh at redhat.com
Thu Jul 12 13:00:56 UTC 2007
Louis Lam wrote:
> Hi all,
>
> At this point I'm still trying to use SELINUX to "contain" vmware player, making it run in
> targeted mode.
>
> I'm still rather new to this but through the help of Ken, I've been able to manipulate modules and
> get it to "affect" the vmware player but at this point my vmware player is still "broken".
>
> Would anyone be able to share their configurations (.te, .fc, .if) files if you've managed to get it
> to work with vmware player or vmware-workstation 6? Currently I'm working with Fedora 7 but
> intend to port it back to RHEL 5.
>
> I've downloaded the latest reference policy from oss and examined the vmware relevant files. From
> examining the vmware.fc and "/etc/selinux/targeted/modules/active/file_context", seems like the
> vmware.fc file could have been written for an older/different version of vmware where the vmnet
> devices are at /dev/vmnet.* instead of /dev/vmnet* found in vmplayer 2/workstation 6. Which
> version was it written for?
>
>
There is vmware policy that we are starting to use in Rawhide (fc8).
> I went on to modify the vmware.fc file and managed to compile and load the vmware.pp module. But
> currently this affected the vmware services at startup, e.g. vmnet-dhcpd. For vmware, when
> something fails to start, it would ask me to run vmware-config.pl again when I restart it. Doing
> this would recreate the /dev/vmnet* files over again but it will not have the right context,
> defaulting to "device_t" instead of "vmware_device_t" that I have modified. The line in my
> vmware.fc looks like this:
>
> /dev/vmnet0 -- gen_context(system_u:object_r:vmware_device_t,s0)
> /dev/vmnet1 -- gen_context(system_u:object_r:vmware_device_t,s0)
> /dev/vmnet8 -- gen_context(system_u:object_r:vmware_device_t,s0)
>
> I was thinking that if the script has created a new /dev/vmnet file it would automatically use the
> vmware_device_t context but it didn't. Did I miss out anything?
>
The problem here is the script is running as initrc_t which has no rules
when creating devices in directories labeled device_t (/dev). So it uses
the default and labels the devices the same as the directory. Usually
when we have this situation, we just run restorecon /dev/XYZ after the
creation, for example:
  mknod /dev/XYZ c MAJOR MINOR   (device type and numbers as appropriate)
  chmod 666 /dev/XYZ
  restorecon /dev/XYZ
> What do the two "--" on the line mean? Are they significant?
>
The -- indicates that this matches only files.
  -d directories
  -s sock_file
  -l link file
  -c char_file
  ...
The second character matches the first character of the ls -l line:
  ls -l /dev/ttyS0
  crw-rw---- 1 root uucp 4, 64 2007-07-11 19:07 /dev/ttyS0
If you have no option specified it would match any file type.
  /dev/vmnet0 -- gen_context(system_u:object_r:vmware_device_t,s0)
  /dev/vmnet1 -- gen_context(system_u:object_r:vmware_device_t,s0)
  /dev/vmnet8 -- gen_context(system_u:object_r:vmware_device_t,s0)
would match only "Regular files" with these labels. So you would be
better off with -c (or -b if they are block devices).
> Sorry about the long post, any help or advice? Thanks.
>
> Louis
>
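To make Dan's point about the type flag concrete, here is an added example (not code from this thread or from the reference policy): a toy version of the file_contexts lookup that setfiles/restorecon perform, run over a constructed fragment in the .fc form Louis posted. It assumes the documented setfiles behaviour that the last applicable entry wins; the /dev/vmnet paths are only looked up, not created.

```shell
#!/bin/sh
# Added example, not code from the thread or from the reference policy.
# An entry applies only if its regex matches the whole path AND its type
# flag (--, -d, -c, -b, -s, -l, -p; absent = any type) agrees with the
# object's type: the flag's second character equals the first character
# of `ls -ld` output. Later entries override earlier ones, as setfiles(8)
# documents. Both fragments below are constructed for this demonstration.
FC_BROKEN='/dev/vmnet[0-9]+ -- gen_context(system_u:object_r:vmware_device_t,s0)'
FC_FIXED='/dev/vmnet[0-9]+ -c gen_context(system_u:object_r:vmware_device_t,s0)'

# fc_type_char PATH -> type character of an existing object (- d c b s l p)
fc_type_char() {
  ls -ld "$1" | cut -c1
}

# fc_lookup FRAGMENT PATH TYPECHAR -> prints the context the last applicable
# entry assigns to PATH (an object of type TYPECHAR); exit 1 if none applies.
fc_lookup() {
  frag=$1; path=$2; tchar=$3; found=
  while read -r regex flag ctx; do
    [ -z "$regex" ] && continue
    # two-field line: no type flag, so the entry matches any object type
    if [ -z "$ctx" ]; then ctx=$flag; flag=; fi
    # the regex must match the whole path, as the SELinux matcher requires
    printf '%s\n' "$path" | grep -Eqx "$regex" || continue
    if [ -n "$flag" ] && [ "$(printf '%s' "$flag" | cut -c2)" != "$tchar" ]; then
      continue
    fi
    found=$ctx
  done <<EOF
$frag
EOF
  [ -n "$found" ] && printf '%s\n' "$found"
}

# A char device /dev/vmnet0 (type c) is never matched by the "--" entry...
fc_lookup "$FC_BROKEN" /dev/vmnet0 c || echo '/dev/vmnet0: no entry applies, it keeps device_t'
# ...but is matched once the flag is corrected to -c.
fc_lookup "$FC_FIXED" /dev/vmnet0 c
```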