Containing vmware player 2.0.0 with SELINUX

Ken YANG spng.yang at gmail.com
Fri Jul 13 06:56:37 UTC 2007


Daniel J Walsh wrote:
> Louis Lam wrote:
>> Hi all,
>>
>> At this point i'm still trying to use SELINUX to "contain" vmware
>> player, making it run in
>> targeted mode.
>>
>> I'm still rather new to this but through the help of Ken, I've been
>> able to manipulate modules and
>> get it to "affect" the vmware player but at this point my vmware
>> player is still "broken".
>> Would anyone be able to share their configurations (.te,.fc,.if) file
>> if you've managed to get it
>> to work with vmware player or vmware-workstation 6 ? Currently I'm
>> working with Fedora 7 but
>> intend to port it back to RHEL 5.
>>
>> I've downloaded the latest reference policy from oss and examined the
>> vmware relevant files. From
>> examining the vmware.fc  and
>> "/etc/selinux/targeted/modules/active/file_context", seems like the
>> vmware.fc file could have been written for an older/different version
>> of vmware where the vmnet
>> devices are at /dev/vmnet.* instead of /dev/vmnet* found in vmplayer
>> 2/workstation 6. Which
>> version was it written for?
>>
>>   
> There is a vmware policy that we are starting to use in Rawhide (fc8).
>> I went on to modify the vmware.fc file and managed to compile and load
>> the vmware.pp module. But
>> currently this affected the vmware services at startup, e.g.
>> vmnet-dhcpd. For vmware, when
>> something fails to start, it would ask me to run vmware-config.pl
>> again when I restart it. Doing
>> this would recreate the /dev/vmnet* files over again but it will not
>> have the right context,
>> defaulting to "device_t" instead of "vmware_device_t" that i have
>> modified. The line in my
>> vmware.fc looks like this:
>>
>> /dev/vmnet0  -- gen_context(system_u:object_r:vmware_device_t,s0)
>> /dev/vmnet1  -- gen_context(system_u:object_r:vmware_device_t,s0)
>> /dev/vmnet8  -- gen_context(system_u:object_r:vmware_device_t,s0)
>>
>> I was thinking that if the script has created a new /dev/vmnet file it
>> would automatically use the
>> vmware_device_t context but it didn't. Did I miss out anything?
>>   
> The problem here is that the script is running as initrc_t, which has no
> rules for creating devices in directories labeled device_t (/dev). So it
> uses the default and labels the devices the same as the directory. Usually
> when we have this situation, we just run restorecon /dev/XYZ after the
> creation,
> for example:
> 
> mknod /dev/XYZ
> chmod 666 /dev/XYZ
> restorecon /dev/XYZ

As Tom said, it seems that it's "$vmdb_answer_LIBDIR"/net-services.sh
that creates such devices:

http://marc.info/?l=fedora-selinux-list&m=118407622004161&w=2


I notice "/dev" is tmpfs:

-(:14:45:$)-> cat /proc/mounts
rootfs / rootfs rw 0 0
/dev/root / ext3 rw,data=ordered 0 0
/dev /dev tmpfs rw 0 0
......

I want to add a rule to the policy:

type_transition "vmware type" tmpfs_t : chr_file vmware_device_t;

Additionally, I don't know what type net-services.sh should have; now it is:

... root root user_u:object_r:lib_t   /usr/lib/vmware/net-services.sh


is this method appropriate?




>> What do the two "--" on the line mean? Are they significant?
>>   
> The -- indicates that this matches only files.
> 
> -d directories
> -s sock_file
> -l link file
> -c char_file
> ...
> 
> Second character matches the first character of the ls -l line
> 
> ls -l /dev/ttyS0
> crw-rw---- 1 root uucp 4, 64 2007-07-11 19:07 /dev/ttyS0
> 
> If you have no option specified it would match any file type.
> 
> /dev/vmnet0  -- gen_context(system_u:object_r:vmware_device_t,s0)
> /dev/vmnet1  -- gen_context(system_u:object_r:vmware_device_t,s0)
> /dev/vmnet8  -- gen_context(system_u:object_r:vmware_device_t,s0)
> 
> 
> Would match only "Regular files" with these labels.  So you would be
> better off with -c (or -b if they are block devices).
>> Sorry about the long post, any help or advice? Thanks.
>>
>> Louis
>> -- 
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>   
> 
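Added example (not code from this thread, from the vmware policy, or from libselinux): a small Python model of the two labelling paths the replies above describe. create_label() is the kernel's decision when a process creates a device node: the type_transition result if a (creating domain, parent directory type, object class) rule exists, otherwise the parent directory's type, which is why a node created by initrc_t in a device_t /dev comes out device_t. matchpathcon() is the file_contexts lookup that restorecon and setfiles go through, with the last-matching-entry-wins order and the "--"/"-c" file-type flags from the reply. The file_contexts lines apart from the three quoted /dev/vmnet lines are constructed for the example (the /dev/.* entry stands in for the generic device_t line, the /dev/vmnet.* entry is in the style of the reference policy's vmware.fc), and the vmware_t creating in a device_t directory in the transition rule is an assumption, not the policy as shipped. It also shows that /dev/vmnet.* in a .fc file is a regular expression that already matches /dev/vmnet0, /dev/vmnet1 and /dev/vmnet8, so the three literal lines are only needed if the regex entry is missing.

```python
import re
import stat
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# file_contexts type flags -> stat(2) file type, as listed in the reply:
# "--" regular file, -d directory, -c char device, -b block device,
# -l symlink, -s socket, -p fifo.  No flag at all matches any file type.
FTYPE_MODE = {
    "--": stat.S_IFREG, "-d": stat.S_IFDIR, "-c": stat.S_IFCHR,
    "-b": stat.S_IFBLK, "-l": stat.S_IFLNK, "-s": stat.S_IFSOCK,
    "-p": stat.S_IFIFO,
}

# One .fc line: <regex> [<flag>] gen_context(<ctx>,<level>) | <ctx> | <<none>>
FC_LINE = re.compile(
    r"^(?P<regex>\S+)\s+(?:(?P<ftype>-[-dcblsp])\s+)?"
    r"(?:gen_context\((?P<ctx>[^)]+)\)|(?P<raw>\S+))\s*$"
)

CHR_MODE = stat.S_IFCHR | 0o666   # what "mknod ... c" plus "chmod 666" produce
REG_MODE = stat.S_IFREG | 0o644   # an ordinary file, for comparison


@dataclass(frozen=True)
class FcEntry:
    regex: "re.Pattern"
    ftype: Optional[str]       # None: matches any file type
    context: Optional[str]     # None: <<none>>, i.e. leave unlabeled


def parse_file_contexts(text: str) -> List[FcEntry]:
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if m is None:
            raise ValueError(f"cannot parse file_contexts line: {line!r}")
        ctx = m.group("ctx") or m.group("raw")
        # gen_context(user:role:type,s0) expands to user:role:type:s0
        ctx = None if ctx == "<<none>>" else ctx.replace(",", ":")
        # the expression is anchored: the whole path must match, not a prefix
        entries.append(FcEntry(re.compile("^" + m.group("regex") + "$"),
                               m.group("ftype"), ctx))
    return entries


def matchpathcon(entries: List[FcEntry], path: str, mode: int) -> Optional[str]:
    """Context restorecon/setfiles would apply to `path` whose st_mode is `mode`.
    The *last* matching specification wins; None if no entry matches."""
    fmt = stat.S_IFMT(mode)
    for e in reversed(entries):
        if e.ftype is not None and FTYPE_MODE[e.ftype] != fmt:
            continue            # flag present but wrong file type: skip
        if e.regex.match(path):
            return e.context
    return None


Rules = Dict[Tuple[str, str, str], str]   # (source, target, class) -> new type


def create_label(rules: Rules, source_type: str, parent_type: str, cls: str) -> str:
    """Type the kernel gives a new object: the type_transition result if a rule for
    (creating domain, parent dir type, object class) exists, else the parent's type."""
    return rules.get((source_type, parent_type, cls), parent_type)


# Constructed fragment: /dev/.* stands in for the generic device_t entry,
# the three vmnet lines are the ones quoted in the thread.
FC_AS_POSTED = """
/dev/.*        gen_context(system_u:object_r:device_t,s0)
/dev/vmnet0 -- gen_context(system_u:object_r:vmware_device_t,s0)
/dev/vmnet1 -- gen_context(system_u:object_r:vmware_device_t,s0)
/dev/vmnet8 -- gen_context(system_u:object_r:vmware_device_t,s0)
"""
# The same lines with -c, as the reply suggests.
FC_FIXED = FC_AS_POSTED.replace(" -- ", " -c ")
# A regex entry in the style of the reference policy's vmware.fc (constructed here).
FC_REGEX = """
/dev/.*       gen_context(system_u:object_r:device_t,s0)
/dev/vmnet.*  -c  gen_context(system_u:object_r:vmware_device_t,s0)
"""


def demo() -> Dict[str, Optional[str]]:
    posted, fixed, regex = (parse_file_contexts(t) for t in (FC_AS_POSTED, FC_FIXED, FC_REGEX))
    out: Dict[str, Optional[str]] = {}
    # net-services.sh runs as initrc_t; no transition rule -> node inherits device_t
    out["created_by_initrc"] = create_label({}, "initrc_t", "device_t", "chr_file")
    # restorecon with "--": a char device falls through to the /dev/.* line
    out["restorecon_posted"] = matchpathcon(posted, "/dev/vmnet0", CHR_MODE)
    # restorecon with "-c": relabeled as intended
    out["restorecon_fixed"] = matchpathcon(fixed, "/dev/vmnet0", CHR_MODE)
    # "/dev/vmnet.*" is a regex, so it already covers vmnet0/1/8 ...
    out["regex_vmnet8"] = matchpathcon(regex, "/dev/vmnet8", CHR_MODE)
    # ... but only for char devices, because of -c
    out["regex_regular_file"] = matchpathcon(regex, "/dev/vmnet8", REG_MODE)
    # the proposed type_transition; assumed pair: vmware_t creating in a device_t dir
    rules: Rules = {("vmware_t", "device_t", "chr_file"): "vmware_device_t"}
    out["created_with_rule"] = create_label(rules, "vmware_t", "device_t", "chr_file")
    return out


if __name__ == "__main__":
    for name, ctx in demo().items():
        print(f"{name:22} {ctx}")
```

Two checks worth doing on a real box before trusting either fix: the target type in a type_transition rule is whatever the parent directory is actually labeled, which `ls -dZ /dev` reports (it need not be tmpfs_t just because /dev is mounted as tmpfs), and a type_transition only chooses the label; the creating domain still needs allow rules to create a chr_file in that directory, which audit2allow on the resulting AVC denials will list. Because restorecon goes through the same lookup as above, the restorecon /dev/XYZ step does nothing for a char device while the entry is written with "--": the lookup skips it, falls through to the generic /dev line and leaves the node device_t.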
