Containing vmware player 2.0.0 with SELINUX

Ken YANG spng.yang at gmail.com
Tue Jul 31 10:00:20 UTC 2007


Louis Lam wrote:
> Hi, 
> 
> Thanks for the reply.
> 
> My conclusion is that I'm not sure where to place the domain_auto_trans() statement. If I can't place it in the vmware.if file (since it will not be read during module compilation), where can I put this statement? All I need to do now is to make the vmware executable run in its own domain, e.g. vmware_t. But it seems more difficult than I thought. 

If you want the vmware program to run in its own domain, all necessary rules
should be in the te file, e.g.

domain_auto_trans(vmware_t, vmware_host_exec_t, vmware_host_t)
(just an example)

Similarly, domain_auto_trans can also be used in the if file, especially
in per_role_template. All of these depend on your purpose.

To make vmware run in selinux-policy>3.0, the easiest way is to
follow Tom's guidance, i.e. modify the net-service.sh to restore the
label after creating the device node.

But if you want to make the policy contain vmware, you must resolve
the "device node label" problem; IMHO, you should use fs_use_trans
to set the label automatically:

http://marc.info/?l=selinux&m=118481693028190&w=2

Right now I have no time to do this, so I have not solved the problems
I encountered.


> 
> Can you point me to resources to how to develop modules? Can someone help me with this problem?

"Beginning is the most difficult one, but A Good Beginning is half
the battle" :-)

After you finish the beginning, you will find it is not difficult.

The book <<SELinux by Example>> is a good guide for developing modules,
but I think the best guide to developing policy is the policy source.



> 
> Thanks & Regards,
> Louis
> 
> ----- Original Message ----
> From: Ken YANG <spng.yang at gmail.com>
> To: Louis Lam <lshoujun at yahoo.com>
> Cc: Daniel J Walsh <dwalsh at redhat.com>; fedora-selinux-list at redhat.com
> Sent: Monday, July 30, 2007 6:53:17 AM
> Subject: Re: Containing vmware player 2.0.0 with SELINUX
> 
> Louis Lam wrote:
>> Hi,
>>
>> I think i'm having a policy compilation problem here
>>
>> I've moved the domain_auto_trans($1_t, vmware_exec_t, $1_vmware_t) statement to vmware.if. I was following the domain_auto_trans rules for other apps such as mozilla. The syntax error problem went away. 
>>
>> But the problem is that the domain transition didn't take place. My vmplayer is still running in unconfined state.
>>
>> I'm doing compilation of the vmware.pp module using make -f /usr/share/selinux/devel/Makefile. I've tried to purposely introduce errors into vmware.if to see if the compilation is effective:
>>
>> e.g. domain_auto_trans($2, $2, $1_t, vmware_exec_t, $1_vmware_t)
>>
>> But the make process didn't detect any errors and the compilation still went on. I did a diff between the vmware.pp at the /etc/selinux/targeted/modules/active/modules/vmware.pp and the development directory (where I do all my compilation), but there are no differences.
>>
>> Does it mean if the vmware.if file is modified it will not affect the make? 
> 
> As I infer (I'm not sure):
> 
> the interface will not be checked unless someone invokes it, because if
> there are no invocations, the parameters cannot be determined.
> 
> When you build the vmware module, you will not use your own interface in
> your own module, so the build process will not detect the error.
> 
> 
> 
>> How do you ensure that the changes at vmware.if are effective? (well, at least cause some compilation errors?)
>>
>> Thanks,
>> Louis
>>
>> ----- Original Message ----
>> From: Ken YANG <spng.yang at gmail.com>
>> To: Louis Lam <lshoujun at yahoo.com>
>> Cc: Daniel J Walsh <dwalsh at redhat.com>; fedora-selinux-list at redhat.com
>> Sent: Saturday, July 28, 2007 5:28:25 PM
>> Subject: Re: Containing vmware player 2.0.0 with SELINUX
>>
>>
>> Louis Lam wrote:
>>> My mistakes, apologies for the confusion, under part 2, I was trying to do domain_auto_trans instead of doman_entry_file, so...
>>>
>>> 2. Created a domain transition so that the vmware user programs, e.g.
>>> the /usr/lib/vmplayer script and /usr/lib/vmware/bin/vmplayer, that are
>>> labelled system_u:object_r:vmware_exec_t will transition to
>>> system_u:object_r:vmware_t when executed. I put it also in vmware.te:
>>>
>>> domain_auto_trans($1_t, vmware_exec_t, $1_vmware_t)
>>>
>>> but on making the vmware.pp module I get this warning and error:
>>>
>>> 'syntax error' at token '1' on line 81143:
>>> #line 13
>>>     allow $1_t vmware_exec_t: file {getattr read execute};
>> This rule is generated by domain_auto_trans, so I think the
>> syntax error should be caused by other rules.
>>
>> You may check the other rules in your policy.
>>
>>> Thanks in advance,
>>> Louis
>>>
>>>
>>> ----- Original Message ----
>>> From: Louis Lam <lshoujun at yahoo.com>
>>> To: Daniel J Walsh <dwalsh at redhat.com>
>>> Cc: fedora-selinux-list at redhat.com
>>> Sent: Friday, July 27, 2007 5:05:05 AM
>>> Subject: Re: Containing vmware player 2.0.0 with SELINUX
>>>
>>> Thanks Daniel for the information, hi everyone
>>>
>>> I've tried to make the following changes:
>>>
>>> 1. Defined the vmware_t type in vmware.te:
>>> type vmware_t;
>>>
>>> I need to do this since I'm trying to let the vmware user program run under the vmware_t domain, but this is not defined. In terms of overall code compliance, is it correct to define it here? Or should it be in vmware.if?
>> The type definition should be in vmware.te.
>>
>> Send instant messages to your online friends http://uk.messenger.yahoo.com 
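The module layout Ken describes (type declarations and concrete rules in the .te, parameterised rules in the .if, labels in the .fc), written out as an added example that is not part of this thread or of any VMware package: a shell script that emits the three files, builds and loads vmware.pp with the devel Makefile named in the thread, and checks the process label afterwards. The module name vmware, the caller domain and role (unconfined_t and system_r, the defaults below), and the vmware_host_t/vmware_host_exec_t helper types are assumptions; set USER_DOMAIN and USER_ROLE to what `id -Z` reports on your system.

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal reference-policy module
# that runs vmplayer in its own domain, plus the build and check steps.
# Assumed names: module "vmware", caller domain/role unconfined_t/system_r
# (check yours with `id -Z`), and vmware_host_t/vmware_host_exec_t for a
# helper binary the player launches.
set -eu

USER_DOMAIN="${USER_DOMAIN:-unconfined_t}"
USER_ROLE="${USER_ROLE:-system_r}"

# vmware.te: type declarations and concrete rules only (no $1 parameters).
write_vmware_te() {
	sed -e "s/@USER_DOMAIN@/$USER_DOMAIN/" -e "s/@USER_ROLE@/$USER_ROLE/" <<'EOF'
policy_module(vmware, 1.0.0)

# Declarations
type vmware_t;
type vmware_exec_t;
domain_type(vmware_t)
domain_entry_file(vmware_t, vmware_exec_t)

type vmware_host_t;
type vmware_host_exec_t;
domain_type(vmware_host_t)
domain_entry_file(vmware_host_t, vmware_host_exec_t)

# Local policy: the player may start its helper, which runs as vmware_host_t.
domain_auto_trans(vmware_t, vmware_host_exec_t, vmware_host_t)

# Calling the module's own interface here gives the user domain the
# transition into vmware_t, and makes m4 expand the interface body during
# this build, so a mistake in vmware.if fails the build instead of being
# skipped (an interface nobody invokes is never expanded).
gen_require(`
	type @USER_DOMAIN@;
	role @USER_ROLE@;
')
vmware_run(@USER_DOMAIN@, @USER_ROLE@)
EOF
}

# vmware.if: parameterised rules that other modules (or this .te) invoke.
write_vmware_if() {
	cat <<'EOF'
## <summary>VMware player confined in its own domain.</summary>

## <summary>Execute vmplayer in the vmware domain.</summary>
## <param name="domain"><summary>Domain allowed to transition.</summary></param>
interface(`vmware_domtrans',`
	gen_require(`
		type vmware_t, vmware_exec_t;
	')
	domain_auto_trans($1, vmware_exec_t, vmware_t)
	allow vmware_t $1:fd use;
	allow vmware_t $1:fifo_file rw_file_perms;
	allow vmware_t $1:process sigchld;
')

## <summary>Execute vmplayer in the vmware domain and let the role use it.</summary>
## <param name="domain"><summary>Domain allowed to transition.</summary></param>
## <param name="role"><summary>Role allowed the vmware domain.</summary></param>
interface(`vmware_run',`
	gen_require(`
		type vmware_t;
	')
	vmware_domtrans($1)
	role $2 types vmware_t;
')
EOF
}

# vmware.fc: the executables named in the thread get the entry-point label.
write_vmware_fc() {
	cat <<'EOF'
/usr/lib/vmplayer		--	gen_context(system_u:object_r:vmware_exec_t,s0)
/usr/lib/vmware/bin/vmplayer	--	gen_context(system_u:object_r:vmware_exec_t,s0)
EOF
}

# Build vmware.pp with the devel Makefile from the thread, load it, and
# relabel the executables.  Needs root and the policy devel files installed;
# returns 1 when the Makefile is missing.
build_vmware_module() {
	dir=${1:-.}
	[ -f /usr/share/selinux/devel/Makefile ] || return 1
	write_vmware_te > "$dir/vmware.te"
	write_vmware_if > "$dir/vmware.if"
	write_vmware_fc > "$dir/vmware.fc"
	(cd "$dir" && make -f /usr/share/selinux/devel/Makefile vmware.pp)
	semodule -i "$dir/vmware.pp"
	restorecon -v /usr/lib/vmplayer /usr/lib/vmware/bin/vmplayer
}

# With vmplayer running, succeed only if its process label shows vmware_t
# (the thread's symptom was a process still running in unconfined_t).
verify_transition() {
	ps -eZ | grep '[v]mplayer' | grep -q ':vmware_t'
}

if [ "${1:-}" = build ]; then
	build_vmware_module "${2:-.}"
fi
```

Run it as root with `sh vmware-module.sh build /path/to/workdir`, start vmplayer, then call verify_transition. Because the .te invokes vmware_run, a deliberately broken interface body (such as the five-argument domain_auto_trans Louis tried) is expanded during this module's own build and reported by make, rather than passing silently. The new domain starts with almost no permissions of its own, so expect denials in the audit log and add rules to vmware.te from audit2allow output until the player runs cleanly.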




More information about the fedora-selinux-list mailing list