Containing vmware player 2.0.0 with SELINUX

Daniel J Walsh dwalsh at redhat.com
Fri Jul 13 11:17:12 UTC 2007


Ken YANG wrote:
> Daniel J Walsh wrote:
>   
>> Louis Lam wrote:
>>     
>>> Hi all,
>>>
>>> At this point I'm still trying to use SELINUX to "contain" vmware
>>> player, making it run in
>>> targeted mode.
>>>
>>> I'm still rather new to this but through the help of Ken, I've been
>>> able to manipulate modules and
>>> get it to "affect" the vmware player but at this point my vmware
>>> player is still "broken".
>>> Would anyone be able to share their configuration (.te, .fc, .if) files
>>> if you've managed to get it
>>> to work with vmware player or vmware-workstation 6? Currently I'm
>>> working with Fedora 7 but
>>> intend to port it back to RHEL 5.
>>>
>>> I've downloaded the latest reference policy from oss and examined the
>>> vmware relevant files. From
>>> examining the vmware.fc  and
>>> "/etc/selinux/targeted/modules/active/file_context", seems like the
>>> vmware.fc file could have been written for an older/different version
>>> of vmware where the vmnet
>>> devices are at /dev/vmnet.* instead of /dev/vmnet* found in vmplayer
>>> 2/workstation 6. Which
>>> version was it written for?
>>>
>> There is vmware policy that we are starting to use in Rawhide (fc8)
>>     
>>> I went on to modify the vmware.fc file and managed to compile and load
>>> the vmware.pp module. But
>>> currently this affected the vmware services at startup, e.g.
>>> vmnet-dhcpd. For vmware, when
>>> something fails to start, it would ask me to run vmware-config.pl
>>> again when I restart it. Doing
>>> this would recreate the /dev/vmnet* files over again but it will not
>>> have the right context,
>>> defaulting to "device_t" instead of "vmware_device_t" that I have
>>> modified. The line in my
>>> vmware.fc looks like this:
>>>
>>> /dev/vmnet0  -- gen_context(system_u:object_r:vmware_device_t,s0)
>>> /dev/vmnet1  -- gen_context(system_u:object_r:vmware_device_t,s0)
>>> /dev/vmnet8  -- gen_context(system_u:object_r:vmware_device_t,s0)
>>>
>>> I was thinking that if the script has created a new /dev/vmnet file it
>>> would automatically use the
>>> vmware_device_t context but it didn't. Did I miss anything?
>> The problem here is the script is running as initrc_t, which has no rules
>> for creating devices in directories labeled device_t (/dev).  So it uses
>> the default and labels the devices the same as the directory.  Usually
>> when we have this situation, we just run restorecon /dev/XYZ after the
>> creation,
>> for example:
>>
>> mknod /dev/XYZ
>> chmod 666 /dev/XYZ
>> restorecon /dev/XYZ
>>     
>
> as Tom said, it seems that it's "$vmdb_answer_LIBDIR"/net-services.sh
> that creates such devices:
>
> http://marc.info/?l=fedora-selinux-list&m=118407622004161&w=2
>
>
> I notice "/dev" is tmpfs:
>
> -(:14:45:$)-> cat /proc/mounts
> rootfs / rootfs rw 0 0
> /dev/root / ext3 rw,data=ordered 0 0
> /dev /dev tmpfs rw 0 0
> ......
>
> I want to add a rule to the policy:
>
> type_transition "vmware type" tmpfs_t : chr_file vmware_device_t;
>
> additionally, I don't know what type net-services.sh should have; now it is:
>
> ... root root user_u:object_r:lib_t   /usr/lib/vmware/net-services.sh
>
>
> is this method appropriate?
>
>>> What do the two "--" on the line mean? Are they significant?
>> The -- indicates that this matches only files.
>>
>> -d directories
>> -s sock_file
>> -l link file
>> -c char_file
>> ...
>>
>> Second character matches the first character of the ls -l line
>>
>> ls -l /dev/ttyS0
>> crw-rw---- 1 root uucp 4, 64 2007-07-11 19:07 /dev/ttyS0
>>
>> If you have no option specified it would match any file type.
>>
>> /dev/vmnet0  -- gen_context(system_u:object_r:vmware_device_t,s0)
>> /dev/vmnet1  -- gen_context(system_u:object_r:vmware_device_t,s0)
>> /dev/vmnet8  -- gen_context(system_u:object_r:vmware_device_t,s0)
>>
>>
>> would match only "regular files" with these labels.  So you would be
>> better off with -c (or -b if they are block devices).
>>     
>>> Sorry about the long post, any help or advice? Thanks.
>>>
>>> Louis
>>> -- 
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

One approach to this would be to label the /etc/init.d/vmware script 
vmware_initrc_exec_t and then set up the proper transitions.

This is something we are considering for RBAC.  For example we want to 
allow webadm_t to be able to only restart/execute the httpd
script.  Currently we have to allow him to execute any initrc script, 
although we can prevent him from starting other confined domains.
A cleaner solution might be to label the script differently and set up 
another domain for the script to transition to.
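To make the file_contexts type-specifier rule quoted in this thread concrete, here is a small matcher added to this archive page (not code from the thread, and not libselinux): a `--` entry labels only regular files, `-c` only character devices, and an entry with no specifier labels anything. It assumes that when several entries match, the last one wins, and it returns None where nothing matches, which is when restorecon leaves the node with the label it inherited from /dev.

```python
import re

# Type specifier -> first character of the `ls -l` mode string it matches.
_SPEC_TO_LS_TYPE = {"--": "-", "-d": "d", "-c": "c", "-b": "b",
                    "-s": "s", "-l": "l", "-p": "p"}

def parse_file_contexts(text):
    """Parse lines of the form <path-regex> [<spec>] <context>; a refpolicy
    gen_context(ctx, mls) wrapper is reduced to its context string."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, spec, ctx = parts
        elif len(parts) == 2:
            (regex, ctx), spec = parts, None
        else:
            raise ValueError(f"bad file_contexts line: {raw!r}")
        if spec is not None and spec not in _SPEC_TO_LS_TYPE:
            raise ValueError(f"unknown type specifier in {raw!r}")
        m = re.fullmatch(r"gen_context\(([^,]+),[^)]*\)", ctx)
        ctx = m.group(1) if m else ctx
        entries.append((re.compile("^" + regex + "$"), spec, ctx))  # anchored
    return entries

def label_for(fc_text, path, ls_type):
    """Context assigned to `path` whose `ls -l` line starts with `ls_type`
    ('-', 'c', 'b', 'd', ...), or None when no entry applies, in which case
    the node keeps the label inherited from its directory (device_t in /dev).
    Assumption: when several entries match, the last one wins."""
    result = None
    for regex, spec, ctx in parse_file_contexts(fc_text):
        if regex.match(path) and (spec is None or _SPEC_TO_LS_TYPE[spec] == ls_type):
            result = ctx
    return result

# Constructed samples: Louis's three entries as posted, and one regex entry
# carrying the -c specifier Dan recommends for character devices.
ORIGINAL_FC = """\
/dev/vmnet0  -- gen_context(system_u:object_r:vmware_device_t,s0)
/dev/vmnet1  -- gen_context(system_u:object_r:vmware_device_t,s0)
/dev/vmnet8  -- gen_context(system_u:object_r:vmware_device_t,s0)
"""
FIXED_FC = "/dev/vmnet[0-9]+  -c  gen_context(system_u:object_r:vmware_device_t,s0)\n"
VMWARE_DEV = "system_u:object_r:vmware_device_t"
```

Running `label_for(ORIGINAL_FC, "/dev/vmnet0", "c")` gives None while `label_for(FIXED_FC, "/dev/vmnet0", "c")` gives the vmware_device_t context, which is exactly the difference between the posted `--` lines and the suggested `-c` form.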



