Containing vmware player 2.0.0 with SELINUX

Louis Lam lshoujun at yahoo.com
Mon Jul 16 06:38:06 UTC 2007 

Hi All,

I managed to get the vmware host services e.g. vmnet-bridge, vmnet-dhcpd etc... to be running in
vmware_host_t domain. I did it by modifying the net-services.sh as described in an earlier post.

Next I tried to get vmplayer (i'm using vmware player 2.0.0 but it is similar for vmware ws 6) to
run in vmware_t domain. First i tried to chcon /usr/bin/vmplayer to
system_u:object_r:vmware_exec_t. But it turns out that /usr/bin/vmplayer is a script that would in
turn execute /usr/lib/vmware/bin/vmplayer. I have chcon /usr/lib/vmware/bin/vmplayer to
system_u:object_r:vmware_exec_t but still it runs in unconfined_t when i launched it. I seems like
the domain transition didn't take place. Please help.

1. What should be the context for the /usr/bin/vmplayer script? Does it affect the transition of
the actual executable /usr/lib/vmware/bin/vmplayer?

2. For those who could get vmware workstation 6 to run how did you get it to run in vmware_t
domain? 


THanks,
Louis

--- Daniel J Walsh <dwalsh at redhat.com> wrote:

> Ken YANG wrote:
> > Daniel J Walsh wrote:
> >   
> >> Louis Lam wrote:
> >>     
> >>> Hi all,
> >>>
> >>> At this point i'm still trying to use SELINUX to "contain" vmware
> >>> player, making it run in
> >>> targeted mode.
> >>>
> >>> I'm still rather new to this but through the help of Ken, i've been
> >>> able to manipulate modules and
> >>> get it to "affect" the vmware player but at this point my vmware
> >>> player is still "broken".
> >>> Would anyone be able to share their configurations (.te,.fc,.if) file
> >>> if you've managed to get it
> >>> to work with vmware player or vmware-workstation 6 ? CUrrently i'm
> >>> working with Fedora 7 but
> >>> intend to port it back to RHEL 5.
> >>>
> >>> I've downloaded the latest reference policy from oss and examined the
> >>> vmware relevant files. From
> >>> examining the vmware.fc  and
> >>> "/etc/selinux/targeted/modules/active/file_context", seems like the
> >>> vmware.fc file could have been written for an older/different version
> >>> of vmware where the vmnet
> >>> devices are at /dev/vmnet.* instead of /dev/vmnet* found in vmplayer
> >>> 2/workstation 6. Which
> >>> version was it written for?
> >>>
> >>>   
> >>>       
> >> There is vmware policy that we are starting to use in Rawhide (fc8)
> >>     
> >>> I went on to modify the vmware.fc file and managed to compile and load
> >>> the vmware.pp module. But
> >>> currently this affected the vmware services at startup, e.g.
> >>> vmnet-dhcpd. For vmware, when
> >>> something fails to start, it would ask me to rum vmware-config.pl
> >>> again when i restart it. Doing
> >>> this would recreate the /dev/vmnet* files over again but it will not
> >>> have the right context,
> >>> defaulting to "device_t" instead of "vmware_device_t" that i have
> >>> modified. The line in my
> >>> vmware.fc looks like this:
> >>>
> >>> /dev/vmnet0  -- gen_context(system_u:object_r:vmware_device_t,s0)
> >>> /dev/vmnet1  -- gen_context(system_u:object_r:vmware_device_t,s0)
> >>> /dev/vmnet8  -- gen_context(system_u:object_r:vmware_device_t,s0)
> >>>
> >>> I was thinking that if the script has created a new /dev/vmnet file it
> >>> would automatically use the
> >>> vmware_device_t context but it didn't. Did i miss out anything?
> >>>   
> >>>       
> >> The problem here is the script is running as initrc_t which has no rules
> >> when creating devices in directories labeled device_t (/dev)  So it uses
> >> the default and labels the devices the same as the directory.  Usually
> >> when we have this situation, we just run restorecon /dev/XYZ after the
> >> creation,
> >> for example
> >>
> >> mknod /dev/XYZ
> >> chmod 666 /dev/XYZ
> >> restorecon /dev/XYZ
> >>     
> >
> > as tom said, it seemed that it's "$vmdb_answer_LIBDIR"/net-services.sh
> > who create such devices:
> >
> > http://marc.info/?l=fedora-selinux-list&m=118407622004161&w=2
> >
> >
> > i notice "/dev" is tmpfs:
> >
> > -(:14:45:$)-> cat /proc/mounts
> > rootfs / rootfs rw 0 0
> > /dev/root / ext3 rw,data=ordered 0 0
> > /dev /dev tmpfs rw 0 0
> > ......
> >
> > i want to add rules in policy:
> >
> > type_transition "vmware type" tmpfs_t : chr_file vmware_device_t;
> >
> > additionally i don't know what type of the net-services.sh, now it is:
> >
> > ... root root user_u:object_r:lib_t   /usr/lib/vmware/net-services.sh
> >
> >
> > is this method appropriate?
> >
> >
> >
> >
> >   
> >>> What is the two "--" on the line mean? are they significant?
> >>>   
> >>>       
> >> The -- indicates that this matches only files.
> >>
> >> -d directories
> >> -s sock_file
> >> -l link file
> >> -c char_file
> >> ...
> >>
> >> Second character matches the first character of the ls -l line
> >>
> >> ls -l /dev/ttyS0
> >> crw-rw---- 1 root uucp 4, 64 2007-07-11 19:07 /dev/ttyS0
> >>
> >> If you have no option specified it would match any file type.
> >>
> >> /dev/vmnet0  -- gen_context(system_u:object_r:vmware_device_t,s0)
> >> /dev/vmnet1  -- gen_context(system_u:object_r:vmware_device_t,s0)
> >> /dev/vmnet8  -- gen_context(system_u:object_r:vmware_device_t,s0)
> >>
> >>
> >> Would match only "Regular files" with this labels.  So you would be
> >> better off with -c (or -b if they are block devices).
> >>     
> >>> Sorry about the long post, any help or advice? Thanks.
> >>>
> >>> Louis
> >>> Send instant messages to your online friends
> >>> http://uk.messenger.yahoo.com
> >>> -- 
> >>> fedora-selinux-list mailing list
> >>> fedora-selinux-list at redhat.com
> >>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> >>>   
> >>>       
> >> -- 
> >> fedora-selinux-list mailing list
> >> fedora-selinux-list at redhat.com
> >> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> >>
> >>     
> >
> >   
> 
> One approach to this would be to label the /etc/init.d/vmware script 
> vmware_initrc_exec_t and then setup the proper transitions.
> 
> This is something we are considering for RBAC.  For example we want to 
> allow the webadm_t to be able to only restart/execute the httpd
> script.  Currently we have to allow him to execute any initrc script, 
> although we can prevent him from starting other confined domains.
> A cleaner solution might be to label the script differently and setup 
> another domain for the script to transition to.
> 


Send instant messages to your online friends http://uk.messenger.yahoo.com

More information about the fedora-selinux-list mailing list