Containing vmware player 2.0.0 with SELINUX

Daniel J Walsh dwalsh at redhat.com
Wed Jul 25 19:12:56 UTC 2007 

Louis Lam wrote:
> Hi All,
>
> Still on the topic of transition between a file vmware_exec_t to vmware_t.
>
> Under the vmware.if file, there is a:
>
> domain_entry_file($1_vmware_t, vmware_exec_t)
> role $3 types $1_vmware_t
>
> Is this a rule that allows files marked with vmware_exec_t to transit 
> to vmware_t? What does the $1,$2,$3 represent? Pardon my ignorance on 
> this but i see these $1, $2 things appear in a lot of places which 
> confuse me. Can anyone point me to a place to learn more about the 
> substitutions?
>
This just says that files labeled vmware_exec_t can be used as 
entrypoints into the $1_vmware_t, where $1 is a user type.  "user", 
"staff", "guest", "xguest".  The next line specifies which roles can 
reach the specified domain.  No transition rules have been defined.
> For the transition to take place I'd probably need to add something 
> like this:
>
> domain_auto_trans(initrc_t, vmware_exec_t, vmware_t)
>
Yes this allows it to reach this particular domain.   But to reach the 
user domains defined above.

domain_auto_trans($1_t, vmware_exec_t, $1_vmware_t)
or
domain_auto_trans(user_t, vmware_exec_t, user_vmware_t)
> That is  following the suggestion below by Daniel to make the 
> /usr/bin/vmplayer script initrc_exec_t.
>
> But not too sure where to place this statement, in vmware.te?
>
> I tried that but get a compilation error
>
> vmware.te:13:ERROR: 'unknown type vmware_t' at token ';'
>
Yes I was mistaken.  That is not the way the policy is written.  ( I 
guess I should read before I speak.)
If you want to get vmware to transition from unconfined_t  you will have 
to write the transition rules from uncofined_t to unconfined_vmware_t.
> I thought vmware_t has been defined in vmware.if?
>
> Thanks in Advance,
> Best Regards,
> Louis
>
> ----- Original Message ----
> From: Daniel J Walsh <dwalsh at redhat.com>
> To: Louis Lam <lshoujun at yahoo.com>
> Cc: Ken YANG <spng.yang at gmail.com>; fedora-selinux-list at redhat.com
> Sent: Monday, July 16, 2007 1:24:00 PM
> Subject: Re: Containing vmware player 2.0.0 with SELINUX
>
> Louis Lam wrote:
> > Hi All,
> >
> > I managed to get the vmware host services e.g. vmnet-bridge, 
> vmnet-dhcpd etc... to be running in
> > vmware_host_t domain. I did it by modifying the net-services.sh as 
> described in an earlier post.
> >
> > Next I tried to get vmplayer (i'm using vmware player 2.0.0 but it 
> is similar for vmware ws 6) to
> > run in vmware_t domain. First i tried to chcon /usr/bin/vmplayer to
> > system_u:object_r:vmware_exec_t. But it turns out that 
> /usr/bin/vmplayer is a script that would in
> > turn execute /usr/lib/vmware/bin/vmplayer. I have chcon 
> /usr/lib/vmware/bin/vmplayer to
> > system_u:object_r:vmware_exec_t but still it runs in unconfined_t 
> when i launched it. I seems like
> > the domain transition didn't take place. Please help.
> >
> > 1. What should be the context for the /usr/bin/vmplayer script? Does 
> it affect the transition of
> > the actual executable /usr/lib/vmware/bin/vmplayer?
> >
> > 2. For those who could get vmware workstation 6 to run how did you 
> get it to run in vmware_t
> > domain?
> >
> >  
> There is currently no transition from unconfined_t to vmware_t.   So the
> only way to get
> the transition to happen is through the initrc script.  You could label
> the vmplayer script
> initrc_exec_t and the transitions should happen properly.
> > THanks,
> > Louis
> >
> > --- Daniel J Walsh <dwalsh at redhat.com> wrote:
> >
> >  
> >> Ken YANG wrote:
> >>    
> >>> Daniel J Walsh wrote:
> >>>  
> >>>      
> >>>> Louis Lam wrote:
> >>>>    
> >>>>        
> >>>>> Hi all,
> >>>>>
> >>>>> At this point i'm still trying to use SELINUX to "contain" vmware
> >>>>> player, making it run in
> >>>>> targeted mode.
> >>>>>
> >>>>> I'm still rather new to this but through the help of Ken, i've been
> >>>>> able to manipulate modules and
> >>>>> get it to "affect" the vmware player but at this point my vmware
> >>>>> player is still "broken".
> >>>>> Would anyone be able to share their configurations (.te,.fc,.if) 
> file
> >>>>> if you've managed to get it
> >>>>> to work with vmware player or vmware-workstation 6 ? CUrrently i'm
> >>>>> working with Fedora 7 but
> >>>>> intend to port it back to RHEL 5.
> >>>>>
> >>>>> I've downloaded the latest reference policy from oss and 
> examined the
> >>>>> vmware relevant files. From
> >>>>> examining the vmware.fc  and
> >>>>> "/etc/selinux/targeted/modules/active/file_context", seems like the
> >>>>> vmware.fc file could have been written for an older/different 
> version
> >>>>> of vmware where the vmnet
> >>>>> devices are at /dev/vmnet.* instead of /dev/vmnet* found in vmplayer
> >>>>> 2/workstation 6. Which
> >>>>> version was it written for?
> >>>>>
> >>>>>  
> >>>>>      
> >>>>>          
> >>>> There is vmware policy that we are starting to use in Rawhide (fc8)
> >>>>    
> >>>>        
> >>>>> I went on to modify the vmware.fc file and managed to compile 
> and load
> >>>>> the vmware.pp module. But
> >>>>> currently this affected the vmware services at startup, e.g.
> >>>>> vmnet-dhcpd. For vmware, when
> >>>>> something fails to start, it would ask me to rum vmware-config.pl
> >>>>> again when i restart it. Doing
> >>>>> this would recreate the /dev/vmnet* files over again but it will not
> >>>>> have the right context,
> >>>>> defaulting to "device_t" instead of "vmware_device_t" that i have
> >>>>> modified. The line in my
> >>>>> vmware.fc looks like this:
> >>>>>
> >>>>> /dev/vmnet0  -- gen_context(system_u:object_r:vmware_device_t,s0)
> >>>>> /dev/vmnet1  -- gen_context(system_u:object_r:vmware_device_t,s0)
> >>>>> /dev/vmnet8  -- gen_context(system_u:object_r:vmware_device_t,s0)
> >>>>>
> >>>>> I was thinking that if the script has created a new /dev/vmnet 
> file it
> >>>>> would automatically use the
> >>>>> vmware_device_t context but it didn't. Did i miss out anything?
> >>>>>  
> >>>>>      
> >>>>>          
> >>>> The problem here is the script is running as initrc_t which has 
> no rules
> >>>> when creating devices in directories labeled device_t (/dev)  So 
> it uses
> >>>> the default and labels the devices the same as the 
> directory.  Usually
> >>>> when we have this situation, we just run restorecon /dev/XYZ 
> after the
> >>>> creation,
> >>>> for example
> >>>>
> >>>> mknod /dev/XYZ
> >>>> chmod 666 /dev/XYZ
> >>>> restorecon /dev/XYZ
> >>>>    
> >>>>        
> >>> as tom said, it seemed that it's "$vmdb_answer_LIBDIR"/net-services.sh
> >>> who create such devices:
> >>>
> >>> http://marc.info/?l=fedora-selinux-list&m=118407622004161&w=2 
> <http://marc.info/?l=fedora-selinux-list&m=118407622004161&w=2>
> >>>
> >>>
> >>> i notice "/dev" is tmpfs:
> >>>
> >>> -(:14:45:$)-> cat /proc/mounts
> >>> rootfs / rootfs rw 0 0
> >>> /dev/root / ext3 rw,data=ordered 0 0
> >>> /dev /dev tmpfs rw 0 0
> >>> ......
> >>>
> >>> i want to add rules in policy:
> >>>
> >>> type_transition "vmware type" tmpfs_t : chr_file vmware_device_t;
> >>>
> >>> additionally i don't know what type of the net-services.sh, now it is:
> >>>
> >>> ... root root user_u:object_r:lib_t   /usr/lib/vmware/net-services.sh
> >>>
> >>>
> >>> is this method appropriate?
> >>>
> >>>
> >>>
> >>>
> >>>  
> >>>      
> >>>>> What is the two "--" on the line mean? are they significant?
> >>>>>  
> >>>>>      
> >>>>>          
> >>>> The -- indicates that this matches only files.
> >>>>
> >>>> -d directories
> >>>> -s sock_file
> >>>> -l link file
> >>>> -c char_file
> >>>> ...
> >>>>
> >>>> Second character matches the first character of the ls -l line
> >>>>
> >>>> ls -l /dev/ttyS0
> >>>> crw-rw---- 1 root uucp 4, 64 2007-07-11 19:07 /dev/ttyS0
> >>>>
> >>>> If you have no option specified it would match any file type.
> >>>>
> >>>> /dev/vmnet0  -- gen_context(system_u:object_r:vmware_device_t,s0)
> >>>> /dev/vmnet1  -- gen_context(system_u:object_r:vmware_device_t,s0)
> >>>> /dev/vmnet8  -- gen_context(system_u:object_r:vmware_device_t,s0)
> >>>>
> >>>>
> >>>> Would match only "Regular files" with this labels.  So you would be
> >>>> better off with -c (or -b if they are block devices).
> >>>>    
> >>>>        
> >>>>> Sorry about the long post, any help or advice? Thanks.
> >>>>>
> >>>>> Louis
> >>>>> Send instant messages to your online friends
> >>>>> http://uk.messenger.yahoo.com
> >>>>> --
> >>>>> fedora-selinux-list mailing list
> >>>>> fedora-selinux-list at redhat.com
> >>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> >>>>>  
> >>>>>      
> >>>>>          
> >>>> --
> >>>> fedora-selinux-list mailing list
> >>>> fedora-selinux-list at redhat.com
> >>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> >>>>
> >>>>    
> >>>>        
> >>>  
> >>>      
> >> One approach to this would be to label the /etc/init.d/vmware script
> >> vmware_initrc_exec_t and then setup the proper transitions.
> >>
> >> This is something we are considering for RBAC.  For example we want to
> >> allow the webadm_t to be able to only restart/execute the httpd
> >> script.  Currently we have to allow him to execute any initrc script,
> >> although we can prevent him from starting other confined domains.
> >> A cleaner solution might be to label the script differently and setup
> >> another domain for the script to transition to.
> >>
> >>    
> >
> >
> > Send instant messages to your online friends 
> http://uk.messenger.yahoo.com
> >  
>
>
>
> Send instant messages to your online friends 
> http://uk.messenger.yahoo.com

More information about the fedora-selinux-list mailing list