1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
|
policy_module(vmware, 2.5.0)
########################################
#
# Declarations
#
# VMWare user program
type vmware_t;
type vmware_exec_t;
typealias vmware_t alias { user_vmware_t staff_vmware_t sysadm_vmware_t };
typealias vmware_t alias { auditadm_vmware_t secadm_vmware_t };
userdom_user_application_domain(vmware_t, vmware_exec_t)
type vmware_conf_t;
typealias vmware_conf_t alias { user_vmware_conf_t staff_vmware_conf_t sysadm_vmware_conf_t };
typealias vmware_conf_t alias { auditadm_vmware_conf_t secadm_vmware_conf_t };
userdom_user_home_content(vmware_conf_t)
type vmware_file_t;
typealias vmware_file_t alias { user_vmware_file_t staff_vmware_file_t sysadm_vmware_file_t };
typealias vmware_file_t alias { auditadm_vmware_file_t secadm_vmware_file_t };
userdom_user_home_content(vmware_file_t)
# VMWare host programs
type vmware_host_t;
type vmware_host_exec_t;
init_daemon_domain(vmware_host_t, vmware_host_exec_t)
type vmware_host_pid_t alias vmware_var_run_t;
files_pid_file(vmware_host_pid_t)
type vmware_host_tmp_t;
userdom_user_tmp_file(vmware_host_tmp_t)
type vmware_log_t;
typealias vmware_log_t alias { user_vmware_log_t staff_vmware_log_t sysadm_vmware_log_t };
typealias vmware_log_t alias { auditadm_vmware_log_t secadm_vmware_log_t };
logging_log_file(vmware_log_t)
ubac_constrained(vmware_log_t)
type vmware_pid_t;
typealias vmware_pid_t alias { user_vmware_pid_t staff_vmware_pid_t sysadm_vmware_pid_t };
typealias vmware_pid_t alias { auditadm_vmware_pid_t secadm_vmware_pid_t };
files_pid_file(vmware_pid_t)
ubac_constrained(vmware_pid_t)
# Systemwide configuration files
type vmware_sys_conf_t;
files_type(vmware_sys_conf_t)
type vmware_tmp_t;
typealias vmware_tmp_t alias { user_vmware_tmp_t staff_vmware_tmp_t sysadm_vmware_tmp_t };
typealias vmware_tmp_t alias { auditadm_vmware_tmp_t secadm_vmware_tmp_t };
userdom_user_tmp_file(vmware_tmp_t)
type vmware_tmpfs_t;
typealias vmware_tmpfs_t alias { user_vmware_tmpfs_t staff_vmware_tmpfs_t sysadm_vmware_tmpfs_t };
typealias vmware_tmpfs_t alias { auditadm_vmware_tmpfs_t secadm_vmware_tmpfs_t };
userdom_user_tmpfs_file(vmware_tmpfs_t)
ifdef(`enable_mcs',`
init_ranged_daemon_domain(vmware_host_t, vmware_host_exec_t, s0 - mcs_systemhigh)
')
########################################
#
# VMWare host local policy
#
allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time sys_ptrace kill dac_override };
dontaudit vmware_host_t self:capability sys_tty_config;
allow vmware_host_t self:process { execstack execmem signal_perms };
allow vmware_host_t self:fifo_file rw_fifo_file_perms;
allow vmware_host_t self:unix_stream_socket create_stream_socket_perms;
allow vmware_host_t self:rawip_socket create_socket_perms;
allow vmware_host_t self:tcp_socket create_socket_perms;
can_exec(vmware_host_t, vmware_host_exec_t)
# cjp: the ro and rw files should be split up
manage_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t)
manage_lnk_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t)
manage_dirs_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t)
manage_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t)
manage_sock_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t)
files_tmp_filetrans(vmware_host_t, vmware_host_tmp_t, { file dir })
manage_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t)
manage_sock_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t)
files_pid_filetrans(vmware_host_t, vmware_var_run_t, { file sock_file })
manage_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t)
logging_log_filetrans(vmware_host_t, vmware_log_t, { file dir })
kernel_read_kernel_sysctls(vmware_host_t)
kernel_read_system_state(vmware_host_t)
kernel_read_network_state(vmware_host_t)
corenet_all_recvfrom_unlabeled(vmware_host_t)
corenet_all_recvfrom_netlabel(vmware_host_t)
corenet_tcp_sendrecv_generic_if(vmware_host_t)
corenet_udp_sendrecv_generic_if(vmware_host_t)
corenet_raw_sendrecv_generic_if(vmware_host_t)
corenet_tcp_sendrecv_generic_node(vmware_host_t)
corenet_udp_sendrecv_generic_node(vmware_host_t)
corenet_raw_sendrecv_generic_node(vmware_host_t)
corenet_tcp_sendrecv_all_ports(vmware_host_t)
corenet_udp_sendrecv_all_ports(vmware_host_t)
corenet_raw_bind_generic_node(vmware_host_t)
corenet_tcp_bind_generic_node(vmware_host_t)
corenet_udp_bind_generic_node(vmware_host_t)
corenet_tcp_connect_all_ports(vmware_host_t)
corenet_sendrecv_all_client_packets(vmware_host_t)
corenet_sendrecv_all_server_packets(vmware_host_t)
corecmd_exec_bin(vmware_host_t)
corecmd_exec_shell(vmware_host_t)
dev_getattr_all_blk_files(vmware_host_t)
dev_read_sysfs(vmware_host_t)
dev_read_urand(vmware_host_t)
dev_rw_vmware(vmware_host_t)
domain_use_interactive_fds(vmware_host_t)
domain_dontaudit_read_all_domains_state(vmware_host_t)
files_list_tmp(vmware_host_t)
files_read_etc_files(vmware_host_t)
files_read_etc_runtime_files(vmware_host_t)
files_read_usr_files(vmware_host_t)
fs_getattr_all_fs(vmware_host_t)
fs_search_auto_mountpoints(vmware_host_t)
storage_getattr_fixed_disk_dev(vmware_host_t)
term_dontaudit_use_console(vmware_host_t)
init_use_fds(vmware_host_t)
init_use_script_ptys(vmware_host_t)
libs_exec_ld_so(vmware_host_t)
logging_send_syslog_msg(vmware_host_t)
miscfiles_read_localization(vmware_host_t)
sysnet_dns_name_resolve(vmware_host_t)
sysnet_domtrans_ifconfig(vmware_host_t)
userdom_dontaudit_use_unpriv_user_fds(vmware_host_t)
userdom_dontaudit_search_user_home_dirs(vmware_host_t)
netutils_domtrans_ping(vmware_host_t)
optional_policy(`
hostname_exec(vmware_host_t)
')
optional_policy(`
modutils_domtrans_insmod(vmware_host_t)
')
optional_policy(`
samba_read_config(vmware_host_t)
')
optional_policy(`
seutil_sigchld_newrole(vmware_host_t)
')
optional_policy(`
shutdown_domtrans(vmware_host_t)
')
optional_policy(`
udev_read_db(vmware_host_t)
')
optional_policy(`
xserver_read_tmp_files(vmware_host_t)
xserver_read_xdm_pid(vmware_host_t)
')
##############################
#
# VMWare guest local policy
#
allow vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio chown };
dontaudit vmware_t self:capability sys_tty_config;
allow vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow vmware_t self:process { execmem execstack };
allow vmware_t self:fd use;
allow vmware_t self:fifo_file rw_fifo_file_perms;
allow vmware_t self:unix_dgram_socket { create_socket_perms sendto };
allow vmware_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow vmware_t self:shm create_shm_perms;
allow vmware_t self:sem create_sem_perms;
allow vmware_t self:msgq create_msgq_perms;
allow vmware_t self:msg { send receive };
can_exec(vmware_t, vmware_exec_t)
# User configuration files
allow vmware_t vmware_conf_t:file manage_file_perms;
# VMWare disks
manage_files_pattern(vmware_t, vmware_file_t, vmware_file_t)
manage_lnk_files_pattern(vmware_t, vmware_file_t, vmware_file_t)
allow vmware_t vmware_tmp_t:file execute;
manage_dirs_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t)
manage_files_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t)
manage_sock_files_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t)
files_tmp_filetrans(vmware_t, vmware_tmp_t, { file dir })
manage_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t)
manage_lnk_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t)
manage_fifo_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t)
manage_sock_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t)
fs_tmpfs_filetrans(vmware_t, vmware_tmpfs_t, { dir file lnk_file sock_file fifo_file })
# Read clobal configuration files
allow vmware_t vmware_sys_conf_t:dir list_dir_perms;
read_files_pattern(vmware_t, vmware_sys_conf_t, vmware_sys_conf_t)
read_lnk_files_pattern(vmware_t, vmware_sys_conf_t, vmware_sys_conf_t)
manage_dirs_pattern(vmware_t, vmware_pid_t, vmware_pid_t)
manage_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t)
manage_lnk_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t)
manage_sock_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t)
files_pid_filetrans(vmware_t, vmware_pid_t, { dir file lnk_file })
kernel_read_system_state(vmware_t)
kernel_read_network_state(vmware_t)
kernel_read_kernel_sysctls(vmware_t)
# startup scripts
corecmd_exec_bin(vmware_t)
corecmd_exec_shell(vmware_t)
dev_read_raw_memory(vmware_t)
dev_write_raw_memory(vmware_t)
dev_read_mouse(vmware_t)
dev_write_sound(vmware_t)
dev_read_realtime_clock(vmware_t)
dev_rwx_vmware(vmware_t)
dev_rw_usbfs(vmware_t)
dev_search_sysfs(vmware_t)
domain_use_interactive_fds(vmware_t)
files_read_etc_files(vmware_t)
files_read_etc_runtime_files(vmware_t)
files_read_usr_files(vmware_t)
files_list_home(vmware_t)
fs_getattr_all_fs(vmware_t)
fs_search_auto_mountpoints(vmware_t)
storage_raw_read_removable_device(vmware_t)
storage_raw_write_removable_device(vmware_t)
# startup scripts run ldd
libs_exec_ld_so(vmware_t)
# Access X11 config files
libs_read_lib_files(vmware_t)
miscfiles_read_localization(vmware_t)
userdom_use_user_terminals(vmware_t)
userdom_list_user_home_dirs(vmware_t)
# cjp: why?
userdom_read_user_home_content_files(vmware_t)
sysnet_dns_name_resolve(vmware_t)
sysnet_read_config(vmware_t)
xserver_user_x_domain_template(vmware, vmware_t, vmware_tmpfs_t)
|
GitWeb