Re: Containing vmware player 2.0.0 with SELINUX

Louis Lam wrote:
Hi all,

At this point I'm still trying to use SELinux to "contain" vmware player, making it run in
targeted mode.

I'm still rather new to this, but through the help of Ken I've been able to manipulate modules and
get them to "affect" the vmware player; at this point, though, my vmware player is still "broken".
Would anyone be able to share their configuration files (.te, .fc, .if) if you've managed to get it
to work with vmware player or vmware-workstation 6? Currently I'm working with Fedora 7 but
intend to port it back to RHEL 5.

I've downloaded the latest reference policy from oss and examined the vmware-relevant files. From
examining vmware.fc and "/etc/selinux/targeted/modules/active/file_context", it seems the
vmware.fc file could have been written for an older/different version of vmware where the vmnet
devices are at /dev/vmnet.* instead of the /dev/vmnet* found in vmplayer 2/workstation 6. Which
version was it written for?

There is a vmware policy that we are starting to use in Rawhide (fc8).

I went on to modify the vmware.fc file and managed to compile and load the vmware.pp module. But
currently this affected the vmware services at startup, e.g. vmnet-dhcpd. For vmware, when
something fails to start, it asks me to run vmware-config.pl again when I restart it. Doing
this recreates the /dev/vmnet* files, but they do not get the right context,
defaulting to "device_t" instead of the "vmware_device_t" that I have modified. The lines in my
vmware.fc look like this:

/dev/vmnet0  -- gen_context(system_u:object_r:vmware_device_t,s0)
/dev/vmnet1  -- gen_context(system_u:object_r:vmware_device_t,s0)
/dev/vmnet8  -- gen_context(system_u:object_r:vmware_device_t,s0)

I was thinking that if the script created a new /dev/vmnet file it would automatically get the
vmware_device_t context, but it didn't. Did I miss anything?
The problem here is that the script is running as initrc_t, which has no rules for creating devices in directories labeled device_t (/dev), so it uses the default and labels the devices the same as the directory. Usually when we have this situation we just run restorecon /dev/XYZ after the creation,
for example:

mknod /dev/XYZ c MAJOR MINOR   # MAJOR/MINOR are placeholders for the real device numbers
chmod 666 /dev/XYZ
restorecon /dev/XYZ
What do the two "--" on the line mean? Are they significant?

The -- indicates that this matches only files.

-d directories
-s sock_file
-l link file
-c char_file
...

The second character matches the first character of the ls -l line:

ls -l /dev/ttyS0
crw-rw---- 1 root uucp 4, 64 2007-07-11 19:07 /dev/ttyS0

If you have no option specified it will match any file type.

/dev/vmnet0  -- gen_context(system_u:object_r:vmware_device_t,s0)
/dev/vmnet1  -- gen_context(system_u:object_r:vmware_device_t,s0)
/dev/vmnet8  -- gen_context(system_u:object_r:vmware_device_t,s0)

would match only "regular files" with these labels. So you would be better off with -c (or -b if they are block devices).
Sorry about the long post; any help or advice? Thanks.

Louis
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
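The two points made in the thread (a "--" file_contexts entry only matches regular files, so a character device in /dev never gets relabeled by it, and a node created by a script running as initrc_t inherits device_t until restorecon is run) as an added shell example. This is not code from the thread, the reference policy or VMware: the /dev/vmnet[0-9]+ regex, the scratch paths, the function names and the MAJOR/MINOR placeholders are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the reference policy).
# Derives the correct file_contexts type flag from a live object, emits a
# vmnet .fc line with it, and shows the mknod-then-restorecon sequence.

# Map a path's actual object class to the file_contexts flag that selects it.
# The flag letter mirrors the first character of `ls -l`: c, b, d, l, p, s,
# and "-" for a regular file (written as "--" in an .fc file).
# Symlinks are tested first because -c/-b/-f follow the link target.
fc_flag_for() {
    p=$1
    if   [ -L "$p" ]; then echo "-l"
    elif [ -c "$p" ]; then echo "-c"
    elif [ -b "$p" ]; then echo "-b"
    elif [ -d "$p" ]; then echo "-d"
    elif [ -p "$p" ]; then echo "-p"
    elif [ -S "$p" ]; then echo "-s"
    elif [ -f "$p" ]; then echo "--"
    else return 1
    fi
}

# Emit one file_contexts line for REGEX, taking the type flag from the live
# object at SAMPLE so a char device can never end up with "--".
# The regex and context are assumptions for the example.
fc_line() {
    regex=$1 sample=$2 ctx=$3
    flag=$(fc_flag_for "$sample") || return 1
    printf '%s\t%s\tgen_context(%s,s0)\n' "$regex" "$flag" "$ctx"
}

# Recreate a device node the way a config script would, then fix its label.
# A script running as initrc_t has no type_transition rule for /dev, so the
# new node carries device_t until restorecon applies the .fc entry.
# MAJOR/MINOR are placeholders: read them from the existing node with `ls -l`.
make_labeled_node() {
    node=$1 major=$2 minor=$3
    mknod "$node" c "$major" "$minor"
    chmod 666 "$node"
    restorecon -v "$node"
}

# Print the SELinux context currently on each vmnet node, to confirm the
# relabel took effect (stat prints "?" where SELinux is unsupported).
show_vmnet_contexts() {
    for n in /dev/vmnet*; do
        [ -e "$n" ] || continue
        printf '%s %s\n' "$n" "$(stat -c %C "$n")"
    done
}

# Demo: run with --demo to print the corrected vmnet .fc line.
if [ "${1:-}" = "--demo" ]; then
    fc_line '/dev/vmnet[0-9]+' /dev/null system_u:object_r:vmware_device_t
fi
```

After adding the `-c` line to vmware.fc and reloading the module, `restorecon -v /dev/vmnet*` should report each node changing from device_t to vmware_device_t; `show_vmnet_contexts` then confirms the result.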