Daniel J Walsh wrote:
> Louis Lam wrote:
>> Hi all,
>>
>> At this point I'm still trying to use SELinux to "contain" VMware
>> Player, making it run in targeted mode.
>>
>> I'm still rather new to this but through the help of Ken, I've been
>> able to manipulate modules and get it to "affect" the VMware Player,
>> but at this point my VMware Player is still "broken". Would anyone be
>> able to share their configuration files (.te, .fc, .if) if you've
>> managed to get it to work with VMware Player or VMware Workstation 6?
>> Currently I'm working with Fedora 7 but intend to port it back to
>> RHEL 5.
>>
>> I've downloaded the latest reference policy from oss and examined the
>> vmware-relevant files. From examining vmware.fc and
>> "/etc/selinux/targeted/modules/active/file_context", it seems like the
>> vmware.fc file could have been written for an older/different version
>> of VMware where the vmnet devices are at /dev/vmnet.* instead of the
>> /dev/vmnet* found in VMware Player 2/Workstation 6. Which version was
>> it written for?
>>
> There is vmware policy that we are starting to use in Rawhide (fc8).
>
>> I went on to modify the vmware.fc file and managed to compile and load
>> the vmware.pp module. But currently this affected the VMware services
>> at startup, e.g. vmnet-dhcpd. For VMware, when something fails to
>> start, it would ask me to run vmware-config.pl again when I restart
>> it. Doing this would recreate the /dev/vmnet* files over again, but
>> they will not have the right context, defaulting to "device_t" instead
>> of the "vmware_device_t" that I have modified. The lines in my
>> vmware.fc look like this:
>>
>> /dev/vmnet0 -- gen_context(system_u:object_r:vmware_device_t,s0)
>> /dev/vmnet1 -- gen_context(system_u:object_r:vmware_device_t,s0)
>> /dev/vmnet8 -- gen_context(system_u:object_r:vmware_device_t,s0)
>>
>> I was thinking that if the script has created a new /dev/vmnet file it
>> would automatically use the vmware_device_t context, but it didn't.
>> Did I miss anything?
>>
> The problem here is the script is running as initrc_t, which has no
> rules when creating devices in directories labeled device_t (/dev), so
> it uses the default and labels the devices the same as the directory.
> Usually when we have this situation, we just run restorecon /dev/XYZ
> after the creation, for example
>
> mknod /dev/XYZ
> chmod 666 /dev/XYZ
> restorecon /dev/XYZ

As Tom said, it seems that it's "$vmdb_answer_LIBDIR"/net-services.sh
that creates such devices:
http://marc.info/?l=fedora-selinux-list&m=118407622004161&w=2

I notice "/dev" is tmpfs:

-(:14:45:$)-> cat /proc/mounts
rootfs / rootfs rw 0 0
/dev/root / ext3 rw,data=ordered 0 0
/dev /dev tmpfs rw 0 0
......

I want to add a rule to the policy:

type_transition "vmware type" tmpfs_t : chr_file vmware_device_t;

Additionally, I don't know what type net-services.sh should be; now it is:

... root root user_u:object_r:lib_t /usr/lib/vmware/net-services.sh

Is this method appropriate?

>> What do the two "--" on the line mean? Are they significant?
>>
> The -- indicates that this matches only files.
>
> -d directories
> -s sock_file
> -l link file
> -c char_file
> ...
>
> The second character matches the first character of the ls -l line:
>
> ls -l /dev/ttyS0
> crw-rw---- 1 root uucp 4, 64 2007-07-11 19:07 /dev/ttyS0
>
> If you have no option specified it would match any file type.
>
> /dev/vmnet0 -- gen_context(system_u:object_r:vmware_device_t,s0)
> /dev/vmnet1 -- gen_context(system_u:object_r:vmware_device_t,s0)
> /dev/vmnet8 -- gen_context(system_u:object_r:vmware_device_t,s0)
>
> would match only "regular files" with these labels. So you would be
> better off with -c (or -b if they are block devices).
>
>> Sorry about the long post, any help or advice? Thanks.
>>
>> Louis
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list@xxxxxxxxxx
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
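As an added illustration of the file-type field Dan describes above (not code from the thread, the reference policy or libselinux): a small Python model of how a file_contexts entry's `--`/`-c` field is checked against the first character of an `ls -l` line. The sample entries and the `ls -l` output are constructed to mirror the vmware.fc lines in the thread; the matcher is simplified (whole-path regex match, last matching entry wins) and is not libselinux's real precedence logic.

```python
from __future__ import annotations

import re
import stat
from dataclasses import dataclass
from typing import Optional

# Type field of a file_contexts entry -> first character of an `ls -l` line
# ('-' regular file, 'd' directory, 'c' char device, 'b' block device,
#  's' socket, 'l' symlink, 'p' named pipe).
FC_TYPE_CHARS = {"-", "d", "c", "b", "s", "l", "p"}


@dataclass
class FcEntry:
    pattern: re.Pattern
    ftype: Optional[str]  # None: no type field given, matches any file type
    context: str


def expand_gen_context(field: str) -> str:
    """Turn refpolicy's gen_context(USER:ROLE:TYPE,MLS) into the flat
    USER:ROLE:TYPE:MLS form seen in a compiled file_contexts file.
    Simplification: the real m4 macro also accepts an optional MCS field."""
    m = re.fullmatch(r"gen_context\(([^,()]+),([^()]+)\)", field)
    if m:
        return f"{m.group(1)}:{m.group(2).strip()}"
    return field


def parse_file_contexts(text: str) -> list[FcEntry]:
    """Parse lines of the form: PATH_REGEX [-T] CONTEXT (comments with '#')."""
    entries: list[FcEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) == 3:
            path_re, type_field, ctx = parts
            if (len(type_field) != 2 or type_field[0] != "-"
                    or type_field[1] not in FC_TYPE_CHARS):
                raise ValueError(f"bad type field {type_field!r} in {raw!r}")
            ftype: Optional[str] = type_field[1]
        elif len(parts) == 2:
            path_re, ctx = parts
            ftype = None
        else:
            raise ValueError(f"unparseable line {raw!r}")
        entries.append(FcEntry(re.compile(path_re), ftype, expand_gen_context(ctx)))
    return entries


def ls_type_char(ls_line: str) -> str:
    """The file-type character is the first character of an `ls -l` line."""
    return ls_line[0]


def mode_type_char(st_mode: int) -> str:
    """The same character derived from a stat() mode, for use without ls."""
    for test, ch in ((stat.S_ISREG, "-"), (stat.S_ISDIR, "d"), (stat.S_ISCHR, "c"),
                     (stat.S_ISBLK, "b"), (stat.S_ISSOCK, "s"), (stat.S_ISLNK, "l"),
                     (stat.S_ISFIFO, "p")):
        if test(st_mode):
            return ch
    raise ValueError("unknown file type in mode %o" % st_mode)


def lookup(entries: list[FcEntry], path: str, type_char: str) -> Optional[str]:
    """Context for PATH of file type TYPE_CHAR, or None when no entry matches.
    Simplification: the regex must match the whole path and the last
    matching entry wins."""
    best = None
    for e in entries:
        if e.ftype is not None and e.ftype != type_char:
            continue  # type field present and it is not this kind of file
        if e.pattern.fullmatch(path):
            best = e.context
    return best


# Constructed sample entries modelled on the vmware.fc lines in the thread:
# once with the "--" field (regular files only), once with "-c" (char devices).
FC_REGULAR_ONLY = """
/dev                 -d  gen_context(system_u:object_r:device_t,s0)
/dev/vmnet[0-9]+     --  gen_context(system_u:object_r:vmware_device_t,s0)
"""
FC_CHAR_DEVICE = """
/dev                 -d  gen_context(system_u:object_r:device_t,s0)
/dev/vmnet[0-9]+     -c  gen_context(system_u:object_r:vmware_device_t,s0)
"""

# Constructed `ls -l` line for a freshly created vmnet character device.
LS_VMNET0 = "crw------- 1 root root 119, 0 2007-07-11 19:07 /dev/vmnet0"


def vmnet0_context(fc_text: str) -> Optional[str]:
    """Context that restorecon-style relabelling would pick for /dev/vmnet0."""
    entries = parse_file_contexts(fc_text)
    return lookup(entries, "/dev/vmnet0", ls_type_char(LS_VMNET0))


if __name__ == "__main__":
    print("with '--':", vmnet0_context(FC_REGULAR_ONLY))  # None: no spec applies
    print("with '-c':", vmnet0_context(FC_CHAR_DEVICE))   # vmware_device_t spec
```

With the `--` entries the character device matches nothing, so a relabel has no specification to apply and the device keeps the label it inherited at creation; with `-c` the vmware_device_t entry applies.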