Hi All,
Still on the topic of transition between a file vmware_exec_t to vmware_t.
Under the vmware.if file, there is a:
domain_entry_file($1_vmware_t, vmware_exec_t)
role $3 types $1_vmware_t
Is this a rule that allows files marked with vmware_exec_t to transit to vmware_t? What does the $1,$2,$3 represent? Pardon my ignorance on this but i see these $1, $2 things appear in a lot of places which confuse me. Can anyone point me to a place to learn more about the substitutions?
For the transition to take place I'd probably need to add something like this:
domain_auto_trans(initrc_t, vmware_exec_t, vmware_t)
That is following the suggestion below by Daniel to make the /usr/bin/vmplayer script initrc_exec_t.
But not too sure where to place this statement, in vmware.te?
I tried that but get a compilation error
vmware.te:13:ERROR: 'unknown type vmware_t' at token ';'
I thought vmware_t has been defined in vmware.if?
Thanks in Advance,
Best Regards,
Louis
Still on the topic of transition between a file vmware_exec_t to vmware_t.
Under the vmware.if file, there is a:
domain_entry_file($1_vmware_t, vmware_exec_t)
role $3 types $1_vmware_t
Is this a rule that allows files marked with vmware_exec_t to transit to vmware_t? What does the $1,$2,$3 represent? Pardon my ignorance on this but i see these $1, $2 things appear in a lot of places which confuse me. Can anyone point me to a place to learn more about the substitutions?
For the transition to take place I'd probably need to add something like this:
domain_auto_trans(initrc_t, vmware_exec_t, vmware_t)
That is following the suggestion below by Daniel to make the /usr/bin/vmplayer script initrc_exec_t.
But not too sure where to place this statement, in vmware.te?
I tried that but get a compilation error
vmware.te:13:ERROR: 'unknown type vmware_t' at token ';'
I thought vmware_t has been defined in vmware.if?
Thanks in Advance,
Best Regards,
Louis
----- Original Message ----
From: Daniel J Walsh <dwalsh@xxxxxxxxxx>
To: Louis Lam <lshoujun@xxxxxxxxx>
Cc: Ken YANG <spng.yang@xxxxxxxxx>; fedora-selinux-list@xxxxxxxxxx
Sent: Monday, July 16, 2007 1:24:00 PM
Subject: Re: Containing vmware player 2.0.0 with SELINUX
From: Daniel J Walsh <dwalsh@xxxxxxxxxx>
To: Louis Lam <lshoujun@xxxxxxxxx>
Cc: Ken YANG <spng.yang@xxxxxxxxx>; fedora-selinux-list@xxxxxxxxxx
Sent: Monday, July 16, 2007 1:24:00 PM
Subject: Re: Containing vmware player 2.0.0 with SELINUX
Louis Lam wrote:
> Hi All,
>
> I managed to get the vmware host services e.g. vmnet-bridge, vmnet-dhcpd etc... to be running in
> vmware_host_t domain. I did it by modifying the net-services.sh as described in an earlier post.
>
> Next I tried to get vmplayer (i'm using vmware player 2.0.0 but it is similar for vmware ws 6) to
> run in vmware_t domain. First i tried to chcon /usr/bin/vmplayer to
> system_u:object_r:vmware_exec_t. But it turns out that /usr/bin/vmplayer is a script that would in
> turn execute /usr/lib/vmware/bin/vmplayer. I have chcon /usr/lib/vmware/bin/vmplayer to
> system_u:object_r:vmware_exec_t but still it runs in unconfined_t when i launched it. I seems like
> the domain transition didn't take place. Please help.
>
> 1. What should be the context for the /usr/bin/vmplayer script? Does it affect the transition of
> the actual executable /usr/lib/vmware/bin/vmplayer?
>
> 2. For those who could get vmware workstation 6 to run how did you get it to run in vmware_t
> domain?
>
>
There is currently no transition from unconfined_t to vmware_t. So the
only way to get
the transition to happen is through the initrc script. You could label
the vmplayer script
initrc_exec_t and the transitions should happen properly.
> THanks,
> Louis
>
> --- Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>
>
>> Ken YANG wrote:
>>
>>> Daniel J Walsh wrote:
>>>
>>>
>>>> Louis Lam wrote:
>>>>
>>>>
>>>>> Hi all,
>>>>>
>>>>> At this point i'm still trying to use SELINUX to "contain" vmware
>>>>> player, making it run in
>>>>> targeted mode.
>>>>>
>>>>> I'm still rather new to this but through the help of Ken, i've been
>>>>> able to manipulate modules and
>>>>> get it to "affect" the vmware player but at this point my vmware
>>>>> player is still "broken".
>>>>> Would anyone be able to share their configurations (.te,.fc,.if) file
>>>>> if you've managed to get it
>>>>> to work with vmware player or vmware-workstation 6 ? CUrrently i'm
>>>>> working with Fedora 7 but
>>>>> intend to port it back to RHEL 5.
>>>>>
>>>>> I've downloaded the latest reference policy from oss and examined the
>>>>> vmware relevant files. From
>>>>> examining the vmware.fc and
>>>>> "/etc/selinux/targeted/modules/active/file_context", seems like the
>>>>> vmware.fc file could have been written for an older/different version
>>>>> of vmware where the vmnet
>>>>> devices are at /dev/vmnet.* instead of /dev/vmnet* found in vmplayer
>>>>> 2/workstation 6. Which
>>>>> version was it written for?
>>>>>
>>>>>
>>>>>
>>>>>
>>>> There is vmware policy that we are starting to use in Rawhide (fc8)
>>>>
>>>>
>>>>> I went on to modify the vmware.fc file and managed to compile and load
>>>>> the vmware.pp module. But
>>>>> currently this affected the vmware services at startup, e.g.
>>>>> vmnet-dhcpd. For vmware, when
>>>>> something fails to start, it would ask me to rum vmware-config.pl
>>>>> again when i restart it. Doing
>>>>> this would recreate the /dev/vmnet* files over again but it will not
>>>>> have the right context,
>>>>> defaulting to "device_t" instead of "vmware_device_t" that i have
>>>>> modified. The line in my
>>>>> vmware.fc looks like this:
>>>>>
>>>>> /dev/vmnet0 -- gen_context(system_u:object_r:vmware_device_t,s0)
>>>>> /dev/vmnet1 -- gen_context(system_u:object_r:vmware_device_t,s0)
>>>>> /dev/vmnet8 -- gen_context(system_u:object_r:vmware_device_t,s0)
>>>>>
>>>>> I was thinking that if the script has created a new /dev/vmnet file it
>>>>> would automatically use the
>>>>> vmware_device_t context but it didn't. Did i miss out anything?
>>>>>
>>>>>
>>>>>
>>>> The problem here is the script is running as initrc_t which has no rules
>>>> when creating devices in directories labeled device_t (/dev) So it uses
>>>> the default and labels the devices the same as the directory. Usually
>>>> when we have this situation, we just run restorecon /dev/XYZ after the
>>>> creation,
>>>> for example
>>>>
>>>> mknod /dev/XYZ
>>>> chmod 666 /dev/XYZ
>>>> restorecon /dev/XYZ
>>>>
>>>>
>>> as tom said, it seemed that it's "$vmdb_answer_LIBDIR"/net-services.sh
>>> who create such devices:
>>>
>>> http://marc.info/?l=fedora-selinux-list&m=118407622004161&w=2
>>>
>>>
>>> i notice "/dev" is tmpfs:
>>>
>>> -(:14:45:$)-> cat /proc/mounts
>>> rootfs / rootfs rw 0 0
>>> /dev/root / ext3 rw,data="" 0 0
>>> /dev /dev tmpfs rw 0 0
>>> ......
>>>
>>> i want to add rules in policy:
>>>
>>> type_transition "vmware type" tmpfs_t : chr_file vmware_device_t;
>>>
>>> additionally i don't know what type of the net-services.sh, now it is:
>>>
>>> ... root root user_u:object_r:lib_t /usr/lib/vmware/net-services.sh
>>>
>>>
>>> is this method appropriate?
>>>
>>>
>>>
>>>
>>>
>>>
>>>>> What is the two "--" on the line mean? are they significant?
>>>>>
>>>>>
>>>>>
>>>> The -- indicates that this matches only files.
>>>>
>>>> -d directories
>>>> -s sock_file
>>>> -l link file
>>>> -c char_file
>>>> ...
>>>>
>>>> Second character matches the first character of the ls -l line
>>>>
>>>> ls -l /dev/ttyS0
>>>> crw-rw---- 1 root uucp 4, 64 2007-07-11 19:07 /dev/ttyS0
>>>>
>>>> If you have no option specified it would match any file type.
>>>>
>>>> /dev/vmnet0 -- gen_context(system_u:object_r:vmware_device_t,s0)
>>>> /dev/vmnet1 -- gen_context(system_u:object_r:vmware_device_t,s0)
>>>> /dev/vmnet8 -- gen_context(system_u:object_r:vmware_device_t,s0)
>>>>
>>>>
>>>> Would match only "Regular files" with this labels. So you would be
>>>> better off with -c (or -b if they are block devices).
>>>>
>>>>
>>>>> Sorry about the long post, any help or advice? Thanks.
>>>>>
>>>>> Louis
>>>>> Send instant messages to your online friends
>>>>> http://uk.messenger.yahoo.com
>>>>> --
>>>>> fedora-selinux-list mailing list
>>>>> fedora-selinux-list@xxxxxxxxxx
>>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>>>
>>>>>
>>>>>
>>>> --
>>>> fedora-selinux-list mailing list
>>>> fedora-selinux-list@xxxxxxxxxx
>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>>
>>>>
>>>>
>>>
>>>
>> One approach to this would be to label the /etc/init.d/vmware script
>> vmware_initrc_exec_t and then setup the proper transitions.
>>
>> This is something we are considering for RBAC. For example we want to
>> allow the webadm_t to be able to only restart/execute the httpd
>> script. Currently we have to allow him to execute any initrc script,
>> although we can prevent him from starting other confined domains.
>> A cleaner solution might be to label the script differently and setup
>> another domain for the script to transition to.
>>
>>
>
>
> Send instant messages to your online friends http://uk.messenger.yahoo.com
>
> Hi All,
>
> I managed to get the vmware host services e.g. vmnet-bridge, vmnet-dhcpd etc... to be running in
> vmware_host_t domain. I did it by modifying the net-services.sh as described in an earlier post.
>
> Next I tried to get vmplayer (i'm using vmware player 2.0.0 but it is similar for vmware ws 6) to
> run in vmware_t domain. First i tried to chcon /usr/bin/vmplayer to
> system_u:object_r:vmware_exec_t. But it turns out that /usr/bin/vmplayer is a script that would in
> turn execute /usr/lib/vmware/bin/vmplayer. I have chcon /usr/lib/vmware/bin/vmplayer to
> system_u:object_r:vmware_exec_t but still it runs in unconfined_t when i launched it. I seems like
> the domain transition didn't take place. Please help.
>
> 1. What should be the context for the /usr/bin/vmplayer script? Does it affect the transition of
> the actual executable /usr/lib/vmware/bin/vmplayer?
>
> 2. For those who could get vmware workstation 6 to run how did you get it to run in vmware_t
> domain?
>
>
There is currently no transition from unconfined_t to vmware_t. So the
only way to get
the transition to happen is through the initrc script. You could label
the vmplayer script
initrc_exec_t and the transitions should happen properly.
> THanks,
> Louis
>
> --- Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>
>
>> Ken YANG wrote:
>>
>>> Daniel J Walsh wrote:
>>>
>>>
>>>> Louis Lam wrote:
>>>>
>>>>
>>>>> Hi all,
>>>>>
>>>>> At this point i'm still trying to use SELINUX to "contain" vmware
>>>>> player, making it run in
>>>>> targeted mode.
>>>>>
>>>>> I'm still rather new to this but through the help of Ken, i've been
>>>>> able to manipulate modules and
>>>>> get it to "affect" the vmware player but at this point my vmware
>>>>> player is still "broken".
>>>>> Would anyone be able to share their configurations (.te,.fc,.if) file
>>>>> if you've managed to get it
>>>>> to work with vmware player or vmware-workstation 6 ? CUrrently i'm
>>>>> working with Fedora 7 but
>>>>> intend to port it back to RHEL 5.
>>>>>
>>>>> I've downloaded the latest reference policy from oss and examined the
>>>>> vmware relevant files. From
>>>>> examining the vmware.fc and
>>>>> "/etc/selinux/targeted/modules/active/file_context", seems like the
>>>>> vmware.fc file could have been written for an older/different version
>>>>> of vmware where the vmnet
>>>>> devices are at /dev/vmnet.* instead of /dev/vmnet* found in vmplayer
>>>>> 2/workstation 6. Which
>>>>> version was it written for?
>>>>>
>>>>>
>>>>>
>>>>>
>>>> There is vmware policy that we are starting to use in Rawhide (fc8)
>>>>
>>>>
>>>>> I went on to modify the vmware.fc file and managed to compile and load
>>>>> the vmware.pp module. But
>>>>> currently this affected the vmware services at startup, e.g.
>>>>> vmnet-dhcpd. For vmware, when
>>>>> something fails to start, it would ask me to rum vmware-config.pl
>>>>> again when i restart it. Doing
>>>>> this would recreate the /dev/vmnet* files over again but it will not
>>>>> have the right context,
>>>>> defaulting to "device_t" instead of "vmware_device_t" that i have
>>>>> modified. The line in my
>>>>> vmware.fc looks like this:
>>>>>
>>>>> /dev/vmnet0 -- gen_context(system_u:object_r:vmware_device_t,s0)
>>>>> /dev/vmnet1 -- gen_context(system_u:object_r:vmware_device_t,s0)
>>>>> /dev/vmnet8 -- gen_context(system_u:object_r:vmware_device_t,s0)
>>>>>
>>>>> I was thinking that if the script has created a new /dev/vmnet file it
>>>>> would automatically use the
>>>>> vmware_device_t context but it didn't. Did i miss out anything?
>>>>>
>>>>>
>>>>>
>>>> The problem here is the script is running as initrc_t which has no rules
>>>> when creating devices in directories labeled device_t (/dev) So it uses
>>>> the default and labels the devices the same as the directory. Usually
>>>> when we have this situation, we just run restorecon /dev/XYZ after the
>>>> creation,
>>>> for example
>>>>
>>>> mknod /dev/XYZ
>>>> chmod 666 /dev/XYZ
>>>> restorecon /dev/XYZ
>>>>
>>>>
>>> as tom said, it seemed that it's "$vmdb_answer_LIBDIR"/net-services.sh
>>> who create such devices:
>>>
>>> http://marc.info/?l=fedora-selinux-list&m=118407622004161&w=2
>>>
>>>
>>> i notice "/dev" is tmpfs:
>>>
>>> -(:14:45:$)-> cat /proc/mounts
>>> rootfs / rootfs rw 0 0
>>> /dev/root / ext3 rw,data="" 0 0
>>> /dev /dev tmpfs rw 0 0
>>> ......
>>>
>>> i want to add rules in policy:
>>>
>>> type_transition "vmware type" tmpfs_t : chr_file vmware_device_t;
>>>
>>> additionally i don't know what type of the net-services.sh, now it is:
>>>
>>> ... root root user_u:object_r:lib_t /usr/lib/vmware/net-services.sh
>>>
>>>
>>> is this method appropriate?
>>>
>>>
>>>
>>>
>>>
>>>
>>>>> What is the two "--" on the line mean? are they significant?
>>>>>
>>>>>
>>>>>
>>>> The -- indicates that this matches only files.
>>>>
>>>> -d directories
>>>> -s sock_file
>>>> -l link file
>>>> -c char_file
>>>> ...
>>>>
>>>> Second character matches the first character of the ls -l line
>>>>
>>>> ls -l /dev/ttyS0
>>>> crw-rw---- 1 root uucp 4, 64 2007-07-11 19:07 /dev/ttyS0
>>>>
>>>> If you have no option specified it would match any file type.
>>>>
>>>> /dev/vmnet0 -- gen_context(system_u:object_r:vmware_device_t,s0)
>>>> /dev/vmnet1 -- gen_context(system_u:object_r:vmware_device_t,s0)
>>>> /dev/vmnet8 -- gen_context(system_u:object_r:vmware_device_t,s0)
>>>>
>>>>
>>>> Would match only "Regular files" with this labels. So you would be
>>>> better off with -c (or -b if they are block devices).
>>>>
>>>>
>>>>> Sorry about the long post, any help or advice? Thanks.
>>>>>
>>>>> Louis
>>>>> Send instant messages to your online friends
>>>>> http://uk.messenger.yahoo.com
>>>>> --
>>>>> fedora-selinux-list mailing list
>>>>> fedora-selinux-list@xxxxxxxxxx
>>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>>>
>>>>>
>>>>>
>>>> --
>>>> fedora-selinux-list mailing list
>>>> fedora-selinux-list@xxxxxxxxxx
>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>>
>>>>
>>>>
>>>
>>>
>> One approach to this would be to label the /etc/init.d/vmware script
>> vmware_initrc_exec_t and then setup the proper transitions.
>>
>> This is something we are considering for RBAC. For example we want to
>> allow the webadm_t to be able to only restart/execute the httpd
>> script. Currently we have to allow him to execute any initrc script,
>> although we can prevent him from starting other confined domains.
>> A cleaner solution might be to label the script differently and setup
>> another domain for the script to transition to.
>>
>>
>
>
> Send instant messages to your online friends http://uk.messenger.yahoo.com
>
Send instant messages to your online friends http://uk.messenger.yahoo.com
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list