Re: Containing vmware player 2.0.0 with SELINUX

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Louis Lam wrote:
Hi All,

Still on the topic of transition between a file vmware_exec_t to vmware_t.

Under the vmware.if file, there is a:

domain_entry_file($1_vmware_t, vmware_exec_t)
role $3 types $1_vmware_t

Is this a rule that allows files marked with vmware_exec_t to transit to vmware_t? What does the $1,$2,$3 represent? Pardon my ignorance on this but i see these $1, $2 things appear in a lot of places which confuse me. Can anyone point me to a place to learn more about the substitutions?

This just says that files labeled vmware_exec_t can be used as entrypoints into the $1_vmware_t, where $1 is a user type. "user", "staff", "guest", "xguest". The next line specifies which roles can reach the specified domain. No transition rules have been defined.
For the transition to take place I'd probably need to add something like this:

domain_auto_trans(initrc_t, vmware_exec_t, vmware_t)

Yes this allows it to reach this particular domain. But to reach the user domains defined above.

domain_auto_trans($1_t, vmware_exec_t, $1_vmware_t)
or
domain_auto_trans(user_t, vmware_exec_t, user_vmware_t)
That is following the suggestion below by Daniel to make the /usr/bin/vmplayer script initrc_exec_t.

But not too sure where to place this statement, in vmware.te?

I tried that but get a compilation error

vmware.te:13:ERROR: 'unknown type vmware_t' at token ';'

Yes I was mistaken. That is not the way the policy is written. ( I guess I should read before I speak.) If you want to get vmware to transition from unconfined_t you will have to write the transition rules from uncofined_t to unconfined_vmware_t.
I thought vmware_t has been defined in vmware.if?

Thanks in Advance,
Best Regards,
Louis

----- Original Message ----
From: Daniel J Walsh <dwalsh@xxxxxxxxxx>
To: Louis Lam <lshoujun@xxxxxxxxx>
Cc: Ken YANG <spng.yang@xxxxxxxxx>; fedora-selinux-list@xxxxxxxxxx
Sent: Monday, July 16, 2007 1:24:00 PM
Subject: Re: Containing vmware player 2.0.0 with SELINUX

Louis Lam wrote:
> Hi All,
>
> I managed to get the vmware host services e.g. vmnet-bridge, vmnet-dhcpd etc... to be running in > vmware_host_t domain. I did it by modifying the net-services.sh as described in an earlier post.
>
> Next I tried to get vmplayer (i'm using vmware player 2.0.0 but it is similar for vmware ws 6) to
> run in vmware_t domain. First i tried to chcon /usr/bin/vmplayer to
> system_u:object_r:vmware_exec_t. But it turns out that /usr/bin/vmplayer is a script that would in > turn execute /usr/lib/vmware/bin/vmplayer. I have chcon /usr/lib/vmware/bin/vmplayer to > system_u:object_r:vmware_exec_t but still it runs in unconfined_t when i launched it. I seems like
> the domain transition didn't take place. Please help.
>
> 1. What should be the context for the /usr/bin/vmplayer script? Does it affect the transition of
> the actual executable /usr/lib/vmware/bin/vmplayer?
>
> 2. For those who could get vmware workstation 6 to run how did you get it to run in vmware_t
> domain?
>
> There is currently no transition from unconfined_t to vmware_t. So the
only way to get
the transition to happen is through the initrc script.  You could label
the vmplayer script
initrc_exec_t and the transitions should happen properly.
> THanks,
> Louis
>
> --- Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>
> >> Ken YANG wrote: >> >>> Daniel J Walsh wrote: >>> >>> >>>> Louis Lam wrote: >>>> >>>> >>>>> Hi all,
>>>>>
>>>>> At this point i'm still trying to use SELINUX to "contain" vmware
>>>>> player, making it run in
>>>>> targeted mode.
>>>>>
>>>>> I'm still rather new to this but through the help of Ken, i've been
>>>>> able to manipulate modules and
>>>>> get it to "affect" the vmware player but at this point my vmware
>>>>> player is still "broken".
>>>>> Would anyone be able to share their configurations (.te,.fc,.if) file
>>>>> if you've managed to get it
>>>>> to work with vmware player or vmware-workstation 6 ? CUrrently i'm
>>>>> working with Fedora 7 but
>>>>> intend to port it back to RHEL 5.
>>>>>
>>>>> I've downloaded the latest reference policy from oss and examined the
>>>>> vmware relevant files. From
>>>>> examining the vmware.fc  and
>>>>> "/etc/selinux/targeted/modules/active/file_context", seems like the
>>>>> vmware.fc file could have been written for an older/different version
>>>>> of vmware where the vmnet
>>>>> devices are at /dev/vmnet.* instead of /dev/vmnet* found in vmplayer
>>>>> 2/workstation 6. Which
>>>>> version was it written for?
>>>>>
>>>>> >>>>> >>>>> >>>> There is vmware policy that we are starting to use in Rawhide (fc8) >>>> >>>> >>>>> I went on to modify the vmware.fc file and managed to compile and load
>>>>> the vmware.pp module. But
>>>>> currently this affected the vmware services at startup, e.g.
>>>>> vmnet-dhcpd. For vmware, when
>>>>> something fails to start, it would ask me to rum vmware-config.pl
>>>>> again when i restart it. Doing
>>>>> this would recreate the /dev/vmnet* files over again but it will not
>>>>> have the right context,
>>>>> defaulting to "device_t" instead of "vmware_device_t" that i have
>>>>> modified. The line in my
>>>>> vmware.fc looks like this:
>>>>>
>>>>> /dev/vmnet0  -- gen_context(system_u:object_r:vmware_device_t,s0)
>>>>> /dev/vmnet1  -- gen_context(system_u:object_r:vmware_device_t,s0)
>>>>> /dev/vmnet8  -- gen_context(system_u:object_r:vmware_device_t,s0)
>>>>>
>>>>> I was thinking that if the script has created a new /dev/vmnet file it
>>>>> would automatically use the
>>>>> vmware_device_t context but it didn't. Did i miss out anything?
>>>>> >>>>> >>>>> >>>> The problem here is the script is running as initrc_t which has no rules >>>> when creating devices in directories labeled device_t (/dev) So it uses >>>> the default and labels the devices the same as the directory. Usually >>>> when we have this situation, we just run restorecon /dev/XYZ after the
>>>> creation,
>>>> for example
>>>>
>>>> mknod /dev/XYZ
>>>> chmod 666 /dev/XYZ
>>>> restorecon /dev/XYZ
>>>> >>>> >>> as tom said, it seemed that it's "$vmdb_answer_LIBDIR"/net-services.sh
>>> who create such devices:
>>>
>>> http://marc.info/?l=fedora-selinux-list&m=118407622004161&w=2 <http://marc.info/?l=fedora-selinux-list&m=118407622004161&w=2>
>>>
>>>
>>> i notice "/dev" is tmpfs:
>>>
>>> -(:14:45:$)-> cat /proc/mounts
>>> rootfs / rootfs rw 0 0
>>> /dev/root / ext3 rw,data=ordered 0 0
>>> /dev /dev tmpfs rw 0 0
>>> ......
>>>
>>> i want to add rules in policy:
>>>
>>> type_transition "vmware type" tmpfs_t : chr_file vmware_device_t;
>>>
>>> additionally i don't know what type of the net-services.sh, now it is:
>>>
>>> ... root root user_u:object_r:lib_t   /usr/lib/vmware/net-services.sh
>>>
>>>
>>> is this method appropriate?
>>>
>>>
>>>
>>>
>>> >>> >>>>> What is the two "--" on the line mean? are they significant? >>>>> >>>>> >>>>> >>>> The -- indicates that this matches only files.
>>>>
>>>> -d directories
>>>> -s sock_file
>>>> -l link file
>>>> -c char_file
>>>> ...
>>>>
>>>> Second character matches the first character of the ls -l line
>>>>
>>>> ls -l /dev/ttyS0
>>>> crw-rw---- 1 root uucp 4, 64 2007-07-11 19:07 /dev/ttyS0
>>>>
>>>> If you have no option specified it would match any file type.
>>>>
>>>> /dev/vmnet0  -- gen_context(system_u:object_r:vmware_device_t,s0)
>>>> /dev/vmnet1  -- gen_context(system_u:object_r:vmware_device_t,s0)
>>>> /dev/vmnet8  -- gen_context(system_u:object_r:vmware_device_t,s0)
>>>>
>>>>
>>>> Would match only "Regular files" with this labels.  So you would be
>>>> better off with -c (or -b if they are block devices).
>>>> >>>> >>>>> Sorry about the long post, any help or advice? Thanks.
>>>>>
>>>>> Louis
>>>>> Send instant messages to your online friends
>>>>> http://uk.messenger.yahoo.com
>>>>> --
>>>>> fedora-selinux-list mailing list
>>>>> fedora-selinux-list@xxxxxxxxxx
>>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>>> >>>>> >>>>> >>>> --
>>>> fedora-selinux-list mailing list
>>>> fedora-selinux-list@xxxxxxxxxx
>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>>
>>>> >>>> >>> >>> >> One approach to this would be to label the /etc/init.d/vmware script
>> vmware_initrc_exec_t and then setup the proper transitions.
>>
>> This is something we are considering for RBAC.  For example we want to
>> allow the webadm_t to be able to only restart/execute the httpd
>> script.  Currently we have to allow him to execute any initrc script,
>> although we can prevent him from starting other confined domains.
>> A cleaner solution might be to label the script differently and setup
>> another domain for the script to transition to.
>>
>> >
>
> Send instant messages to your online friends http://uk.messenger.yahoo.com >


Send instant messages to your online friends http://uk.messenger.yahoo.com

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux