Thanks Daniel for the information, hi everyone
I've tried to make the following changes:
1. Defined the vmware_t type in vmware.te:
type vmware_t;
I need to do this since I'm trying to let the vmware user program run under the vmware_t domain, but this is not defined. In terms of overall code compliance, is it correct to define it here, or should it be in vmware.if?
2. Created a domain transition so that the vmware user programs, e.g. the /usr/lib/vmplayer script and /usr/lib/vmware/bin/vmplayer, that are labelled system_u:object_r:vmware_exec_t will transition to system_u:object_r:vmware_t when executed. I put it also in vmware.te:
domain_entry_file($1_t, vmware_exec_t, $1_vmware_t)
but on making the vmware.pp module I get this warning and error:
'syntax error' at token '1' on line 81143:
#line 13
allow $1_t vmware_exec_t: file entrypoint;
I'm not very sure what this means and how it should be corrected.
Thanks in advance,
Louis
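For the record, the $n tokens in a refpolicy .if file are m4 template arguments: they exist only inside a template(...) body, and a .te file is not a template, so a literal $1_t in vmware.te is passed through m4 unchanged and reaches the policy compiler as the text "$1_t", which is the 'syntax error at token 1' quoted above. domain_entry_file takes two arguments (domain, entry type); the three-argument macro that creates a transition is domain_auto_trans. The following is an added example of how the two files fit together, not the refpolicy vmware module and not code from anyone in this thread. The template name vmware_per_role_template, the parameter order (prefix, user domain, user role), the policy version and the doc strings are assumptions; compare against the vmware.if actually installed under /usr/share/selinux/devel/include/apps before relying on them.

```m4
## vmware.if: a per-role template (template name and doc strings assumed;
## compare against the vmware.if shipped in /usr/share/selinux/devel/include/apps)
## <summary>Run vmware in a domain derived from a user domain.</summary>
## <param name="userdomain_prefix"><summary>Prefix of the user domain, e.g. user for user_t</summary></param>
## <param name="user_domain"><summary>The user domain type, e.g. user_t</summary></param>
## <param name="user_role"><summary>The user role, e.g. user_r</summary></param>
template(`vmware_per_role_template',`
	gen_require(`
		type vmware_exec_t;
		type $2;
		role $3;
	')

	# $1, $2 and $3 are m4 arguments and only exist inside this template body.
	# With vmware_per_role_template(user, user_t, user_r) the next line expands
	# to "type user_vmware_t;", which is the only place that type is declared.
	type $1_vmware_t;
	domain_type($1_vmware_t)

	# Files labelled vmware_exec_t may serve as entry points into $1_vmware_t
	# (two arguments: the domain and the entry type).
	domain_entry_file($1_vmware_t, vmware_exec_t)

	# Let the caller's role reach the new domain.
	role $3 types $1_vmware_t;

	# The actual transition: when $2 (e.g. user_t) executes a vmware_exec_t
	# file, the new process runs as $1_vmware_t. domain_auto_trans expands to
	# the execute/transition/entrypoint allow rules plus
	#   type_transition $2 vmware_exec_t:process $1_vmware_t;
	domain_auto_trans($2, vmware_exec_t, $1_vmware_t)
')

# vmware.te: the module that owns the executable type. No $n tokens here;
# a .te file is not a template, so a $1 would survive m4 and reach the
# compiler as the literal text "$1_t".
policy_module(vmware, 1.0.0)   # version string assumed

type vmware_exec_t;
corecmd_executable_file(vmware_exec_t)

# Instantiation. refpolicy does this from the module that defines the user
# domain (userdomain.te / unconfined.te), where the domain and role are
# already known, wrapped so that a missing vmware module does not break
# the build. Shown here only to make the call shape visible:
optional_policy(`
	vmware_per_role_template(unconfined, unconfined_t, unconfined_r)
')
optional_policy(`
	vmware_per_role_template(user, user_t, user_r)
')
```

After building with make -f /usr/share/selinux/devel/Makefile vmware.pp and loading with semodule -i vmware.pp, the transition can be confirmed independently of running vmplayer: sesearch -T -s unconfined_t -t vmware_exec_t -c process (setools 3 syntax) should print the type_transition rule, and ls -Z /usr/lib/vmware/bin/vmplayer must show vmware_exec_t, otherwise the entry-point check fails and the process stays in the caller's domain.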
----- Original Message ----
From: Daniel J Walsh <dwalsh@xxxxxxxxxx>
To: Louis Lam <lshoujun@xxxxxxxxx>
Cc: Ken YANG <spng.yang@xxxxxxxxx>; fedora-selinux-list@xxxxxxxxxx
Sent: Wednesday, July 25, 2007 3:12:56 PM
Subject: Re: Containing vmware player 2.0.0 with SELINUX
Louis Lam wrote:
> Hi All,
>
> Still on the topic of transition between a file vmware_exec_t to vmware_t.
>
> Under the vmware.if file, there is a:
>
> domain_entry_file($1_vmware_t, vmware_exec_t)
> role $3 types $1_vmware_t
>
> Is this a rule that allows files marked with vmware_exec_t to transit
> to vmware_t? What does the $1,$2,$3 represent? Pardon my ignorance on
> this but i see these $1, $2 things appear in a lot of places which
> confuse me. Can anyone point me to a place to learn more about the
> substitutions?
>
This just says that files labeled vmware_exec_t can be used as
entrypoints into the $1_vmware_t, where $1 is a user type. "user",
"staff", "guest", "xguest". The next line specifies which roles can
reach the specified domain. No transition rules have been defined.
> For the transition to take place I'd probably need to add something
> like this:
>
> domain_auto_trans(initrc_t, vmware_exec_t, vmware_t)
>
Yes, this allows it to reach this particular domain. But to reach the
user domains defined above:
domain_auto_trans($1_t, vmware_exec_t, $1_vmware_t)
or
domain_auto_trans(user_t, vmware_exec_t, user_vmware_t)
> That is following the suggestion below by Daniel to make the
> /usr/bin/vmplayer script initrc_exec_t.
>
> But not too sure where to place this statement, in vmware.te?
>
> I tried that but get a compilation error
>
> vmware.te:13:ERROR: 'unknown type vmware_t' at token ';'
>
Yes, I was mistaken. That is not the way the policy is written. (I
guess I should read before I speak.)
If you want to get vmware to transition from unconfined_t you will have
to write the transition rules from unconfined_t to unconfined_vmware_t.
> I thought vmware_t has been defined in vmware.if?
>
> Thanks in Advance,
> Best Regards,
> Louis
>
> ----- Original Message ----
> From: Daniel J Walsh <dwalsh@xxxxxxxxxx>
> To: Louis Lam <lshoujun@xxxxxxxxx>
> Cc: Ken YANG <spng.yang@xxxxxxxxx>; fedora-selinux-list@xxxxxxxxxx
> Sent: Monday, July 16, 2007 1:24:00 PM
> Subject: Re: Containing vmware player 2.0.0 with SELINUX
>
> Louis Lam wrote:
> > Hi All,
> >
> > I managed to get the vmware host services e.g. vmnet-bridge,
> > vmnet-dhcpd etc... to be running in vmware_host_t domain. I did it by
> > modifying the net-services.sh as described in an earlier post.
> >
> > Next I tried to get vmplayer (i'm using vmware player 2.0.0 but it
> > is similar for vmware ws 6) to run in vmware_t domain. First i tried
> > to chcon /usr/bin/vmplayer to system_u:object_r:vmware_exec_t. But it
> > turns out that /usr/bin/vmplayer is a script that would in turn
> > execute /usr/lib/vmware/bin/vmplayer. I have chcon
> > /usr/lib/vmware/bin/vmplayer to system_u:object_r:vmware_exec_t but
> > still it runs in unconfined_t when i launched it. It seems like the
> > domain transition didn't take place. Please help.
> >
> > 1. What should be the context for the /usr/bin/vmplayer script? Does
> > it affect the transition of the actual executable
> > /usr/lib/vmware/bin/vmplayer?
> >
> > 2. For those who could get vmware workstation 6 to run how did you
> > get it to run in vmware_t domain?
> >
> >
> There is currently no transition from unconfined_t to vmware_t. So the
> only way to get the transition to happen is through the initrc script.
> You could label the vmplayer script initrc_exec_t and the transitions
> should happen properly.
> > Thanks,
> > Louis
> >
> > --- Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> >
> >
> >> Ken YANG wrote:
> >>
> >>> Daniel J Walsh wrote:
> >>>
> >>>
> >>>> Louis Lam wrote:
> >>>>
> >>>>
> >>>>> Hi all,
> >>>>>
> >>>>> At this point i'm still trying to use SELINUX to "contain" vmware
> >>>>> player, making it run in targeted mode.
> >>>>>
> >>>>> I'm still rather new to this but through the help of Ken, i've been
> >>>>> able to manipulate modules and get it to "affect" the vmware player
> >>>>> but at this point my vmware player is still "broken". Would anyone
> >>>>> be able to share their configurations (.te,.fc,.if) file if you've
> >>>>> managed to get it to work with vmware player or vmware-workstation
> >>>>> 6 ? Currently i'm working with Fedora 7 but intend to port it back
> >>>>> to RHEL 5.
> >>>>>
> >>>>> I've downloaded the latest reference policy from oss and examined
> >>>>> the vmware relevant files. From examining the vmware.fc and
> >>>>> "/etc/selinux/targeted/modules/active/file_context", seems like the
> >>>>> vmware.fc file could have been written for an older/different
> >>>>> version of vmware where the vmnet devices are at /dev/vmnet.*
> >>>>> instead of /dev/vmnet* found in vmplayer 2/workstation 6. Which
> >>>>> version was it written for?
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>> There is vmware policy that we are starting to use in Rawhide (fc8)
> >>>>
> >>>>
> >>>>> I went on to modify the vmware.fc file and managed to compile and
> >>>>> load the vmware.pp module. But currently this affected the vmware
> >>>>> services at startup, e.g. vmnet-dhcpd. For vmware, when something
> >>>>> fails to start, it would ask me to run vmware-config.pl again when
> >>>>> i restart it. Doing this would recreate the /dev/vmnet* files over
> >>>>> again but it will not have the right context, defaulting to
> >>>>> "device_t" instead of "vmware_device_t" that i have modified. The
> >>>>> line in my vmware.fc looks like this:
> >>>>>
> >>>>> /dev/vmnet0 -- gen_context(system_u:object_r:vmware_device_t,s0)
> >>>>> /dev/vmnet1 -- gen_context(system_u:object_r:vmware_device_t,s0)
> >>>>> /dev/vmnet8 -- gen_context(system_u:object_r:vmware_device_t,s0)
> >>>>>
> >>>>> I was thinking that if the script has created a new /dev/vmnet file
> >>>>> it would automatically use the vmware_device_t context but it
> >>>>> didn't. Did i miss out anything?
> >>>>>
> >>>>>
> >>>>>
> >>>> The problem here is the script is running as initrc_t which has no
> >>>> rules when creating devices in directories labeled device_t (/dev).
> >>>> So it uses the default and labels the devices the same as the
> >>>> directory. Usually when we have this situation, we just run
> >>>> restorecon /dev/XYZ after the creation, for example
> >>>>
> >>>> mknod /dev/XYZ
> >>>> chmod 666 /dev/XYZ
> >>>> restorecon /dev/XYZ
> >>>>
> >>>>
> >>> as tom said, it seems that it's "$vmdb_answer_LIBDIR"/net-services.sh
> >>> that creates such devices:
> >>>
> >>> http://marc.info/?l=fedora-selinux-list&m=118407622004161&w=2
> >>>
> >>>
> >>> i notice "/dev" is tmpfs:
> >>>
> >>> -(:14:45:$)-> cat /proc/mounts
> >>> rootfs / rootfs rw 0 0
> >>> /dev/root / ext3 rw,data="" 0 0
> >>> /dev /dev tmpfs rw 0 0
> >>> ......
> >>>
> >>> i want to add rules in policy:
> >>>
> >>> type_transition "vmware type" tmpfs_t : chr_file vmware_device_t;
> >>>
> >>> additionally i don't know what type net-services.sh should have; now it is:
> >>>
> >>> ... root root user_u:object_r:lib_t /usr/lib/vmware/net-services.sh
> >>>
> >>>
> >>> is this method appropriate?
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>>> What is the two "--" on the line mean? are they significant?
> >>>>>
> >>>>>
> >>>>>
> >>>> The -- indicates that this matches only files.
> >>>>
> >>>> -d directories
> >>>> -s sock_file
> >>>> -l link file
> >>>> -c char_file
> >>>> ...
> >>>>
> >>>> Second character matches the first character of the ls -l line
> >>>>
> >>>> ls -l /dev/ttyS0
> >>>> crw-rw---- 1 root uucp 4, 64 2007-07-11 19:07 /dev/ttyS0
> >>>>
> >>>> If you have no option specified it would match any file type.
> >>>>
> >>>> /dev/vmnet0 -- gen_context(system_u:object_r:vmware_device_t,s0)
> >>>> /dev/vmnet1 -- gen_context(system_u:object_r:vmware_device_t,s0)
> >>>> /dev/vmnet8 -- gen_context(system_u:object_r:vmware_device_t,s0)
> >>>>
> >>>>
> >>>> Would match only "Regular files" with these labels. So you would be
> >>>> better off with -c (or -b if they are block devices).
> >>>>
> >>>>
> >>>>> Sorry about the long post, any help or advice? Thanks.
> >>>>>
> >>>>> Louis
> >>>>> Send instant messages to your online friends
> >>>>> http://uk.messenger.yahoo.com
> >>>>> --
> >>>>> fedora-selinux-list mailing list
> >>>>> fedora-selinux-list@xxxxxxxxxx
> >>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> >>>>>
> >>>>>
> >>>>>
> >>>>
> >>>>
> >>>>
> >>>
> >>>
> >> One approach to this would be to label the /etc/init.d/vmware script
> >> vmware_initrc_exec_t and then set up the proper transitions.
> >>
> >> This is something we are considering for RBAC. For example we want to
> >> allow the webadm_t to be able to only restart/execute the httpd
> >> script. Currently we have to allow him to execute any initrc script,
> >> although we can prevent him from starting other confined domains.
> >> A cleaner solution might be to label the script differently and set up
> >> another domain for the script to transition to.
> >>
> >>
> >
> >
> >
>
>
>
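The two labelling problems in the quoted thread, the "--" file-type filter in vmware.fc and the type_transition Ken proposes for nodes created under /dev, shown together as an added example. This is not the refpolicy vmware module and not code posted by anyone in the thread. It assumes the type names used in the thread (vmware_host_t, vmware_device_t), that the /dev directory itself is labelled device_t as Dan states, and that the device nodes are character devices. The source domain of the type_transition must be whatever domain actually calls mknod (ps -eZ while net-services.sh runs shows it); if that is still initrc_t, the source below has to be initrc_t, and Dan's restorecon after mknod remains the simpler fix.

```m4
# vmware.fc: file contexts (added example; device paths from the thread,
# type names assumed). The second field filters on file type:
#   -c character device, -b block device, -d directory, -l symlink,
#   -s socket, -- regular file only, omitted: any type.
# /dev/vmnet* are character devices, so an entry written with "--" never
# matches them and restorecon leaves them as device_t.
/dev/vmnet[0-9]+	-c	gen_context(system_u:object_r:vmware_device_t,s0)

# vmware.te: label nodes correctly at creation, with no restorecon afterwards
policy_module(vmware, 1.0.0)   # version string assumed

type vmware_host_t;
domain_type(vmware_host_t)

type vmware_device_t;
dev_node(vmware_device_t)

gen_require(`
	type device_t;
')

# A type_transition grants nothing by itself: the creating domain still
# needs write access to the directory and create access to the resulting
# node, or the mknod is denied outright. Raw rules are used so the classes
# and permissions are visible; refpolicy's devices.if wraps the same thing
# in interfaces.
allow vmware_host_t device_t:dir { getattr search read write add_name remove_name };
allow vmware_host_t vmware_device_t:chr_file { create getattr setattr read write ioctl unlink };

# The rule Ken asked about. The middle term is the type of the parent
# directory, not of the filesystem: /dev is a tmpfs mount, but the
# directory is device_t (Dan's point above), so device_t, not tmpfs_t,
# is the key. A chr_file created by vmware_host_t in a device_t directory
# is born as vmware_device_t.
type_transition vmware_host_t device_t:chr_file vmware_device_t;
```

To check it, re-run vmware-config.pl (or the service start) and then ls -Z /dev/vmnet*: the nodes should come up as vmware_device_t without a restorecon. If they are still device_t, look in /var/log/audit/audit.log for a denial on chr_file create; a missing allow rule shows up there, whereas a type_transition keyed on the wrong directory type produces no denial at all, just the inherited label.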