Re: Containing vmware player 2.0.0 with SELINUX

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi all,

Today i managed to make the vmplayer run in its own domain. What I did was added the statement to my vmware.te. Thanks to Ken and his suggestion (and all of the help so far), i've got the "Selinux by example" book that i've been reading as a reference.

domain_auto_trans(unconfined_t, vmware_exec_t, vmware_t)

Evident from the large amount of avc denials in setroubleshoot when i launch vmplayer, i was able to see that vmplayer was running in the context of :

root:system_r:vmware_t

Two questions from security angle on this approach though:

1. If i allow transition from unconfined_t to vmware_t, it means that any unconfined process can transit to vmware_t and be able to access the vmware files. This is probably not what i'd desire. What would be a good recommendation for this? Any best practices?

2. I still want to start vmware as a user program, probably not as a service. In that case, would I still need to do something in the vmware.if so that the domain auto trans can take on a role ?

Now that i'm able to run it under vmware_t domain, and see a lot of avcs, i intend to make vmware run properly again. I'd go with allowing whatever vmware wants to do, then tightening the security. There are a few approaches i can use, and i'd like to seek your opinions on how to go about doing it:

1. audit2allow: This will list all of the avcs and turn them into allow statements. By adding these statements to my vmware.te, this would enable vmware to function again. Problem is that i may end up with too many statements. There would probably be macros to cover these.

2. macros: This is somethings i'm not familiar with. Are there any documentation that describe some of the more commonly used macros? Or it is better just to see the source?

3. policygentool: From what i understand, this is a script that would generate a module for you. the question is how do i combine  it with the vmware source code that I've taken from the reference policy? (that i'm using now)? I forsee a lot of conflicts to be resolved. and may actually not be so clean.

Whats your take on these approach? Are there others that I've missed out?

Thanks in advance,
Louis

----- Original Message ----
From: Ken YANG <spng.yang@xxxxxxxxx>
To: Louis Lam <lshoujun@xxxxxxxxx>
Cc: Daniel J Walsh <dwalsh@xxxxxxxxxx>; fedora-selinux-list@xxxxxxxxxx
Sent: Tuesday, July 31, 2007 6:00:20 AM
Subject: Re: Containing vmware player 2.0.0 with SELINUX

Louis Lam wrote:
> Hi,
>
> Thanks for the reply.
>
> My conclusion is that not I'm not sure where to place the domain_auto_trans() statement. If I can't place it in the vmware.if file(since it will not be read during module compilation ) where can I put this statement? All i need to do now is to make the vmware executable run in its own domain e.g. vmware_t. But it seems more difficult than I thought.

if you want vmware program run in own domain, all necessary rules
should be in te file, e.g.

domain_auto_trans(vmware_t, vmware_host_exec_t, vmware_host_t)
(just a example)

similarly, domain_auto_trans can also used in if file, especially used
in per_role_template. All these are depend on your purpose.

to make vmware run in selinux-policy>3.0, the easiest way is to
follow what tom guid, i.e. modify the net-service.sh to restorce
label after creating device node.

but if you want to make policy contain vmware, you must resolve
the "device node label" problem, IMHO, you should use fs_use_trans
to make label automatically:

http://marc.info/?l=selinux&m=118481693028190&w=2

now, i have not time to do this, so i have not solved the problems
i encountered.


>
> Can you point me to resources to how to develop modules? Can someone help me with this problem?

"Beginning is the most difficult one, but A Good Beginning is half
the battle" :-)

after you finish the beginning, you will find it's not difficult.

The book <<SELinux by example>> is a good guide for developing modules,
but i think the best guide to develop policy is the policy source.



>
> Thanks & Regards,
> Louis
>
> ----- Original Message ----
> From: Ken YANG <spng.yang@xxxxxxxxx>
> To: Louis Lam <lshoujun@xxxxxxxxx>
> Cc: Daniel J Walsh <dwalsh@xxxxxxxxxx>; fedora-selinux-list@xxxxxxxxxx
> Sent: Monday, July 30, 2007 6:53:17 AM
> Subject: Re: Containing vmware player 2.0.0 with SELINUX
>
> Louis Lam wrote:
>> Hi,
>>
>> I think i'm having a policy compilation problem here
>>
>> I've moved the domain_auto_trans($1_t, vmware_exec_t, $1_vmware_t) statement to vmware.if. I was following the domain_auto_trans rules for other apps such as mozilla. The syntax error problem went away.
>>
>> But the problem is that the domain transition didn't take place. My vmplayer is still running in unconfined state.
>>
>> I'm doing compilation of the vmware.pp module using make -f /usr/share/selinux/devel/Makefile. I've tried to purposely introduce errors into vmware.if to see if the compilation is effective:
>>
>> e.g. domain_auto_trans($2, $2, $1_t, vmware_exec_t, $1_vmware_t)
>>
>> But the make process didn't detect any errors and the compilation still went on. I did a diff between the vmware.pp at the /etc/selinux/targeted/modules/active/modules/vmware.pp and the development directory (where I do all my compilation), but there are no differences.
>>
>> Does it mean if the vmware.if file is modified it will not affect the make?
>
> as i infer (i'm not sure):
>
> the interface will not be checked, unless someone invoke it, because if
> there are not invokes, the parameter can not be determined.
>
> when you build vmware module, you will not use your own interface in
> own module, so build process will not detect error.
>
>
>
>> How do you ensure that the changes at vmware.if  effective? (well at least cause some compilation errors?)
>>
>>
>>
>> Thanks,
>> Louis
>>
>>
>>
>>
>>
>> ----- Original Message ----
>> From: Ken YANG <spng.yang@xxxxxxxxx>
>> To: Louis Lam <lshoujun@xxxxxxxxx>
>> Cc: Daniel J Walsh <dwalsh@xxxxxxxxxx>; fedora-selinux-list@xxxxxxxxxx
>> Sent: Saturday, July 28, 2007 5:28:25 PM
>> Subject: Re: Containing vmware player 2.0.0 with SELINUX
>>
>>
>> Louis Lam wrote:
>>> My mistakes, apologies for the confusion, under part 2, I was trying to do domain_auto_trans instead of doman_entry_file, so...
>>>
>>> 2. Created a domain transition so that the vmware user programs e.g.
>>> /usr/lib/vmplayer script, /usr/lib/vmware/bin/vmplayer that are
>>> labelleled system_u:object_r:vmware_exec_t will transit to
>>> system_u:object_r:vmware_t when executed. I put it also in vmware.te:
>>>
>>> domain_auto_trans($1_t, vmware_exec_t, $1_vmware_t)
>>>
>>> but
>>>  on making the vmware.pp module I get this warning and error:
>>>
>>> 'syntax error' at token '1' on line 81143:
>>> #line 13
>>>     allow $1_t vmware_exec_t: file {getattr read execute};
>> this rule is generated by domain_auto_trans, so i think the
>> syntax error should be caused by other rules.
>>
>> you may check other rules in your policy.
>>
>>> Thanks in advance,
>>> Louis
>>>
>>>
>>> ----- Original Message ----
>>> From: Louis Lam <lshoujun@xxxxxxxxx>
>>> To: Daniel J Walsh <dwalsh@xxxxxxxxxx>
>>> Cc: fedora-selinux-list@xxxxxxxxxx
>>> Sent: Friday, July 27, 2007 5:05:05 AM
>>> Subject: Re: Containing vmware player 2.0.0 with SELINUX
>>>
>>> Thanks Daniel for the information, hi everyone
>>>
>>> I've tried to make the following changes:
>>>
>>> 1. Defined the vmware_t type in vmware.te:
>>> type vmware_t;
>>>
>>> I need to do this since I'm trying to let the vmware user program run under vmware_t domain but this is not defined. In terms of overall code compliance is it correct to define here? or should be at the vmware.if?
>> type definition should be in vmware.te
>>
>> Send instant messages to your online friends http://uk.messenger.yahoo.com
>
>
>
>
>
>
>
> Send instant messages to your online friends http://uk.messenger.yahoo.com



Send instant messages to your online friends http://uk.messenger.yahoo.com
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux