From 1399c35d813b11eb2f103f8dcfbe050fab655a71 Mon Sep 17 00:00:00 2001 From: Dave Sugar Date: Wed, 13 Dec 2023 11:52:01 -0500 Subject: [PATCH] Add support for open-vm-tools node=localhost type=AVC msg=audit(1732592552.733:8660): avc: denied { create } for pid=1006 comm="vmtoolsd" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=vsock_socket permissive=0 node=localhost type=AVC msg=audit(1732592232.142:477): avc: denied { create } for pid=1005 comm="VGAuthService" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=vsock_socket permissive=0 node=localhost type=AVC msg=audit(1732592232.516:506): avc: denied { read write } for pid=1006 comm="vmtoolsd" name="card0" dev="devtmpfs" ino=275 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=0 node=localhost type=AVC msg=audit(1732592232.194:479): avc: denied { create } for pid=1005 comm="VGAuthService" name="vmware" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0 Signed-off-by: Dave Sugar --- policy/modules/apps/vmware.fc | 14 ++++ policy/modules/apps/vmware.if | 19 ++++++ policy/modules/apps/vmware.te | 111 +++++++++++++++++++++++++++++++ policy/modules/kernel/devices.fc | 1 + 4 files changed, 145 insertions(+) diff --git a/policy/modules/apps/vmware.fc b/policy/modules/apps/vmware.fc index b15577212c..aadfd433fa 100644 --- a/policy/modules/apps/vmware.fc +++ b/policy/modules/apps/vmware.fc 
@@ -4,23 +4,37 @@ HOME_DIR/vmware(/.*)? gen_context(system_u:object_r:vmware_file_t,s0) /etc/vmware.*(/.*)? gen_context(system_u:object_r:vmware_sys_conf_t,s0) +/usr/bin/VGAuthService -- gen_context(system_u:object_r:vmware_vgauth_service_exec_t,s0) +/usr/bin/vmtoolsd -- gen_context(system_u:object_r:vmware_tools_exec_t,s0) + /usr/bin/vmnet-bridge -- gen_context(system_u:object_r:vmware_host_exec_t,s0) /usr/bin/vmnet-dhcpd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) /usr/bin/vmnet-natd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) /usr/bin/vmnet-netifup -- gen_context(system_u:object_r:vmware_host_exec_t,s0) /usr/bin/vmnet-sniffer -- gen_context(system_u:object_r:vmware_host_exec_t,s0) +/usr/bin/vmware-alias-import -- gen_context(system_u:object_r:vmware_exec_t,s0) +/usr/bin/vmware-checkvm -- gen_context(system_u:object_r:vmware_exec_t,s0) /usr/bin/vmware-guest.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) +/usr/bin/vmware-hgfsclient -- gen_context(system_u:object_r:vmware_exec_t,s0) +/usr/bin/vmware-namespace-cmd -- gen_context(system_u:object_r:vmware_exec_t,s0) /usr/bin/vmware-network -- gen_context(system_u:object_r:vmware_host_exec_t,s0) /usr/bin/vmware-nmbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) /usr/bin/vmware-ping -- gen_context(system_u:object_r:vmware_exec_t,s0) +/usr/bin/vmware-rpctool -- gen_context(system_u:object_r:vmware_exec_t,s0) /usr/bin/vmware-serverd -- gen_context(system_u:object_r:vmware_exec_t,s0) /usr/bin/vmware-smbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) /usr/bin/vmware-smbpasswd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) /usr/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0) +/usr/bin/vmware-toolbox-cmd -- gen_context(system_u:object_r:vmware_exec_t,s0) +/usr/bin/vmware-vgauth-cmd -- gen_context(system_u:object_r:vmware_exec_t,s0) /usr/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0) /usr/bin/vmware-wizard 
-- gen_context(system_u:object_r:vmware_exec_t,s0) +/usr/bin/vmware-xferlogs -- gen_context(system_u:object_r:vmware_exec_t,s0) /usr/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0) +/usr/lib/systemd/system/vgauthd\.service -- gen_context(system_u:object_r:vmware_unit_t,s0) +/usr/lib/systemd/system/vmtoolsd\.service -- gen_context(system_u:object_r:vmware_unit_t,s0) + /usr/lib/vmware/config -- gen_context(system_u:object_r:vmware_sys_conf_t,s0) /usr/lib/vmware/bin/vmplayer -- gen_context(system_u:object_r:vmware_exec_t,s0) /usr/lib/vmware/bin/vmware-mks -- gen_context(system_u:object_r:vmware_exec_t,s0) diff --git a/policy/modules/apps/vmware.if b/policy/modules/apps/vmware.if index ce4da54769..3e8f78b78e 100644 --- a/policy/modules/apps/vmware.if +++ b/policy/modules/apps/vmware.if @@ -71,6 +71,25 @@ interface(`vmware_exec_host',` can_exec($1, vmware_host_exec_t) ') +######################################## +## +## Execute vmware guest executables +## +## +## +## Domain allowed access. +## +## +# +interface(`vmware_exec_guest',` + gen_require(` + type vmware_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, vmware_exec_t) +') + ######################################## ## ## Read vmware system configuration files. diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te index dfe8164cb3..a4b2a00c19 100644 --- a/policy/modules/apps/vmware.te +++ b/policy/modules/apps/vmware.te 
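Review bot: The guest-side utilities added in this vmware.fc hunk (`/usr/bin/vmware-toolbox-cmd`, `/usr/bin/vmware-rpctool`, `/usr/bin/vmware-checkvm`, `/usr/bin/vmware-hgfsclient` and the others) are labeled `vmware_exec_t`, which is the entrypoint type of the existing `vmware_t` Workstation application domain rather than a guest-tools type. As far as I recall, `vmware_role` sets up a domain transition on `vmware_exec_t`, so a user holding that role who runs `vmware-toolbox-cmd` inside a guest would land in `vmware_t` with the host-side VMware policy instead of staying in their own domain. A dedicated type (for example a new `vmware_tools_cmd_exec_t`), or plain `bin_t` given that `vmware_tools_t` already has `corecmd_exec_bin` in the vmware.te hunk, would keep host and guest programs apart. The new `vmware_exec_guest` interface in the vmware.if hunk, which does `can_exec($1, vmware_exec_t)`, and its caller `vmware_exec_guest(vmware_tools_t)` in vmware.te would then reference that type instead.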
@@ -42,6 +42,24 @@ userdom_user_tmp_file(vmware_tmp_t) type vmware_tmpfs_t; userdom_user_tmpfs_file(vmware_tmpfs_t) +type vmware_tools_t; +type vmware_tools_exec_t; +init_daemon_domain(vmware_tools_t, vmware_tools_exec_t) + +type vmware_tools_tmp_t; +userdom_user_tmp_file(vmware_tools_tmp_t) + +type vmware_unit_t; +init_unit_file(vmware_unit_t) + +type vmware_var_lib_t; +files_type(vmware_var_lib_t) + +type vmware_vgauth_service_t; +type vmware_vgauth_service_exec_t; +init_daemon_domain(vmware_vgauth_service_t, vmware_vgauth_service_exec_t) + + optional_policy(` wm_application_domain(vmware_t, vmware_exec_t) ') 
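Review bot: `vmware_tools_tmp_t` is declared with `userdom_user_tmp_file(vmware_tools_tmp_t)` although `vmware_tools_t` is a system daemon created with `init_daemon_domain()` a few lines above. As far as I recall, `userdom_user_tmp_file` also attaches the `user_tmp_type` attribute, so every interface that grants access to user tmp files as a group would reach vmtoolsd's tmp files as well; `files_tmp_file(vmware_tools_tmp_t)` is the usual declaration for a daemon's tmp type and keeps that scope narrower. If the attribute is intended, a one-line comment stating why (for example that vmtoolsd exchanges files with user sessions) would help the next reader.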
@@ -257,3 +275,96 @@ tunable_policy(`use_samba_home_dirs',`
 fs_manage_cifs_files(vmware_t)
 fs_manage_cifs_symlinks(vmware_t)
 ')
+
+
+########################################
+#
+# Guest vmware-tools local policy
+#
+
+allow vmware_tools_t self:capability { net_bind_service sys_admin sys_time };
+allow vmware_tools_t self:fifo_file rw_inherited_fifo_file_perms;
+allow vmware_tools_t self:netlink_route_socket { create rw_netlink_socket_perms };
+allow vmware_tools_t self:process { getsched setsched };
+allow vmware_tools_t self:udp_socket create_socket_perms;
+allow vmware_tools_t self:unix_dgram_socket create_socket_perms;
+allow vmware_tools_t self:unix_stream_socket create_socket_perms;
+allow vmware_tools_t self:vsock_socket create_socket_perms;
+
+append_files_pattern(vmware_tools_t, vmware_log_t, vmware_log_t)
+create_files_pattern(vmware_tools_t, vmware_log_t, vmware_log_t)
+rename_files_pattern(vmware_tools_t, vmware_log_t, vmware_log_t)
+setattr_files_pattern(vmware_tools_t, vmware_log_t, vmware_log_t)
+logging_log_filetrans(vmware_tools_t, vmware_log_t, file)
+
+allow vmware_tools_t vmware_tools_tmp_t:dir { create_dir_perms delete_dir_perms };
+manage_files_pattern(vmware_tools_t, vmware_tools_tmp_t, vmware_tools_tmp_t)
+files_tmp_filetrans(vmware_tools_t, vmware_tools_tmp_t, { file dir })
+
+vmware_exec_guest(vmware_tools_t)
+
+corecmd_exec_bin(vmware_tools_t)
+corecmd_exec_shell(vmware_tools_t)
+
+dev_read_sysfs(vmware_tools_t)
+dev_read_vsock(vmware_tools_t)
+dev_rw_dri(vmware_tools_t)
+dev_rw_vmware(vmware_tools_t)
+
+files_read_etc_files(vmware_tools_t)
+files_read_usr_files(vmware_tools_t)
+files_search_var_lib(vmware_tools_t)
+
+fs_getattr_xattr_fs(vmware_tools_t)
+
+kernel_read_network_state(vmware_tools_t)
+kernel_read_system_state(vmware_tools_t)
+kernel_request_load_module(vmware_tools_t)
+
+dbus_system_bus_client(vmware_tools_t)
+
+init_read_state(vmware_tools_t)
+
+logging_send_syslog_msg(vmware_tools_t)
+
+miscfiles_read_localization(vmware_tools_t)
+
+systemd_dbus_chat_logind(vmware_tools_t)
+
+udev_read_runtime_files(vmware_tools_t)
+
+########################################
+#
+# Guest VGAuthService local policy
+#
+
+allow vmware_vgauth_service_t self:fifo_file rw_inherited_fifo_file_perms;
+allow vmware_vgauth_service_t self:unix_dgram_socket create_socket_perms;
+allow vmware_vgauth_service_t self:unix_stream_socket create_stream_socket_perms;
+allow vmware_vgauth_service_t self:vsock_socket create_socket_perms;
+
+append_files_pattern(vmware_vgauth_service_t, vmware_log_t, vmware_log_t)
+create_files_pattern(vmware_vgauth_service_t, vmware_log_t, vmware_log_t)
+setattr_files_pattern(vmware_vgauth_service_t, vmware_log_t, vmware_log_t)
+logging_log_filetrans(vmware_vgauth_service_t, vmware_log_t, file)
+
+create_dirs_pattern(vmware_vgauth_service_t, vmware_var_run_t, vmware_var_run_t)
+manage_files_pattern(vmware_vgauth_service_t, vmware_var_run_t, vmware_var_run_t)
+manage_sock_files_pattern(vmware_vgauth_service_t, vmware_var_run_t, vmware_var_run_t)
+files_runtime_filetrans(vmware_vgauth_service_t, vmware_var_run_t, { dir file sock_file })
+
+create_dirs_pattern(vmware_vgauth_service_t, vmware_var_lib_t, vmware_var_lib_t)
+manage_files_pattern(vmware_vgauth_service_t, vmware_var_lib_t, vmware_var_lib_t)
+files_var_lib_filetrans(vmware_vgauth_service_t, vmware_var_lib_t, dir, "vmware")
+
+corecmd_read_bin_files(vmware_vgauth_service_t)
+
+files_read_etc_files(vmware_vgauth_service_t)
+files_read_usr_files(vmware_vgauth_service_t)
+
+kernel_request_load_module(vmware_vgauth_service_t)
+
+logging_send_syslog_msg(vmware_vgauth_service_t)
+
+miscfiles_read_generic_certs(vmware_vgauth_service_t)
+miscfiles_read_localization(vmware_vgauth_service_t)
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index cd4062e6fd..d476a293cf 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
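Review bot: `allow vmware_tools_t self:capability { net_bind_service sys_admin sys_time };` grants `sys_admin`, the broadest capability, while nothing in the hunk or the commit message shows which operation needs it (the quoted AVCs are the vsock, dri and var_lib denials). A short comment naming the operation, or a `dontaudit` if the request turns out to be incidental, would keep the grant reviewable; `sys_time` is presumably the guest clock synchronisation and worth a comment too. Separately, `dbus_system_bus_client(vmware_tools_t)`, `systemd_dbus_chat_logind(vmware_tools_t)` and `udev_read_runtime_files(vmware_tools_t)` call into other modules outside an `optional_policy(`...')` block, unlike the existing `wm_application_domain` call earlier in this file, so the vmware module would not build on a policy that omits any of those modules — check whether each of them is guaranteed to be present here.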
@@ -149,6 +149,7 @@ ifdef(`distro_suse', `
 /dev/vhost-scsi -c gen_context(system_u:object_r:vhost_device_t,s0)
 /dev/vhost-vsock -c gen_context(system_u:object_r:vhost_device_t,s0)
 /dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/vmci -c gen_context(system_u:object_r:vmware_device_t,s0)
 /dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0)
 /dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0)
 /dev/vrtpanel -c gen_context(system_u:object_r:mouse_device_t,s0)