>>SELinux Mailing List: by thread

From: Westerman, Mark <Mark.Westerman_at_csoconline.com>
subject: Rules for SELinux in a vmware session
Date: Fri, 25 Jan 2002 12:16:59 -0600

I created the following rule for running selinux in a vmware session.

I currently have a prototype vmware domain for the host OS.

File: policy/domains/program/modutil.te

allow depmod_t etc_runtime_t:lnk_file r_file_perms;

File: policy/domains/system/initrc.te
# Read conf.modules.
# Added lnk_file for vmware session

allow initrc_t modules_conf_t:{ file lnk_file } r_file_perms;

File: policy/domains/system/kmod.te
# Read conf.modules.
# Additions for vmware session

allow kmod_t modules_conf_t:{ file lnk_file } r_file_perms;
allow kmod_t etc_runtime_t:lnk_file { read };

File: setfiles/file_contexts
# Added for vmware session

/etc/modules.conf(|.*) system_u:object_r:modules_conf_t

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
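
Added example (not part of the original message or of the SELinux distribution): a short Python script that expands the allow rules posted above into individual (source, target, class, permission) grants, so a reviewer can see exactly what the vmware additions permit. The expansion used for r_file_perms is an assumption; take the real definition from your own policy's macro files.

```python
import re
from itertools import product

# Assumption: r_file_perms expands to these permissions. Confirm against
# the macro definitions shipped with the policy you are reviewing.
MACROS = {"r_file_perms": ["read", "getattr", "lock", "ioctl"]}

# Rules copied from the message above.
RULES = """
allow depmod_t etc_runtime_t:lnk_file r_file_perms;
# Added lnk_file for vmware session
allow initrc_t modules_conf_t:{ file lnk_file } r_file_perms;
allow kmod_t modules_conf_t:{ file lnk_file } r_file_perms;
allow kmod_t etc_runtime_t:lnk_file { read };
"""

# A field is either a single identifier or a brace-delimited set.
FIELD = r"(\{[^}]*\}|[\w.]+)"
ALLOW = re.compile(rf"allow\s+{FIELD}\s+{FIELD}\s*:\s*{FIELD}\s+{FIELD}\s*;")


def members(field):
    """Expand '{ a b }' or a single name into a list, resolving macros."""
    out = []
    for name in field.strip("{} ").split():
        out.extend(MACROS.get(name, [name]))
    return out


def expand(policy_text):
    """Return the set of (source, target, class, perm) tuples granted."""
    text = re.sub(r"#.*", "", policy_text)  # drop comments
    granted = set()
    for fields in ALLOW.findall(text):
        granted.update(product(*(members(f) for f in fields)))
    return granted


def perms_for(granted, source, target, cls):
    """Sorted permissions one domain holds on one target type and class."""
    return sorted(p for s, t, c, p in granted if (s, t, c) == (source, target, cls))


if __name__ == "__main__":
    for grant in sorted(expand(RULES)):
        print("%-10s %-16s %-9s %s" % grant)
```

The listing makes the asymmetry visible: kmod_t gets only read on etc_runtime_t symlinks, while depmod_t gets the full read-only macro on the same type.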
From: paul krumviede <pwk_at_acm.org>
subject: Re: Rules for SELinux in a vmware session
Date: Fri, 25 Jan 2002 10:44:45 -0800

--On Friday, January 25, 2002 12:16:59 PM -0600 "Westerman, Mark" <Mark.Westerman@csoconline.com> wrote:

>
>
> I created the following rule for running selinux in a vmware session.
>
> I currently have a prototype vmware domain for the host OS.

i created something a bit more complex. i also attempted to make the policy file relatively self-contained (for example, the attached file adds the vmware_guestd_t type to the system_r role, rather than having to add it in the rbac file; this may be a matter of taste). the file is also extensively (excessively?) annotated.

it isn't yet with the newest release (the 2.4.17 kernel one) or on a redhat 7.2 system; it was done with some of the earlier releases, up to and including the 2.4.16 kernel one, with VMware 2.04 and 3.0.

> File: setfiles/file_contexts
> # Added for vmware session
> /etc/modules.conf(|.*) system_u:object_r:modules_conf_t

i also added

/etc/vmware-tools/vmware-guestd system_u:object_r:vmware_guestd_exec_t

to setfiles/file_contexts.

-paul


  • application/octet-stream attachment: vmware.te

This archive was generated by hypermail 2.2.0 on Wed 11 Jun 2008 - 08:10:54 EDT
