vmware_selinux(8)            SELinux Policy vmware           vmware_selinux(8)


NAME

       vmware_selinux - Security Enhanced Linux Policy for the vmware processes


DESCRIPTION

       Security-Enhanced Linux secures the vmware processes via flexible
       mandatory access control.

       The vmware processes execute with the vmware_t SELinux type. You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep vmware_t
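       The following is an added example, not part of this man page or of the
       sepolicy generator that produced it. It shows a tighter form of the ps
       check above: instead of matching the string vmware_t anywhere on the
       line, it parses the LABEL column of ps -eZ output and reports only the
       processes whose context has vmware_t as its type field. The ps output it
       runs over is constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the vmware_selinux man page: list the PIDs of
# processes running in a given SELinux domain from `ps -eZ` output.  A plain
# `grep vmware_t` matches the string anywhere on the line (a command name,
# for instance), so this version parses the LABEL column instead.

# Constructed sample of `ps -eZ` output for this example.
SAMPLE_PS='LABEL                                     PID TTY          TIME CMD
system_u:system_r:init_t:s0                 1 ?        00:00:01 systemd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023  2345 pts/0 00:00:00 bash
unconfined_u:unconfined_r:vmware_t:s0-s0:c0.c1023      2410 ?     00:00:05 vmware
unconfined_u:unconfined_r:vmware_t:s0-s0:c0.c1023      2418 ?     00:00:02 vmware-mks
system_u:system_r:vmware_host_t:s0          2500 ?        00:00:00 vmnet-natd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023  2600 pts/0 00:00:00 fake_vmware_t'

# pids_in_domain DOMAIN
# Reads ps -eZ style output on stdin and prints the PID of every process
# whose security context has DOMAIN as its type, i.e. the third
# colon-separated field of user:role:type:level.  The header line is skipped.
pids_in_domain() {
    awk -v want="$1" '
        NR == 1 && $1 == "LABEL" { next }
        {
            n = split($1, ctx, ":")
            if (n >= 3 && ctx[3] == want) print $2
        }'
}

# Demonstration: the naive grep counts the impostor too, the parser does not.
printf '%s\n' "$SAMPLE_PS" | grep -c vmware_t           # 3 lines match
printf '%s\n' "$SAMPLE_PS" | pids_in_domain vmware_t    # 2410 and 2418
```

       On a live system, replace the sample with `ps -eZ | pids_in_domain
       vmware_t`; the same function works for vmware_host_t or any other
       domain.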

ENTRYPOINTS

       The vmware_t SELinux type can be entered via the vmware_exec_t file
       type.

       The default entrypoint paths for the vmware_t domain are the following:

       /opt/vmware/(workstation|player)/bin/vmware,
       /opt/vmware/(workstation|player)/bin/vmware-ping,
       /opt/vmware/(workstation|player)/bin/vmware-wizard,
       /usr/bin/vmware, /usr/bin/vmware-ping, /usr/bin/vmware-wizard,
       /usr/sbin/vmware-serverd, /usr/lib/vmware/bin/vmplayer,
       /usr/lib/vmware/bin/vmware-ui, /usr/lib/vmware/bin/vmware-mks


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       vmware policy is very flexible, allowing users to set up their vmware
       processes in as secure a method as possible.

       The following process types are defined for vmware:

       vmware_t, vmware_host_t

       Note: semanage permissive -a vmware_t can be used to make the process
       type vmware_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.
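       As an added example (not part of this man page), the shell function
       below summarises the AVC records that a permissive vmware_t domain keeps
       generating, so you can see what it would be refused once the domain is
       enforcing again. The audit.log records it parses are constructed for the
       example; the field names it reads (scontext, tcontext, tclass,
       permissive) are the standard ones in kernel AVC messages.

```shell
#!/bin/sh
# Added example, not part of the vmware_selinux man page: summarise AVC
# denial records for one SELinux domain.  After `semanage permissive -a
# vmware_t` the denials are still logged, with permissive=1 marking records
# where access was in fact allowed; the summary shows what the domain would
# be blocked from doing in enforcing mode.

# Constructed sample audit.log records for this example (not real events).
SAMPLE_AUDIT='type=AVC msg=audit(1575288000.101:210): avc:  denied  { read } for  pid=2410 comm="vmware" name="config" dev="sda1" ino=1001 scontext=unconfined_u:unconfined_r:vmware_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1575288000.101:210): arch=c000003e syscall=257 success=yes exit=3
type=AVC msg=audit(1575288000.102:211): avc:  denied  { read } for  pid=2410 comm="vmware" name="config" dev="sda1" ino=1001 scontext=unconfined_u:unconfined_r:vmware_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1575288000.110:212): avc:  denied  { read write } for  pid=2418 comm="vmware-mks" name="shm" dev="tmpfs" ino=77 scontext=unconfined_u:unconfined_r:vmware_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xserver_tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1575288000.120:213): avc:  denied  { name_bind } for  pid=2500 comm="vmnet-natd" src=53 scontext=system_u:system_r:vmware_host_t:s0 tcontext=system_u:object_r:dns_port_t:s0 tclass=udp_socket permissive=0'

# summarize_avc DOMAIN
# Reads audit records on stdin; for AVC records whose source type is DOMAIN,
# prints "COUNT PERMS TCLASS TARGET_TYPE MODE", most frequent first.
summarize_avc() {
    awk -v want="$1" '
        $1 != "type=AVC" { next }
        {
            perms = ""; sctx = ""; tctx = ""; cls = ""; mode = "enforcing"
            inperm = 0
            for (i = 1; i <= NF; i++) {
                # permissions are listed between "{" and "}"
                if ($i == "{") { inperm = 1; continue }
                if ($i == "}") { inperm = 0; continue }
                if (inperm) { perms = (perms == "" ? $i : perms "," $i); continue }
                if (index($i, "scontext=") == 1) sctx = substr($i, 10)
                else if (index($i, "tcontext=") == 1) tctx = substr($i, 10)
                else if (index($i, "tclass=") == 1) cls = substr($i, 8)
                else if ($i == "permissive=1") mode = "permissive"
            }
            split(sctx, s, ":"); split(tctx, t, ":")
            if (s[3] != want) next          # keep only the requested domain
            count[perms " " cls " " t[3] " " mode]++
        }
        END { for (k in count) print count[k], k }' | sort -rn
}

printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc vmware_t
# 2 read file etc_t permissive
# 1 read,write file xserver_tmpfs_t permissive
```

       On a live system feed it `ausearch -m AVC -ts recent | summarize_avc
       vmware_t`. Each output line is one candidate for a custom policy
       module or for a file relabel, to be resolved before the domain is
       switched back to enforcing.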

BOOLEANS

       SELinux policy is customizable based on least access required. vmware
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run vmware with the tightest access possible.

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Disabled by default.

       setsebool -P nscd_use_shm 1

       If you want to allow regular users direct dri device access, you must
       turn on the selinuxuser_direct_dri_enabled boolean. Disabled by
       default.

       setsebool -P selinuxuser_direct_dri_enabled 1

       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Enabled by default.

       setsebool -P use_nfs_home_dirs 1

       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean. Disabled by default.

       setsebool -P use_samba_home_dirs 1

       If you want to allow clients to write to the X server shared memory
       segments, you must turn on the xserver_clients_write_xshm boolean.
       Disabled by default.

       setsebool -P xserver_clients_write_xshm 1
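       Added example, not part of this man page: a drift check that reads
       getsebool -a output and reports each of the booleans listed above whose
       current value differs from the default documented here. The getsebool
       output it runs over is constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the vmware_selinux man page: report booleans
# whose current value differs from the default documented in the page.
# Reads `getsebool -a` output ("name --> on|off") on stdin.

# Documented defaults for the booleans listed in this man page.
BOOLEAN_DEFAULTS='fips_mode=on nscd_use_shm=off selinuxuser_direct_dri_enabled=off use_nfs_home_dirs=on use_samba_home_dirs=off xserver_clients_write_xshm=off'

# Constructed sample of `getsebool -a` output for this example.
SAMPLE_GETSEBOOL='fips_mode --> on
nscd_use_shm --> off
selinuxuser_direct_dri_enabled --> on
use_nfs_home_dirs --> off
use_samba_home_dirs --> off
xserver_clients_write_xshm --> on
some_other_boolean --> on'

# boolean_drift
# Prints "NAME CURRENT DEFAULT" for each documented boolean whose current
# value (getsebool -a output on stdin) differs from its documented default.
# Booleans not in the defaults table are ignored.
boolean_drift() {
    awk -v defaults="$BOOLEAN_DEFAULTS" '
        BEGIN {
            n = split(defaults, items, " ")
            for (i = 1; i <= n; i++) {
                split(items[i], kv, "=")
                def[kv[1]] = kv[2]
            }
        }
        ($1 in def) && $3 != def[$1] { print $1, $3, def[$1] }'
}

# Drifted booleans that are "on" widen what confined domains may do and are
# the ones to review first against the "tightest access possible" goal.
printf '%s\n' "$SAMPLE_GETSEBOOL" | boolean_drift
# selinuxuser_direct_dri_enabled on off
# use_nfs_home_dirs off on
# xserver_clients_write_xshm on off
```

       On a live system run `getsebool -a | boolean_drift`. A reported boolean
       is not necessarily wrong (use_nfs_home_dirs may be off on purpose), but
       each one is a deliberate deviation that should be documented.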

MANAGED FILES

       The SELinux process type vmware_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       cifs_t

       nfs_t

       usbfs_t

       user_fonts_cache_t

            /root/.fontconfig(/.*)?
            /root/.fonts/auto(/.*)?
            /root/.fonts.cache-.*
            /root/.cache/fontconfig(/.*)?
            /home/[^/]+/.fontconfig(/.*)?
            /home/[^/]+/.fonts/auto(/.*)?
            /home/[^/]+/.fonts.cache-.*
            /home/[^/]+/.cache/fontconfig(/.*)?

       vmware_conf_t

            /home/[^/]+/.vmware[^/]*/.*.cfg

       vmware_file_t

            /home/[^/]+/vmware(/.*)?
            /home/[^/]+/.vmware(/.*)?

       vmware_pid_t

       vmware_tmp_t

       vmware_tmpfs_t

       xserver_tmpfs_t


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux vmware policy is very flexible, allowing users to set up their
       vmware processes in as secure a method as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for vmware. If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t vmware_tmpfs_t '/srv/myvmware_content(/.*)?'
       restorecon -R -v /srv/myvmware_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.
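       Added example, not part of this man page: how such regular expressions
       are resolved against a path. It emulates the lookup on a constructed
       file_contexts fragment built from the patterns listed on this page plus
       the /srv/myvmware_content entry from the semanage command above,
       assuming libselinux's rule that every pattern is anchored at both ends
       and that, when several entries match, the last one in the database
       wins. The contexts in the fragment are constructed; on a real system
       matchpathcon or ls -Z gives the authoritative answer.

```shell
#!/bin/sh
# Added example, not part of the vmware_selinux man page: show how the
# regular expressions in a file_contexts database are applied to a path.
# Each expression is anchored at both ends and, when several match, the
# last matching entry wins (this is the libselinux rule that lets a
# `semanage fcontext -a` entry override the stock policy's entries).

# Constructed file_contexts fragment for this example.  The patterns are the
# ones documented in this man page; the optional file-type column (such as
# "--") that real file_contexts lines may carry is omitted here.
SAMPLE_FC='/.*                                system_u:object_r:default_t:s0
/home/[^/]+/.+                     unconfined_u:object_r:user_home_t:s0
/home/[^/]+/vmware(/.*)?           unconfined_u:object_r:vmware_file_t:s0
/home/[^/]+/\.vmware(/.*)?         unconfined_u:object_r:vmware_file_t:s0
/home/[^/]+/\.vmware[^/]*/.*\.cfg  unconfined_u:object_r:vmware_conf_t:s0
/etc/vmware.*(/.*)?                system_u:object_r:vmware_sys_conf_t:s0
/var/log/vmware.*                  system_u:object_r:vmware_log_t:s0
/srv/myvmware_content(/.*)?        system_u:object_r:vmware_tmpfs_t:s0'

# lookup_type PATH
# Reads file_contexts lines on stdin and prints the SELinux type that the
# last matching entry assigns to PATH, or "(no match)" if none matches.
lookup_type() {
    awk -v path="$1" '
        /^[ \t]*$/ || /^#/ { next }              # skip blanks and comments
        {
            # the pattern must match the whole path, as libselinux anchors it
            if (path ~ ("^" $1 "$")) {
                split($NF, ctx, ":")             # user:role:type:level
                found = ctx[3]                   # later matches overwrite
            }
        }
        END { print (found == "" ? "(no match)" : found) }'
}

for p in /home/alice/vmware/disk.vmdk /home/alice/.vmware/preferences.cfg \
         /etc/vmware/config /srv/myvmware_content/vm1.vmx /usr/bin/ls; do
    printf '%-40s %s\n' "$p" "$(printf '%s\n' "$SAMPLE_FC" | lookup_type "$p")"
done
```

       The ordering is the whole point of the semanage example above: a local
       entry is appended after the stock ones, so it takes precedence for the
       paths it matches without editing the policy's own database.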

       The following file types are defined for vmware:

       vmware_conf_t

       - Set files with the vmware_conf_t type, if you want to treat the files
       as vmware configuration data, usually stored under the /etc directory.

       vmware_exec_t

       - Set files with the vmware_exec_t type, if you want to transition an
       executable to the vmware_t domain.

       Paths:
            /opt/vmware/(workstation|player)/bin/vmware,
            /opt/vmware/(workstation|player)/bin/vmware-ping,
            /opt/vmware/(workstation|player)/bin/vmware-wizard,
            /usr/bin/vmware, /usr/bin/vmware-ping, /usr/bin/vmware-wizard,
            /usr/sbin/vmware-serverd, /usr/lib/vmware/bin/vmplayer,
            /usr/lib/vmware/bin/vmware-ui, /usr/lib/vmware/bin/vmware-mks

       vmware_file_t

       - Set files with the vmware_file_t type, if you want to treat the files
       as vmware content.

       Paths:
            /home/[^/]+/vmware(/.*)?, /home/[^/]+/.vmware(/.*)?

       vmware_host_exec_t

       - Set files with the vmware_host_exec_t type, if you want to transition
       an executable to the vmware_host_t domain.

       Paths:
            /opt/vmware/(workstation|player)/bin/vmnet-natd,
            /opt/vmware/(workstation|player)/bin/vmnet-dhcpd,
            /opt/vmware/(workstation|player)/bin/vmware-nmbd,
            /opt/vmware/(workstation|player)/bin/vmware-smbd,
            /opt/vmware/(workstation|player)/bin/vmnet-bridge,
            /opt/vmware/(workstation|player)/bin/vmnet-netifup,
            /opt/vmware/(workstation|player)/bin/vmnet-sniffer,
            /opt/vmware/(workstation|player)/bin/vmware-smbpasswd,
            /opt/vmware/(workstation|player)/bin/vmware-smbpasswd.bin,
            /usr/sbin/vmware-guest.*, /usr/lib/vmware-tools/sbin32/vmware.*,
            /usr/lib/vmware-tools/sbin64/vmware.*, /usr/bin/vmnet-natd,
            /usr/bin/vmware-vmx, /usr/bin/vmnet-dhcpd, /usr/bin/vmware-nmbd,
            /usr/bin/vmware-smbd, /usr/bin/vmnet-bridge, /usr/bin/vmnet-netifup,
            /usr/bin/vmnet-sniffer, /usr/bin/vmware-network,
            /usr/bin/vmware-smbpasswd, /usr/bin/vmware-smbpasswd.bin,
            /usr/lib/vmware/bin/vmware-vmx

       vmware_host_pid_t

       - Set files with the vmware_host_pid_t type, if you want to store the
       vmware host files under the /run directory.

       Paths:
            /var/run/vmnat.*, /var/run/vmnet.*, /var/run/vmware.*

       vmware_host_tmp_t

       - Set files with the vmware_host_tmp_t type, if you want to store
       vmware host temporary files in the /tmp directories.

       vmware_log_t

       - Set files with the vmware_log_t type, if you want to treat the data
       as vmware log data, usually stored under the /var/log directory.

       Paths:
            /var/log/vmware.*, /var/log/vnetlib.*

       vmware_pid_t

       - Set files with the vmware_pid_t type, if you want to store the vmware
       files under the /run directory.

       vmware_sys_conf_t

       - Set files with the vmware_sys_conf_t type, if you want to treat the
       files as vmware sys configuration data, usually stored under the /etc
       directory.

       Paths:
            /etc/vmware.*(/.*)?, /usr/lib/vmware/config

       vmware_tmp_t

       - Set files with the vmware_tmp_t type, if you want to store vmware
       temporary files in the /tmp directories.

       vmware_tmpfs_t

       - Set files with the vmware_tmpfs_t type, if you want to store vmware
       files on a tmpfs file system.

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.


COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), vmware(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), vmware_host_selinux(8)



vmware                             19-12-02                  vmware_selinux(8)