Add support for open-vm-tools

node=localhost type=AVC msg=audit(1732592552.733:8660): avc:  denied  { create } for  pid=1006 comm="vmtoolsd" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=vsock_socket permissive=0
node=localhost type=AVC msg=audit(1732592232.142:477): avc:  denied  { create } for  pid=1005 comm="VGAuthService" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=vsock_socket permissive=0
node=localhost type=AVC msg=audit(1732592232.516:506): avc:  denied  { read write } for  pid=1006 comm="vmtoolsd" name="card0" dev="devtmpfs" ino=275 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=0
node=localhost type=AVC msg=audit(1732592232.194:479): avc:  denied  { create } for  pid=1005 comm="VGAuthService" name="vmware" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0

Signed-off-by: Dave Sugar <dsugar100@gmail.com>

policy/modules/apps/vmware.fc

@@ -4,23 +4,37 @@ HOME_DIR/vmware(/.*)?	gen_context(system_u:object_r:vmware_file_t,s0)
 
 /etc/vmware.*(/.*)?	gen_context(system_u:object_r:vmware_sys_conf_t,s0)
 
+/usr/bin/VGAuthService	--	gen_context(system_u:object_r:vmware_vgauth_service_exec_t,s0)
+/usr/bin/vmtoolsd		--	gen_context(system_u:object_r:vmware_tools_exec_t,s0)
+
 /usr/bin/vmnet-bridge	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /usr/bin/vmnet-dhcpd	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /usr/bin/vmnet-natd	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /usr/bin/vmnet-netifup	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /usr/bin/vmnet-sniffer	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-alias-import	--	gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/bin/vmware-checkvm	--	gen_context(system_u:object_r:vmware_exec_t,s0)
 /usr/bin/vmware-guest.*	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-hgfsclient	--	gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/bin/vmware-namespace-cmd	--	gen_context(system_u:object_r:vmware_exec_t,s0)
 /usr/bin/vmware-network	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /usr/bin/vmware-nmbd	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /usr/bin/vmware-ping	--	gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/bin/vmware-rpctool	--	gen_context(system_u:object_r:vmware_exec_t,s0)
 /usr/bin/vmware-serverd	--	gen_context(system_u:object_r:vmware_exec_t,s0)
 /usr/bin/vmware-smbd	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /usr/bin/vmware-smbpasswd	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /usr/bin/vmware-smbpasswd\.bin	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-toolbox-cmd	--	gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/bin/vmware-vgauth-cmd	--	gen_context(system_u:object_r:vmware_exec_t,s0)
 /usr/bin/vmware-vmx	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /usr/bin/vmware-wizard	--	gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/bin/vmware-xferlogs	--	gen_context(system_u:object_r:vmware_exec_t,s0)
 /usr/bin/vmware	--	gen_context(system_u:object_r:vmware_exec_t,s0)
 
+/usr/lib/systemd/system/vgauthd\.service	--	gen_context(system_u:object_r:vmware_unit_t,s0)
+/usr/lib/systemd/system/vmtoolsd\.service	--	gen_context(system_u:object_r:vmware_unit_t,s0)
+
 /usr/lib/vmware/config	--	gen_context(system_u:object_r:vmware_sys_conf_t,s0)
 /usr/lib/vmware/bin/vmplayer	--	gen_context(system_u:object_r:vmware_exec_t,s0)
 /usr/lib/vmware/bin/vmware-mks	--	gen_context(system_u:object_r:vmware_exec_t,s0)

policy/modules/apps/vmware.if

@@ -71,6 +71,25 @@ interface(`vmware_exec_host',`
 	can_exec($1, vmware_host_exec_t)
 ')
 
+########################################
+## <summary>
+##	Execute vmware guest executables
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`vmware_exec_guest',`
+	gen_require(`
+		type vmware_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, vmware_exec_t)
+')
+
 ########################################
 ## <summary>
 ##	Read vmware system configuration files.

policy/modules/apps/vmware.te

@@ -42,6 +42,24 @@ userdom_user_tmp_file(vmware_tmp_t)
 type vmware_tmpfs_t;
 userdom_user_tmpfs_file(vmware_tmpfs_t)
 
+type vmware_tools_t;
+type vmware_tools_exec_t;
+init_daemon_domain(vmware_tools_t, vmware_tools_exec_t)
+
+type vmware_tools_tmp_t;
+userdom_user_tmp_file(vmware_tools_tmp_t)
+
+type vmware_unit_t;
+init_unit_file(vmware_unit_t)
+
+type vmware_var_lib_t;
+files_type(vmware_var_lib_t)
+
+type vmware_vgauth_service_t;
+type vmware_vgauth_service_exec_t;
+init_daemon_domain(vmware_vgauth_service_t, vmware_vgauth_service_exec_t)
+
+
 optional_policy(`
 	wm_application_domain(vmware_t, vmware_exec_t)
 ')
@@ -257,3 +275,96 @@ tunable_policy(`use_samba_home_dirs',`
 	fs_manage_cifs_files(vmware_t)
 	fs_manage_cifs_symlinks(vmware_t)
 ')
+
+
+########################################
+#
+# Guest vmware-tools local policy
+#
+
+allow vmware_tools_t self:capability { net_admin net_bind_service sys_admin sys_time };
+allow vmware_tools_t self:fifo_file rw_inherited_fifo_file_perms;
+allow vmware_tools_t self:netlink_route_socket { create rw_netlink_socket_perms };
+allow vmware_tools_t self:process { getsched setsched };
+allow vmware_tools_t self:udp_socket create_socket_perms;
+allow vmware_tools_t self:unix_dgram_socket create_socket_perms;
+allow vmware_tools_t self:unix_stream_socket create_socket_perms;
+allow vmware_tools_t self:vsock_socket create_socket_perms;
+
+append_files_pattern(vmware_tools_t, vmware_log_t, vmware_log_t)
+create_files_pattern(vmware_tools_t, vmware_log_t, vmware_log_t)
+rename_files_pattern(vmware_tools_t, vmware_log_t, vmware_log_t)
+setattr_files_pattern(vmware_tools_t, vmware_log_t, vmware_log_t)
+logging_log_filetrans(vmware_tools_t, vmware_log_t, file)
+
+allow vmware_tools_t vmware_tools_tmp_t:dir { create_dir_perms delete_dir_perms };
+manage_files_pattern(vmware_tools_t, vmware_tools_tmp_t, vmware_tools_tmp_t)
+files_tmp_filetrans(vmware_tools_t, vmware_tools_tmp_t, { file dir })
+
+vmware_exec_guest(vmware_tools_t)
+
+corecmd_exec_bin(vmware_tools_t)
+corecmd_exec_shell(vmware_tools_t)
+
+dev_read_sysfs(vmware_tools_t)
+dev_read_vsock(vmware_tools_t)
+dev_rw_dri(vmware_tools_t)
+dev_rw_vmware(vmware_tools_t)
+
+files_read_etc_files(vmware_tools_t)
+files_read_usr_files(vmware_tools_t)
+files_search_var_lib(vmware_tools_t)
+
+fs_getattr_xattr_fs(vmware_tools_t)
+
+kernel_read_network_state(vmware_tools_t)
+kernel_read_system_state(vmware_tools_t)
+kernel_request_load_module(vmware_tools_t)
+
+dbus_system_bus_client(vmware_tools_t)
+
+init_read_state(vmware_tools_t)
+
+logging_send_syslog_msg(vmware_tools_t)
+
+miscfiles_read_localization(vmware_tools_t)
+
+systemd_dbus_chat_logind(vmware_tools_t)
+
+udev_read_runtime_files(vmware_tools_t)
+
+########################################
+#
+# Guest VGAuthService local policy
+#
+
+allow vmware_vgauth_service_t self:fifo_file rw_inherited_fifo_file_perms;
+allow vmware_vgauth_service_t self:unix_dgram_socket create_socket_perms;
+allow vmware_vgauth_service_t self:unix_stream_socket create_stream_socket_perms;
+allow vmware_vgauth_service_t self:vsock_socket create_socket_perms;
+
+append_files_pattern(vmware_vgauth_service_t, vmware_log_t, vmware_log_t)
+create_files_pattern(vmware_vgauth_service_t, vmware_log_t, vmware_log_t)
+setattr_files_pattern(vmware_vgauth_service_t, vmware_log_t, vmware_log_t)
+logging_log_filetrans(vmware_vgauth_service_t, vmware_log_t, file)
+
+create_dirs_pattern(vmware_vgauth_service_t, vmware_var_run_t, vmware_var_run_t)
+manage_files_pattern(vmware_vgauth_service_t, vmware_var_run_t, vmware_var_run_t)
+manage_sock_files_pattern(vmware_vgauth_service_t, vmware_var_run_t, vmware_var_run_t)
+files_runtime_filetrans(vmware_vgauth_service_t, vmware_var_run_t, { dir file sock_file })
+
+create_dirs_pattern(vmware_vgauth_service_t, vmware_var_lib_t, vmware_var_lib_t)
+manage_files_pattern(vmware_vgauth_service_t, vmware_var_lib_t, vmware_var_lib_t)
+files_var_lib_filetrans(vmware_vgauth_service_t, vmware_var_lib_t, dir, "vmware")
+
+corecmd_read_bin_files(vmware_vgauth_service_t)
+
+files_read_etc_files(vmware_vgauth_service_t)
+files_read_usr_files(vmware_vgauth_service_t)
+
+kernel_request_load_module(vmware_vgauth_service_t)
+
+logging_send_syslog_msg(vmware_vgauth_service_t)
+
+miscfiles_read_generic_certs(vmware_vgauth_service_t)
+miscfiles_read_localization(vmware_vgauth_service_t)

policy/modules/kernel/devices.fc

@@ -149,6 +149,7 @@ ifdef(`distro_suse', `
 /dev/vhost-scsi		-c	gen_context(system_u:object_r:vhost_device_t,s0)
 /dev/vhost-vsock        -c      gen_context(system_u:object_r:vhost_device_t,s0)
 /dev/video.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/vmci			-c	gen_context(system_u:object_r:vmware_device_t,s0)
 /dev/vmmon		-c	gen_context(system_u:object_r:vmware_device_t,s0)
 /dev/vmnet.*		-c	gen_context(system_u:object_r:vmware_device_t,s0)
 /dev/vrtpanel		-c	gen_context(system_u:object_r:mouse_device_t,s0)