#
# Policy rules for the vmsyslog daemon (ESXi syslog service).
# Rule kinds used below: -c socket-class capability, -p socket rule
# scoped to a path or port, -r filesystem path permission, -s syscall group.
#

# --- Socket capabilities (-c <operation> grant) --------------------------
# Grants by socket class. The inet_* entries cover the network listener /
# forwarder side, the unix_* entries the local log sockets; the vmklink
# connect is the socket path into the VMkernel (assumed from the name --
# confirm against the policy engine's class list).
-c inet_dgram_socket_create grant
-c inet_stream_socket_create grant
-c unix_socket_create grant
-c unix_dgram_socket_bind grant
-c unix_dgram_socket_connect grant
-c unix_stream_socket_bind grant
-c unix_stream_socket_connect grant
-c unix_vmklink_socket_connect grant

# --- Socket rules scoped by path or port (-p <operation> <target> grant|revoke)
# Local datagram sockets the daemon binds to receive log input.
-p unix_dgram_socket_bind /dev/auditlog grant
-p unix_dgram_socket_bind /dev/log grant
-p unix_dgram_socket_bind /dev/vmwSyslog grant
-p unix_stream_socket_connect /var/run/nscd/socket grant # name-service cache (presumably for resolving remote log targets)
# NOTE(review): outbound connect to ANY non-loopback address. Required for
# remote syslog forwarding, but it is the broadest network grant in this
# file -- the destination set is bounded only by the daemon's configured
# targets, not by this policy. Confirm no narrower form is available.
-p inet_socket_connect nonloopback grant
-p inet_socket_bind 514 grant # standard syslog port
-p inet_socket_bind 8514  grant # port used for ESXio to ESXi communication
-p unix_stream_socket_connect /var/run/vmware/vobd-user-ctx.sock grant # vobd user-context socket (assumed from the path)
# Explicit revokes for the vmwLocalSocketAuthentication socket, both
# directions. Keep these even if the -c grants above are ever widened.
-p unix_stream_socket_connect vmwLocalSocketAuthentication revoke
-p unix_stream_socket_bind vmwLocalSocketAuthentication revoke

# --- Filesystem access (-r <path> [r|w|x]) --------------------------------
# An entry with no permission token is a deny; the "deny ... except the
# ones below" comments indicate the most specific matching entry wins
# (confirm against the policy engine's matching rules).
# NOTE(review): "/ rw" is a read-write BASE grant: any path without a more
# specific entry below (i.e. anything outside /dev, /lib, /usr, /var) is
# writable by the daemon. Least privilege would prefer a default-deny root
# with explicit grants; confirm the broad base is intentional.
-r / rw
-r /bin rx
-r /dev # deny everything in dev except the ones below
-r /dev/auditlog rw
-r /dev/char/mem/klog r # kernel log input (read-only)
-r /dev/char/mem/null w
-r /dev/char/vmkdriver/urandom r # entropy source (read-only)
-r /dev/log rw
-r /dev/vmwSyslog rw
-r /etc r
# NOTE(review): the rw grant below covers all of /etc/vmware, which is wider
# than the two lock files it is justified by; narrow it if the engine
# supports per-file entries.
-r /etc/vmware rw # /etc/vmware/esx.conf.LOCK and /etc/vmware/esx.conf.LOCK.pid
-r /lib # deny lib
-r /lib64 rx
-r /tmp rw
-r /usr # deny everything in usr except for the ones below
-r /usr/lib rx
-r /usr/lib64/ rx # NOTE(review): trailing slash differs from every other entry -- verify it matches the same way as /usr/lib
-r /var # deny everything in var except for the ones below
-r /var/tmp rw
-r /var/log rw # local log directory (presumably the default logdir)
-r /var/run rw
-r /var/run/gfx # deny gfx
# NOTE(review): rw on every datastore under /vmfs. Needed when the log
# directory is placed on a datastore, but the policy cannot restrict which
# volume or directory is written -- confirm this breadth is acceptable.
-r /vmfs rw


# --- Syscall groups (-s <group> grant) ------------------------------------
# NOTE(review): forkSys/execSys/cloneSys let the daemon spawn and exec
# child processes; confirm which helpers actually need this and drop the
# grants if none do. mprotectSys is typically required by the runtime or
# loader -- confirm it cannot be removed before tightening.
-s genericSys grant
-s ioctlSys grant
-s vsiReadSys grant
-s vsiWriteSys grant
-s forkSys grant
-s execSys grant
-s cloneSys grant
-s openSys grant
-s mprotectSys grant
