# Security Domain for esxcfg-init invoked from
# backup.sh running in entropydDom

# Capability rules (-c): every capability named below is set to "revoke"
# for this domain. Going by the names, they cover opaque network connects
# and bind/connect on unix datagram and stream sockets, plus connect on
# vmklink sockets, so the domain is not meant to open IPC or network
# channels.
# NOTE(review): only "connect" is listed for vmklink sockets; confirm what
# an unlisted capability defaults to in this policy engine.
-c opaque_net_connect revoke
-c unix_dgram_socket_bind revoke
-c unix_dgram_socket_connect revoke
-c unix_stream_socket_bind revoke
-c unix_stream_socket_connect revoke
-c unix_vmklink_socket_connect revoke

# Resource rules (-r): a path followed by an optional permission string.
# Permission strings used in this file are r, w, x and rx. Entries with no
# permission string are used as deny entries (the comment further down says
# "deny everything else"), so "-r /" starts the domain from no filesystem
# access and the later lines open individual paths.
# NOTE(review): this layout assumes the most specific matching path wins
# regardless of line order - confirm against the policy loader.
-r /
# The binary this domain is written for: read and execute only.
-r /bin/esxcfg-init rx
-r /etc/localtime r
# Write access is granted on the directory itself; presumably the lock file
# name carries a PID and so cannot be listed as a fixed path - confirm.
-r /etc/vmware w #esx.conf.LOCK.PID
# Only esx.conf.LOCK.PID, esx.conf and the two vsphereFeatures files are
# needed; deny everything else in /etc/vmware.
# NOTE(review): this is an enumerated deny list under a writable parent.
# A file or directory added to /etc/vmware that is not listed below would
# presumably inherit the "w" grant above, so this list has to be kept in
# sync with the shipped contents of /etc/vmware. The entries where a missed
# addition or rename matters most are the security-relevant ones already
# listed here: ssl, tpm, encryption.info, secpolicy, firewall, vmwauth.
-r /etc/vmware/BootbankFunctions.sh
-r /etc/vmware/ah-trees.conf
-r /etc/vmware/autodeploy
-r /etc/vmware/config
-r /etc/vmware/configrules
-r /etc/vmware/configstore
-r /etc/vmware/cpservices
-r /etc/vmware/cpservices.d
-r /etc/vmware/default-config
-r /etc/vmware/default.map.d
-r /etc/vmware/defaultconfigrules
-r /etc/vmware/devel-host.conf
-r /etc/vmware/dpd.conf
-r /etc/vmware/dvsdata.db
-r /etc/vmware/dvxspecs.conf
-r /etc/vmware/encryption.info
-r /etc/vmware/envoy
-r /etc/vmware/fallback.map.d
-r /etc/vmware/firewall
-r /etc/vmware/gstored
-r /etc/vmware/hostd
-r /etc/vmware/hostparam.conf
-r /etc/vmware/hostspec
-r /etc/vmware/icu
-r /etc/vmware/ihv.map.d
-r /etc/vmware/infravisor
-r /etc/vmware/iofilters
-r /etc/vmware/license.cfg
-r /etc/vmware/logfilters
-r /etc/vmware/oem.map.d
-r /etc/vmware/passthru.map
-r /etc/vmware/pci.ids
-r /etc/vmware/pciid
-r /etc/vmware/rhttpproxy
-r /etc/vmware/schemastore
-r /etc/vmware/secpolicy
-r /etc/vmware/service
-r /etc/vmware/settings
-r /etc/vmware/snmp.xml
-r /etc/vmware/snmp_boots.txt
-r /etc/vmware/ssl
-r /etc/vmware/stats
-r /etc/vmware/stats.d
-r /etc/vmware/support
-r /etc/vmware/svga_caps.cache
-r /etc/vmware/system_fips
-r /etc/vmware/tpm
-r /etc/vmware/usb.ids
-r /etc/vmware/usbarb.rules
-r /etc/vmware/vltd.conf
-r /etc/vmware/vm-support
-r /etc/vmware/vmfs
-r /etc/vmware/vmkiscsid
-r /etc/vmware/vmwauth
-r /etc/vmware/vsan
-r /etc/vmware/vsphereFeatures
-r /etc/vmware/vvold
-r /etc/vmware/weasel
# Read-only exceptions to the /etc/vmware/vsphereFeatures deny entry above;
# the rest of that directory stays denied.
-r /etc/vmware/vsphereFeatures/techPreview.cfg r
-r /etc/vmware/vsphereFeatures/vsphereFeatures.cfg r
# Library directories get "x" only, with no "r" or "w".
# NOTE(review): presumably "x" alone is enough to load shared libraries
# under this policy engine - confirm.
-r /lib64 x
-r /usr/lib64 x

# Syscall-group rules (-s): each group named below is granted to the domain.
# NOTE(review): groups not listed are presumably unavailable to the domain;
# confirm the default in the policy engine.
# Going by the names, mprotectSys (changing memory protections) and
# vsiWriteSys (writes through the VSI interface) are the widest grants here;
# re-check that esxcfg-init still needs both whenever this policy is revised.
-s genericSys grant
-s vsiReadSys grant
-s openSys grant
-s mprotectSys grant
-s vobSys grant
-s vsiWriteSys grant
