ESXi uses daemon sandboxing as an access-control mechanism between userworlds (hostd, vpxa, etc.) and objects (files, directories, network sockets, etc.).

secpolicytools lets you list and tweak the security policies that are defined under each domain (daemon sandbox).

[root@esx01:~] secpolicytools -h
Usage: secpolicytools <options> 
   -r|--reset                                Reset all policy rules.
   -p|--load-policy[policy dir]              Load a predefined policy.
                                             A default dir of /etc/vmware/secpolicy
                                             will be used.
   -d|--display-policy                       Display the current policy.
   -D|--lookup-domain <label>                Lookup the value of a domain label.
   -O|--lookup-object <label>                Lookup the value of an object label.
   -l|--list-labels                          List all valid domains and objects 
   -k|--keywords                             List all policy keywords.
   -g|--get-label <file>                     Get the object label for a file.
   -s|--set-label <file> -L|--label <label>  Set the object label for a file.
   -T|--set-tag <string> -L|--label <label>  Add VMCI service access to privileged VM with label.
   -N|--new-dom <label>                      Create domain for privileged VM with label.
   -C|--del-dom <label>                      Delete domain for privileged VM with label.
   -h|--help                                 Show this message.
   There are additional options in esxcli system secpolicy.

You can list all defined domains using either esxcli system secpolicy domain list or secpolicytools -l.

[root@esx01:~] esxcli system secpolicy domain list
Domain Name             Enforcement Level
----------------------  -----------------
superDom                enforcing
regularVMDom            enforcing
appDom                  enforcing
daemonFrameworkDom      enforcing
globalVMDom             enforcing
ioFilterDom             enforcing
muxDom                  enforcing
ntpdDom                 enforcing
pluginDom               enforcing
pluginFrameworkDom      enforcing
ptpdDom                 enforcing
sfcbPluginFrameworkDom  enforcing
sfcbVmwPluginDom        enforcing
slpdDom                 enforcing
snmpdDom                enforcing
tpm2emuDom              enforcing
vmwpluginDom            enforcing
wsmandDom               enforcing
cfgagentDom             enforcing
nestdbDom               enforcing
hostd311                enforcing
hostd343                enforcing
hostd345                enforcing
hostd350                enforcing
hostd356                enforcing
hostd358                enforcing
hostd359                enforcing
hostd365                enforcing
hostd370                enforcing
hostd373                enforcing
hostd375                enforcing
hostd376                enforcing
hostd383                enforcing
hostd384                enforcing
hostd304                enforcing

[root@esx01:~] secpolicytools -l
Valid Object Labels
appObj    3117
authObj    3119
certObj    3120
cimObj    3113
muxObj    3112
pluginObj    3114
secpolicyObj    3111
sfcbVmwPluginObj    3116
sslKeyObj    3118
tardiskMountObj    3121
tpm2emuObj    3122
unlabeled    0
vmwpluginObj    3115
Valid domains
0   superDom
1   regularVMDom
2   appDom
3   daemonFrameworkDom
4   globalVMDom
5   ioFilterDom
6   muxDom
7   ntpdDom
8   pluginDom
9   pluginFrameworkDom
10   ptpdDom
11   sfcbPluginFrameworkDom
12   sfcbVmwPluginDom
13   slpdDom
14   snmpdDom
15   tpm2emuDom
16   vmwpluginDom
17   wsmandDom
18   cfgagentDom
19   nestdbDom
27   hostd311
44   hostd343
46   hostd345
49   hostd350
50   hostd356
52   hostd358
53   hostd359
57   hostd365
62   hostd370
65   hostd373
67   hostd375
68   hostd376
75   hostd383
76   hostd384
78   hostd304

To review the policies defined for a specific domain, first look up the domain's numeric ID with secpolicytools -D DOMAIN, then display that domain's policy with secpolicytools -dVALUE.

[root@esx01:~] secpolicytools -D globalVMDom
[root@esx01:~] secpolicytools -d4
Policy set in the kernel

Domain Name: globalVMDom Domain ID :4 Enforcement Level: enforcing
State: 3 RefCount: 2 WorldRefCount: 0
-c dgram_vsocket_bind grant
-c dgram_vsocket_create grant
-c dgram_vsocket_send grant
-c dgram_vsocket_trusted grant
-c inet_dgram_socket_create grant
-c inet_stream_socket_create grant
-c stream_vsocket_bind grant
-c stream_vsocket_connect grant
-c stream_vsocket_create grant
-c stream_vsocket_trusted grant
-c unix_dgram_socket_bind grant
-c unix_socket_create grant
-c unix_stream_socket_bind grant
-c vsocket_provide_service grant

-d tpm2emuObj tpm2emuDom file_exec grant

-p inet_socket_bind all grant
-p inet_socket_connect loopback grant
-p inet_socket_connect nonloopback grant

-r /usr/share/certs r
-r /tools r
-r /bin/remoteDeviceConnect rx
-r /bin/vmx rx
-r /tmp rw
-r /vmimages r
-r /bin/tpm2emu rx
-r /dev/cbt rw
-r /var/run rw
-r /dev/char rw
-r /dev/upit rw
-r /var/lock rw
-r /dev/vdfm rw
-r /dev/deltadisks rw
-r /lib rx
-r /usr/libexec rx
-r /usr/share/nvidia r
-r /lib64 rx
-r /bin/vmx-stats rx
-r /dev/vvol rw
-r /dev/PMemDisk rw
-r /usr/lib64 rx
-r /dev/vflash rw
-r /usr/lib rx
-r /etc r
-r /dev/vsan rw
-r /dev/svm rw
-r /var/run/vmware-hostd-ticket 
-r /var/run/inetd.conf 
-r /.vmware r
-r /dev/vsansparse rw
-r /bin/vmx-debug rx

So, why did I go digging into secpolicytools on ESXi?

We had a VMware Tools upgrade failure that reported an I/O error when accessing the Tools ISO file on the ESXi host.

2021-10-05T04:43:53.966Z| vmx| | I005: ToolsISO: Failed to open Tools ISO /vmfs/volumes/5d3fb5c5-3146d212-4263-8030e03bdef0/productLocker/vmtools/windows.iso (FileIOResult=2).
2021-10-05T04:43:53.966Z| vmx| | I005: Cannot open ISO image with upgrader binaries.
2021-10-05T04:43:53.966Z| vmx| | I005: TOOLS INSTALL entering IDLE state.

VMware Tools ISO images are stored under /productLocker. In this case the productLocker volume was on an external device, /vmfs/volumes/5d3fb5c5-3146d212-4263-8030e03bdef0/productLocker/ in the log above. The VMs were unable to access the ISO files because no policy rule covered the external productLocker path!
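As an added example (not code from the original post), the following Python parser reads the secpolicytools -d dump format shown above and reports which -r rule, if any, covers a given file path and what it grants. It assumes the kernel matches -r rules by longest path-component prefix without resolving symlinks, which is an assumption about evaluation order, not something this page documents; run against the rules above, the external productLocker ISO path matches no rule at all.

```python
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of a `secpolicytools -d` dump, modelled on the globalVMDom
# output above; the datastore uuid in ISO below is the one from the vmx log.
SAMPLE_POLICY = """\
Domain Name: globalVMDom Domain ID :4 Enforcement Level: enforcing
State: 3 RefCount: 2 WorldRefCount: 0
-c stream_vsocket_create grant
-d tpm2emuObj tpm2emuDom file_exec grant
-p inet_socket_connect loopback grant
-r /tools r
-r /bin/vmx rx
-r /tmp rw
-r /vmimages r
-r /var/run rw
-r /var/run/vmware-hostd-ticket
"""

Rules = Dict[str, List[List[str]]]

def parse_policy(text: str) -> Rules:
    """Group rule lines by type flag (-c capability, -d object/domain, -p network,
    -r path); header lines and blank lines are skipped."""
    rules: Rules = {"-c": [], "-d": [], "-p": [], "-r": []}
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] in rules:
            rules[parts[0]].append(parts[1:])
    return rules

def path_rule(rules: Rules, path: str) -> Optional[Tuple[str, str]]:
    """Most specific -r rule covering `path`, as (prefix, perms), or None.
    Assumption: longest-prefix match on whole path components, no symlink
    resolution. A rule with no permission string yields perms == ''."""
    best: Optional[Tuple[str, str]] = None
    for entry in rules["-r"]:
        prefix, perms = entry[0], (entry[1] if len(entry) > 1 else "")
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, perms)
    return best

def can_access(rules: Rules, path: str, needed: str) -> bool:
    """True only if an -r rule covers the path and grants every letter in `needed`."""
    match = path_rule(rules, path)
    return match is not None and all(p in match[1] for p in needed)

RULES = parse_policy(SAMPLE_POLICY)
ISO = "/vmfs/volumes/5d3fb5c5-3146d212-4263-8030e03bdef0/productLocker/vmtools/windows.iso"

if __name__ == "__main__":
    for p, need in [("/bin/vmx", "rx"), ("/tmp/x.log", "w"), (ISO, "r")]:
        print(p, "->", path_rule(RULES, p), "ok" if can_access(RULES, p, need) else "DENIED")
```

To check a real host, pipe the output of secpolicytools -d for the VM domain into parse_policy instead of SAMPLE_POLICY.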

To resolve the issue:

  1. Ensure /productLocker is symlinked to the correct path.
  2. Migrate or power off the VMs on the host.
  3. Run the command secpolicytools -p. This rebuilds all the policies from the config files under /etc/vmware/secpolicy.
  4. Migrate VMs back or power on the VMs.