[selinux-policy: 2416/3172] Wine patch from Dan Walsh.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:34:24 UTC 2010


commit 4796d07ee0005f6b43ac49f52ae1400c2120c25d
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri Feb 19 09:17:51 2010 -0500

    Wine patch from Dan Walsh.

 policy/modules/apps/wine.fc |   23 ++++++++-
 policy/modules/apps/wine.if |  110 +++++++++++++++++++++++++++++++++++++++++++
 policy/modules/apps/wine.te |   34 +++++++++++--
 3 files changed, 158 insertions(+), 9 deletions(-)
---
diff --git a/policy/modules/apps/wine.fc b/policy/modules/apps/wine.fc
index ad8a476..9d24449 100644
--- a/policy/modules/apps/wine.fc
+++ b/policy/modules/apps/wine.fc
@@ -1,4 +1,21 @@
-/usr/bin/wine			--	gen_context(system_u:object_r:wine_exec_t,s0)
+HOME_DIR/cxoffice/bin/wine.+	--	gen_context(system_u:object_r:wine_exec_t,s0)
 
-/opt/cxoffice/bin/wine		--	gen_context(system_u:object_r:wine_exec_t,s0)
-/opt/picasa/wine/bin/wine	--	gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/cxoffice/bin/wine.*	--	gen_context(system_u:object_r:wine_exec_t,s0)
+
+/opt/google/picasa(/.*)?/bin/msiexec --	gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/notepad --	gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/progman --	gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/regsvr32 -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/regedit --	gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/wdi --	gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/wine.* --	gen_context(system_u:object_r:wine_exec_t,s0)
+
+/opt/picasa/wine/bin/wine.*	--	gen_context(system_u:object_r:wine_exec_t,s0)
+
+/usr/bin/msiexec		--	gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/notepad		--	gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/regsvr32		--	gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/regedit		--	gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/uninstaller		--	gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/wine.*			--	gen_context(system_u:object_r:wine_exec_t,s0)
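Review bot: The new `HOME_DIR/cxoffice/bin/wine.+` entry on the first added line uses `.+` while every other wine pattern in this hunk uses `.*`, so a binary named exactly `wine` under a user's `cxoffice/bin` is not labeled `wine_exec_t` although `/opt/cxoffice/bin/wine` is. Unless the omission is deliberate, the line should read `HOME_DIR/cxoffice/bin/wine.*	--	gen_context(system_u:object_r:wine_exec_t,s0)`. It is also worth a comment that `wine.*` intentionally covers the `wine`, `wineserver`, `winecfg` style helpers, since the pattern is broader than the single path it replaces.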
diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if
index 7a99209..bdc0762 100644
--- a/policy/modules/apps/wine.if
+++ b/policy/modules/apps/wine.if
@@ -1,5 +1,115 @@
 ## <summary>Wine Is Not an Emulator.  Run Windows programs in Linux.</summary>
 
+#######################################
+## <summary>
+##	The per role template for the wine module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for wine applications.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`wine_role',`
+	gen_require(`
+		type wine_exec_t;
+	')
+
+	role $1 types wine_t;
+
+	domain_auto_trans($2, wine_exec_t, wine_t)
+	allow wine_t $2:fd use;
+	allow wine_t $2:process { sigchld signull };
+	allow wine_t $2:unix_stream_socket connectto;
+
+	# Allow the user domain to signal/ps.
+	ps_process_pattern($2, wine_t)
+	allow $2 wine_t:process signal_perms;
+
+	allow $2 wine_t:fd use;
+	allow $2 wine_t:shm { associate getattr };
+	allow $2 wine_t:shm { unix_read unix_write };
+	allow $2 wine_t:unix_stream_socket connectto;
+
+	# X access, Home files
+	manage_dirs_pattern($2, wine_home_t, wine_home_t)
+	manage_files_pattern($2, wine_home_t, wine_home_t)
+	manage_lnk_files_pattern($2, wine_home_t, wine_home_t)
+	relabel_dirs_pattern($2, wine_home_t, wine_home_t)
+	relabel_files_pattern($2, wine_home_t, wine_home_t)
+	relabel_lnk_files_pattern($2, wine_home_t, wine_home_t)
+')
+
+#######################################
+## <summary>
+##	The role template for the wine module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for wine applications.
+##	</p>
+## </desc>
+## <param name="role_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+#
+template(`wine_role_template',`
+	gen_require(`
+		type wine_exec_t;
+	')
+
+	type $1_wine_t;
+	domain_type($1_wine_t)
+	domain_entry_file($1_wine_t, wine_exec_t)
+	ubac_constrained($1_wine_t)
+	role $2 types $1_wine_t;
+
+	allow $1_wine_t self:process { execmem execstack };
+	allow $3 $1_wine_t:process { getattr ptrace noatsecure signal_perms };
+	domtrans_pattern($3, wine_exec_t, $1_wine_t)
+	corecmd_bin_domtrans($1_wine_t, $1_t)
+
+	userdom_unpriv_usertype($1, $1_wine_t)
+	userdom_manage_tmpfs_role($2, $1_wine_t)
+
+	domain_mmap_low($1_wine_t)
+
+	optional_policy(`
+		xserver_role($1_r, $1_wine_t)
+	')
+')
+
 ########################################
 ## <summary>
 ##	Execute the wine program in the wine domain.
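Review bot: The `gen_require` block of the new `wine_role` template declares only `wine_exec_t`, yet the body references `wine_t` (`role $1 types wine_t`, the fd/process/shm rules) and `wine_home_t` (the manage/relabel patterns), and no `type wine_home_t` declaration appears in the wine.te hunks of this commit, so a caller of this template will fail to build unless that type is declared elsewhere. The require should read `type wine_t, wine_exec_t, wine_home_t;` and wine.te should gain a matching `type wine_home_t;` with a home-content interface such as `userdom_user_home_content(wine_home_t)`. The `<param>` documentation of `wine_role` also does not match its body: it describes three parameters (prefix, domain, role) but the template uses `$1` as the role and `$2` as the user domain, so the doc block should list exactly `user_role` and `user_domain` in that order. In `wine_role_template`, `corecmd_bin_domtrans($1_wine_t, $1_t)` and `xserver_role($1_r, $1_wine_t)` derive names from the prefix instead of using the `$3` domain and `$2` role that the template already receives; the derived names silently diverge from the documented parameters when a caller passes a role or domain that does not follow the `$1_r`/`$1_t` naming.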
diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te
index d7d9720..a56e730 100644
--- a/policy/modules/apps/wine.te
+++ b/policy/modules/apps/wine.te
@@ -1,5 +1,5 @@
 
-policy_module(wine, 1.6.0)
+policy_module(wine, 1.6.1)
 
 ########################################
 #
@@ -9,20 +9,42 @@ policy_module(wine, 1.6.0)
 type wine_t;
 type wine_exec_t;
 application_domain(wine_t, wine_exec_t)
+ubac_constrained(wine_t)
+role system_r types wine_t;
+
+type wine_tmp_t;
+files_tmp_file(wine_tmp_t)
+ubac_constrained(wine_tmp_t)
 
 ########################################
 #
 # Local policy
 #
 
+allow wine_t self:process { execstack execmem execheap };
+allow wine_t self:fifo_file manage_fifo_file_perms;
+
+can_exec(wine_t, wine_exec_t)
+
+manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t)
+manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t)
+files_tmp_filetrans(wine_t, wine_tmp_t, { file dir })
+
+domain_mmap_low(wine_t)
+
+files_execmod_all_files(wine_t)
+
 userdom_use_user_terminals(wine_t)
 
 optional_policy(`
-	allow wine_t self:process { execstack execmem execheap };
+	hal_dbus_chat(wine_t)
+')
+
+optional_policy(`
 	unconfined_domain_noaudit(wine_t)
-	files_execmod_all_files(wine_t)
+')
 
- 	optional_policy(`
- 		hal_dbus_chat(wine_t)
- 	')
+optional_policy(`
+	xserver_read_xdm_pid(wine_t)
+	xserver_rw_shm(wine_t)
 ')
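Review bot: `files_execmod_all_files(wine_t)` and the `execstack execmem execheap` self permissions are moved out of the `optional_policy` block that also applies `unconfined_domain_noaudit(wine_t)` and are now granted unconditionally, so `wine_t` may apply text relocations to any file and run with executable stack and heap even on systems where the unconfined module is not installed. The commit message does not say whether this widening is intended, and the old placement suggests it was previously tied to the unconfined case. If it is intended, add a comment above the `files_execmod_all_files(wine_t)` line such as `# execmod on arbitrary files is granted unconditionally, not only with the unconfined module; confirm this is required`; otherwise keep that interface inside the unconfined `optional_policy` block or gate it with a tunable so administrators can turn it off. The new `role system_r types wine_t;` line is fine in itself but is also worth a one-line comment naming the system-role caller it exists for.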

