[selinux-policy: 2416/3172] Wine patch from Dan Walsh.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 22:34:24 UTC 2010
commit 4796d07ee0005f6b43ac49f52ae1400c2120c25d
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Fri Feb 19 09:17:51 2010 -0500
Wine patch from Dan Walsh.
policy/modules/apps/wine.fc | 23 ++++++++-
policy/modules/apps/wine.if | 110 +++++++++++++++++++++++++++++++++++++++++++
policy/modules/apps/wine.te | 34 +++++++++++--
3 files changed, 158 insertions(+), 9 deletions(-)
---
diff --git a/policy/modules/apps/wine.fc b/policy/modules/apps/wine.fc
index ad8a476..9d24449 100644
--- a/policy/modules/apps/wine.fc
+++ b/policy/modules/apps/wine.fc
@@ -1,4 +1,21 @@
-/usr/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
+HOME_DIR/cxoffice/bin/wine.+ -- gen_context(system_u:object_r:wine_exec_t,s0)
-/opt/cxoffice/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
-/opt/picasa/wine/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/cxoffice/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
+
+/opt/google/picasa(/.*)?/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/progman -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/regsvr32 -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/regedit -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/wdi -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
+
+/opt/picasa/wine/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
+
+/usr/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/regsvr32 -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/regedit -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
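Review bot: The HOME_DIR entry on the first added line uses `wine.+` while every other wine entry in this hunk uses `wine.*`, so a bare `~/cxoffice/bin/wine` would not receive wine_exec_t even though `/opt/cxoffice/bin/wine` does; unless the omission is deliberate, change it to `HOME_DIR/cxoffice/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)`. It is also worth a comment that `wine.*` is broad: every file whose name starts with `wine` in those directories (wineserver, winecfg, the preloader, …) becomes an entry point for the wine domain, which matters because wine_t is granted execmod and low-address mapping in the wine.te hunk of this same commit. Presumably that is intended, but a one-line comment such as `# all wine front-ends and helpers are entry points for wine_t` above the /usr/bin group would spare the next reviewer the guess.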
diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if
index 7a99209..bdc0762 100644
--- a/policy/modules/apps/wine.if
+++ b/policy/modules/apps/wine.if
@@ -1,5 +1,115 @@
## <summary>Wine Is Not an Emulator. Run Windows programs in Linux.</summary>
+#######################################
+## <summary>
+## The per role template for the wine module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for wine applications.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+#
+template(`wine_role',`
+ gen_require(`
+ type wine_exec_t;
+ ')
+
+ role $1 types wine_t;
+
+ domain_auto_trans($2, wine_exec_t, wine_t)
+ allow wine_t $2:fd use;
+ allow wine_t $2:process { sigchld signull };
+ allow wine_t $2:unix_stream_socket connectto;
+
+ # Allow the user domain to signal/ps.
+ ps_process_pattern($2, wine_t)
+ allow $2 wine_t:process signal_perms;
+
+ allow $2 wine_t:fd use;
+ allow $2 wine_t:shm { associate getattr };
+ allow $2 wine_t:shm { unix_read unix_write };
+ allow $2 wine_t:unix_stream_socket connectto;
+
+ # X access, Home files
+ manage_dirs_pattern($2, wine_home_t, wine_home_t)
+ manage_files_pattern($2, wine_home_t, wine_home_t)
+ manage_lnk_files_pattern($2, wine_home_t, wine_home_t)
+ relabel_dirs_pattern($2, wine_home_t, wine_home_t)
+ relabel_files_pattern($2, wine_home_t, wine_home_t)
+ relabel_lnk_files_pattern($2, wine_home_t, wine_home_t)
+')
+
+#######################################
+## <summary>
+## The role template for the wine module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for wine applications.
+## </p>
+## </desc>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`wine_role_template',`
+ gen_require(`
+ type wine_exec_t;
+ ')
+
+ type $1_wine_t;
+ domain_type($1_wine_t)
+ domain_entry_file($1_wine_t, wine_exec_t)
+ ubac_constrained($1_wine_t)
+ role $2 types $1_wine_t;
+
+ allow $1_wine_t self:process { execmem execstack };
+ allow $3 $1_wine_t:process { getattr ptrace noatsecure signal_perms };
+ domtrans_pattern($3, wine_exec_t, $1_wine_t)
+ corecmd_bin_domtrans($1_wine_t, $1_t)
+
+ userdom_unpriv_usertype($1, $1_wine_t)
+ userdom_manage_tmpfs_role($2, $1_wine_t)
+
+ domain_mmap_low($1_wine_t)
+
+ optional_policy(`
+ xserver_role($1_r, $1_wine_t)
+ ')
+')
+
########################################
## <summary>
## Execute the wine program in the wine domain.
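Review bot: `wine_role` uses `wine_home_t` in its manage_*/relabel_* patterns but only requires `wine_exec_t` in its gen_require, and no `wine_home_t` declaration appears in the wine.te hunk below, so expanding this template from a user module would presumably fail with an undeclared type unless it is declared elsewhere in wine.te; add `type wine_home_t;` to the gen_require block (and declare it in wine.te if it is indeed missing). The parameter documentation also does not match the body: it documents $1 as a userdomain_prefix and $3 as the role, but `role $1 types wine_t;` treats $1 as the role, $2 is the user domain, and $3 is never used, so the doc block should list only `user_role` ($1) and `user_domain` ($2). In `wine_role_template`, `xserver_role($1_r, $1_wine_t)` derives the role from the prefix while every other line uses the `$2` role parameter; passing `$2` keeps the template correct for callers whose role is not named `<prefix>_r`. The hunk's trailing context is the start of the unchanged wine_domtrans interface, whose body continues outside the hunk.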
diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te
index d7d9720..a56e730 100644
--- a/policy/modules/apps/wine.te
+++ b/policy/modules/apps/wine.te
@@ -1,5 +1,5 @@
-policy_module(wine, 1.6.0)
+policy_module(wine, 1.6.1)
########################################
#
@@ -9,20 +9,42 @@ policy_module(wine, 1.6.0)
type wine_t;
type wine_exec_t;
application_domain(wine_t, wine_exec_t)
+ubac_constrained(wine_t)
+role system_r types wine_t;
+
+type wine_tmp_t;
+files_tmp_file(wine_tmp_t)
+ubac_constrained(wine_tmp_t)
########################################
#
# Local policy
#
+allow wine_t self:process { execstack execmem execheap };
+allow wine_t self:fifo_file manage_fifo_file_perms;
+
+can_exec(wine_t, wine_exec_t)
+
+manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t)
+manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t)
+files_tmp_filetrans(wine_t, wine_tmp_t, { file dir })
+
+domain_mmap_low(wine_t)
+
+files_execmod_all_files(wine_t)
+
userdom_use_user_terminals(wine_t)
optional_policy(`
- allow wine_t self:process { execstack execmem execheap };
+ hal_dbus_chat(wine_t)
+')
+
+optional_policy(`
unconfined_domain_noaudit(wine_t)
- files_execmod_all_files(wine_t)
+')
- optional_policy(`
- hal_dbus_chat(wine_t)
- ')
+optional_policy(`
+ xserver_read_xdm_pid(wine_t)
+ xserver_rw_shm(wine_t)
')
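Review bot: `files_execmod_all_files(wine_t)` and the `execstack execmem execheap` self permissions are now granted unconditionally, and `domain_mmap_low(wine_t)` is newly added outside any optional block, whereas before this change the execmod and exec* rules were only granted when the unconfined module was present; the result is that a confined wine_t can create executable, text-relocated mappings from any file type it can read, and can map the low address range that the kernel's mmap_min_addr check normally reserves. If this is intended for confined wine, the hunk needs a comment saying so, e.g. `# Windows binaries need text relocations (execmod) and the low-address mapping used by the 16-bit loader; these are deliberately not gated on the unconfined module.`; otherwise gate `domain_mmap_low(wine_t)` behind a tunable so administrators who do not run 16-bit code can keep the mitigation. `role system_r types wine_t;` is also added without a comment naming which system-role caller is expected to transition into wine_t, which makes it hard to tell whether the rule is needed or is a leftover from the Fedora patch.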