
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Wed, 31 Oct 2012 18:11:51
Message-Id: 1351706800.73600f7dad522a0d5fca9a68d3d32e51e05b4a23.SwifT@gentoo
1 commit: 73600f7dad522a0d5fca9a68d3d32e51e05b4a23
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Wed Oct 31 10:37:22 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Wed Oct 31 18:06:40 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=73600f7d
7
8 Changes to the wine policy module
9
10 Ported from Fedora with changes
11
12 Role attribute for wine_t
13
14 Cleaned up a bit but this module needs to be revisited
15
16 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
17
18 ---
19 policy/modules/contrib/wine.fc | 31 +++++++++-------
20 policy/modules/contrib/wine.if | 77 +++++++++++++++++-----------------------
21 policy/modules/contrib/wine.te | 32 +++++++++++++----
22 3 files changed, 75 insertions(+), 65 deletions(-)
23
24 diff --git a/policy/modules/contrib/wine.fc b/policy/modules/contrib/wine.fc
25 index 9d24449..786a51e 100644
26 --- a/policy/modules/contrib/wine.fc
27 +++ b/policy/modules/contrib/wine.fc
28 @@ -1,21 +1,24 @@
29 +HOME_DIR/\.wine(/.*)? gen_context(system_u:object_r:wine_home_t,s0)
30 HOME_DIR/cxoffice/bin/wine.+ -- gen_context(system_u:object_r:wine_exec_t,s0)
31
32 /opt/cxoffice/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
33
34 -/opt/google/picasa(/.*)?/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0)
35 -/opt/google/picasa(/.*)?/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0)
36 -/opt/google/picasa(/.*)?/bin/progman -- gen_context(system_u:object_r:wine_exec_t,s0)
37 -/opt/google/picasa(/.*)?/bin/regsvr32 -- gen_context(system_u:object_r:wine_exec_t,s0)
38 -/opt/google/picasa(/.*)?/bin/regedit -- gen_context(system_u:object_r:wine_exec_t,s0)
39 -/opt/google/picasa(/.*)?/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0)
40 -/opt/google/picasa(/.*)?/bin/wdi -- gen_context(system_u:object_r:wine_exec_t,s0)
41 -/opt/google/picasa(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
42 +/opt/google/picasa(/.*)?/Picasa3/.*exe -- gen_context(system_u:object_r:wine_exec_t,s0)
43 +/opt/google/picasa(/.*)?/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0)
44 +/opt/google/picasa(/.*)?/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0)
45 +/opt/google/picasa(/.*)?/bin/progman -- gen_context(system_u:object_r:wine_exec_t,s0)
46 +/opt/google/picasa(/.*)?/bin/regsvr32 -- gen_context(system_u:object_r:wine_exec_t,s0)
47 +/opt/google/picasa(/.*)?/bin/regedit -- gen_context(system_u:object_r:wine_exec_t,s0)
48 +/opt/google/picasa(/.*)?/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0)
49 +/opt/google/picasa(/.*)?/bin/wdi -- gen_context(system_u:object_r:wine_exec_t,s0)
50 +/opt/google/picasa(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
51 +/opt/teamviewer(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
52
53 /opt/picasa/wine/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
54
55 -/usr/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0)
56 -/usr/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0)
57 -/usr/bin/regsvr32 -- gen_context(system_u:object_r:wine_exec_t,s0)
58 -/usr/bin/regedit -- gen_context(system_u:object_r:wine_exec_t,s0)
59 -/usr/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0)
60 -/usr/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
61 +/usr/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0)
62 +/usr/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0)
63 +/usr/bin/regsvr32 -- gen_context(system_u:object_r:wine_exec_t,s0)
64 +/usr/bin/regedit -- gen_context(system_u:object_r:wine_exec_t,s0)
65 +/usr/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0)
66 +/usr/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
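Review bot: The new pattern `/opt/google/picasa(/.*)?/Picasa3/.*exe` has no escaped dot, so under the implicit full-match anchoring of file_contexts it labels any file whose name merely ends in "exe", not only `*.exe`. Because `wine_exec_t` is the entrypoint type for the wine domain, every path in this file decides which binaries may start that domain, so the regex should be as tight as the intent allows: `/opt/google/picasa(/.*)?/Picasa3/.*\.exe -- gen_context(system_u:object_r:wine_exec_t,s0)`. The `/usr/bin/wine.*` and `.../bin/wine.*` entries are presumably meant to cover wineserver, winecfg and friends; a one-line comment saying so would stop a later cleanup from "fixing" them to `wine`.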
67
68 diff --git a/policy/modules/contrib/wine.if b/policy/modules/contrib/wine.if
69 index f9a73d0..fd2b6cc 100644
70 --- a/policy/modules/contrib/wine.if
71 +++ b/policy/modules/contrib/wine.if
72 @@ -1,60 +1,46 @@
73 -## <summary>Wine Is Not an Emulator. Run Windows programs in Linux.</summary>
74 +## <summary>Run Windows programs in Linux.</summary>
75
76 -#######################################
77 +########################################
78 ## <summary>
79 -## The per role template for the wine module.
80 +## Role access for wine.
81 ## </summary>
82 -## <desc>
83 -## <p>
84 -## This template creates a derived domains which are used
85 -## for wine applications.
86 -## </p>
87 -## </desc>
88 -## <param name="userdomain_prefix">
89 -## <summary>
90 -## The prefix of the user domain (e.g., user
91 -## is the prefix for user_t).
92 -## </summary>
93 -## </param>
94 -## <param name="user_domain">
95 +## <param name="role">
96 ## <summary>
97 -## The type of the user domain.
98 +## Role allowed access.
99 ## </summary>
100 ## </param>
101 -## <param name="user_role">
102 +## <param name="domain">
103 ## <summary>
104 -## The role associated with the user domain.
105 +## User domain for the role.
106 ## </summary>
107 ## </param>
108 #
109 -template(`wine_role',`
110 +interface(`wine_role',`
111 gen_require(`
112 - type wine_exec_t;
113 + attribute_role wine_roles;
114 + type wine_exec_t, wine_t, wine_tmp_t;
115 + type wine_home_t;
116 ')
117
118 - role $1 types wine_t;
119 + roleattribute $1 wine_roles;
120 +
121 + domtrans_pattern($2, wine_exec_t, wine_t)
122
123 - domain_auto_trans($2, wine_exec_t, wine_t)
124 - allow wine_t $2:fd use;
125 - allow wine_t $2:process { sigchld signull };
126 allow wine_t $2:unix_stream_socket connectto;
127 + allow wine_t $2:process signull;
128
129 - # Allow the user domain to signal/ps.
130 ps_process_pattern($2, wine_t)
131 - allow $2 wine_t:process signal_perms;
132 + allow $2 wine_t:process { ptrace signal_perms };
133
134 allow $2 wine_t:fd use;
135 allow $2 wine_t:shm { associate getattr };
136 - allow $2 wine_t:shm { unix_read unix_write };
137 + allow $2 wine_t:shm rw_shm_perms;
138 allow $2 wine_t:unix_stream_socket connectto;
139
140 - # X access, Home files
141 - manage_dirs_pattern($2, wine_home_t, wine_home_t)
142 - manage_files_pattern($2, wine_home_t, wine_home_t)
143 - manage_lnk_files_pattern($2, wine_home_t, wine_home_t)
144 - relabel_dirs_pattern($2, wine_home_t, wine_home_t)
145 - relabel_files_pattern($2, wine_home_t, wine_home_t)
146 - relabel_lnk_files_pattern($2, wine_home_t, wine_home_t)
147 + allow $2 { wine_tmp_t wine_home_t }:dir { manage_dir_perms relabel_dir_perms };
148 + allow $2 { wine_tmp_t wine_home_t }:file { manage_file_perms relabel_file_perms };
149 + allow $2 wine_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
150 + userdom_user_home_dir_filetrans($2, wine_home_t, dir, ".wine")
151 ')
152
153 #######################################
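Review bot: `allow $2 wine_t:process { ptrace signal_perms };` grants the calling user domain ptrace over wine_t, whereas the removed line granted only `signal_perms`, and neither the commit message nor a comment explains the addition. ptrace lets $2 read and rewrite the memory of a domain that (per the derived template below) runs with execmem/execstack, so it deserves at least a rationale; if it is there for winedbg-style debugging, say so: `# allow the user to debug (ptrace) wine processes, e.g. winedbg`, otherwise keep the old `allow $2 wine_t:process signal_perms;`. The relabel permissions on `wine_tmp_t` are new as well (the old template only relabeled `wine_home_t`) and could use the same one-line justification. The interface body itself is fully visible and the removed `fd use`/`sigchld` rules are covered by `domtrans_pattern`, so that part of the cleanup looks safe.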
154 @@ -90,15 +76,17 @@ template(`wine_role_template',`
155 ')
156
157 type $1_wine_t;
158 - domain_type($1_wine_t)
159 - domain_entry_file($1_wine_t, wine_exec_t)
160 - ubac_constrained($1_wine_t)
161 + userdom_user_application_domain($1_wine_t, wine_exec_t)
162 role $2 types $1_wine_t;
163
164 allow $1_wine_t self:process { execmem execstack };
165 - allow $3 $1_wine_t:process { getattr ptrace noatsecure signal_perms };
166 +
167 + allow $3 $1_wine_t:process { ptrace noatsecure signal_perms };
168 + ps_process_pattern($3, $1_wine_t)
169 +
170 domtrans_pattern($3, wine_exec_t, $1_wine_t)
171 - corecmd_bin_domtrans($1_wine_t, $1_t)
172 +
173 + corecmd_bin_domtrans($1_wine_t, $3)
174
175 userdom_unpriv_usertype($1, $1_wine_t)
176 userdom_manage_user_tmpfs_files($1_wine_t)
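Review bot: `corecmd_bin_domtrans($1_wine_t, $3)` means any `bin_t` executable launched from the derived wine domain lands back in the caller's user domain `$3`, so `$1_wine_t` confines only the execmem/execstack Windows code, not what that code can spawn; the rule is carried over from the `$1_t` form, but nothing in the template says this is intended. Since the same stanza also keeps `noatsecure` and `ptrace` for `$3` over `$1_wine_t`, a reader can easily mistake the derived domain for a sandbox. I would add above that line `# Not a sandbox: native programs wine launches from bin_t run as the user again` so the "needs to be revisited" follow-up knows this is by design rather than an oversight. The `wine_role_template` body starts and ends outside this hunk, so I cannot tell whether anything else narrows that transition.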
177 @@ -135,8 +123,9 @@ interface(`wine_domtrans',`
178
179 ########################################
180 ## <summary>
181 -## Execute wine in the wine domain, and
182 -## allow the specified role the wine domain.
183 +## Execute wine in the wine domain,
184 +## and allow the specified role
185 +## the wine domain.
186 ## </summary>
187 ## <param name="domain">
188 ## <summary>
189 @@ -151,11 +140,11 @@ interface(`wine_domtrans',`
190 #
191 interface(`wine_run',`
192 gen_require(`
193 - type wine_t;
194 + attribute_role wine_roles;
195 ')
196
197 wine_domtrans($1)
198 - role $2 types wine_t;
199 + roleattribute $2 wine_roles;
200 ')
201
202 ########################################
203
204 diff --git a/policy/modules/contrib/wine.te b/policy/modules/contrib/wine.te
205 index 7a17516..b51923c 100644
206 --- a/policy/modules/contrib/wine.te
207 +++ b/policy/modules/contrib/wine.te
208 @@ -1,4 +1,4 @@
209 -policy_module(wine, 1.10.0)
210 +policy_module(wine, 1.10.1)
211
212 ########################################
213 #
214 @@ -6,16 +6,24 @@ policy_module(wine, 1.10.0)
215 #
216
217 ## <desc>
218 -## <p>
219 -## Ignore wine mmap_zero errors.
220 -## </p>
221 +## <p>
222 +## Determine whether attempts by
223 +## wine to mmap low regions should
224 +## be silently blocked.
225 +## </p>
226 ## </desc>
227 gen_tunable(wine_mmap_zero_ignore, false)
228
229 +attribute_role wine_roles;
230 +roleattribute system_r wine_roles;
231 +
232 type wine_t;
233 type wine_exec_t;
234 userdom_user_application_domain(wine_t, wine_exec_t)
235 -role system_r types wine_t;
236 +role wine_roles types wine_t;
237 +
238 +type wine_home_t;
239 +userdom_user_home_content(wine_home_t)
240
241 type wine_tmp_t;
242 userdom_user_tmp_file(wine_tmp_t)
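Review bot: The reworded `wine_mmap_zero_ignore` description ("should be silently blocked") still does not tell an administrator whether setting it to true suppresses the denial audit (dontaudit) or grants the mapping; the old "Ignore wine mmap_zero errors" was ambiguous the same way. Mapping page zero is exactly what `vm.mmap_min_addr` and the `memprotect mmap_zero` check exist to prevent, so the tunable text should state the direction plainly; assuming the `tunable_policy` body further down is a `dontaudit`, something like `Suppress audit messages for wine's attempts to mmap the zero page; the mapping is still denied.` The `tunable_policy` block that gives this its meaning is outside the hunk, so please confirm against it before adopting the wording.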
243 @@ -30,6 +38,8 @@ allow wine_t self:fifo_file manage_fifo_file_perms;
244
245 can_exec(wine_t, wine_exec_t)
246
247 +userdom_user_home_dir_filetrans(wine_t, wine_home_t, dir, ".wine")
248 +
249 manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t)
250 manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t)
251 files_tmp_filetrans(wine_t, wine_tmp_t, { file dir })
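Review bot: `userdom_user_home_dir_filetrans(wine_t, wine_home_t, dir, ".wine")` only sets the label of a newly created `~/.wine`; no rule in this commit lets `wine_t` itself create or manage `wine_home_t` content, so unless it gets that elsewhere (e.g. an `unconfined_domain(wine_t)` stanza outside these hunks) wine will be denied on its own prefix the moment the transition fires. The `wine_role` interface grants the user domain those permissions, but the wine process runs as `wine_t`, not `$2`. If wine_t is meant to be confined here, the matching rules are `manage_dirs_pattern(wine_t, wine_home_t, wine_home_t)`, `manage_files_pattern(wine_t, wine_home_t, wine_home_t)` and `manage_lnk_files_pattern(wine_t, wine_home_t, wine_home_t)` placed just above the filetrans.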
252 @@ -45,11 +55,19 @@ tunable_policy(`wine_mmap_zero_ignore',`
253 ')
254
255 optional_policy(`
256 - hal_dbus_chat(wine_t)
257 + dbus_system_bus_client(wine_t)
258 +
259 + optional_policy(`
260 + hal_dbus_chat(wine_t)
261 + ')
262 +
263 + optional_policy(`
264 + policykit_dbus_chat(wine_t)
265 + ')
266 ')
267
268 optional_policy(`
269 - policykit_dbus_chat(wine_t)
270 + rtkit_scheduled(wine_t)
271 ')
272
273 optional_policy(`
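Review bot: `dbus_system_bus_client(wine_t)` is a new, unconditional grant that gives every Windows binary run under wine a connection to the system bus, and the commit message does not mention it; the previous policy only allowed the targeted hal and policykit chats. That is a broader exposure than the two chats it now encloses, since any bus service with a permissive `dbus_chat` toward clients becomes reachable. A comment naming the component that needs it, e.g. `# wine needs the system bus for hal/polkit device and auth queries`, would let the announced revisit decide whether to keep it or gate it behind a tunable. `rtkit_scheduled(wine_t)` is likewise new and unexplained; the same one-line rationale would help.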