Diffstat (limited to 'policy/modules/apps/wine.if')
-rw-r--r-- | policy/modules/apps/wine.if | 166 |
1 files changed, 166 insertions, 0 deletions
diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if
new file mode 100644
index 000000000..2dba62164
--- /dev/null
+++ b/policy/modules/apps/wine.if
@@ -0,0 +1,166 @@
+## <summary>Run Windows programs in Linux.</summary>
+
+########################################
+## <summary>
+## Role access for wine.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`wine_role',`
+ gen_require(`
+ attribute_role wine_roles;
+ type wine_exec_t, wine_t, wine_tmp_t;
+ type wine_home_t;
+ ')
+
+ roleattribute $1 wine_roles;
+
+ domtrans_pattern($2, wine_exec_t, wine_t)
+
+ allow wine_t $2:unix_stream_socket connectto;
+ allow wine_t $2:process signull;
+
+ ps_process_pattern($2, wine_t)
+ allow $2 wine_t:process { ptrace signal_perms };
+
+ allow $2 wine_t:fd use;
+ allow $2 wine_t:shm { associate getattr };
+ allow $2 wine_t:shm rw_shm_perms;
+ allow $2 wine_t:unix_stream_socket connectto;
+
+ allow $2 { wine_tmp_t wine_home_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { wine_tmp_t wine_home_t }:file { manage_file_perms relabel_file_perms };
+ allow $2 wine_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ userdom_user_home_dir_filetrans($2, wine_home_t, dir, ".wine")
+')
+
+#######################################
+## <summary>
+## The role template for the wine module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for wine applications.
+## </p>
+## </desc>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`wine_role_template',`
+ gen_require(`
+ type wine_exec_t;
+ ')
+
+ type $1_wine_t;
+ userdom_user_application_domain($1_wine_t, wine_exec_t)
+ role $2 types $1_wine_t;
+
+ allow $1_wine_t self:process { execmem execstack };
+
+ allow $3 $1_wine_t:process { ptrace noatsecure signal_perms };
+ ps_process_pattern($3, $1_wine_t)
+
+ domtrans_pattern($3, wine_exec_t, $1_wine_t)
+
+ corecmd_bin_domtrans($1_wine_t, $3)
+
+ userdom_manage_user_tmpfs_files($1_wine_t)
+
+ domain_mmap_low($1_wine_t)
+
+ tunable_policy(`wine_mmap_zero_ignore',`
+ dontaudit $1_wine_t self:memprotect mmap_zero;
+ ')
+
+ optional_policy(`
+ xserver_role($1_r, $1_wine_t)
+ ')
+')
+
+########################################
+## <summary>
+## Execute the wine program in the wine domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`wine_domtrans',`
+ gen_require(`
+ type wine_t, wine_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, wine_exec_t, wine_t)
+')
+
+########################################
+## <summary>
+## Execute wine in the wine domain,
+## and allow the specified role
+## the wine domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`wine_run',`
+ gen_require(`
+ attribute_role wine_roles;
+ ')
+
+ wine_domtrans($1)
+ roleattribute $2 wine_roles;
+')
+
+########################################
+## <summary>
+## Read and write wine Shared
+## memory segments.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`wine_rw_shm',`
+ gen_require(`
+ type wine_t;
+ ')
+
+ allow $1 wine_t:shm rw_shm_perms;
+')
|
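Review bot: In `wine_role_template` the X server access is wired to `$1_r` while the role the template actually receives is `$2` (used in `role $2 types $1_wine_t;`), so the optional block should presumably read `xserver_role($2, $1_wine_t)`; as written it silently depends on every caller's role being named `<prefix>_r`, and a caller passing any other role gets its X access attached to a role it never named. The same template calls `domain_mmap_low($1_wine_t)` unconditionally and then dontaudits `self:memprotect mmap_zero` under `wine_mmap_zero_ignore`; if `domain_mmap_low` already allows that permission (as it does in reference policy), the dontaudit branch is dead, so either move the `domain_mmap_low` call into the tunable's else branch or add a comment such as `# mmap_zero is allowed unconditionally; the tunable only silences denials when the low-mapping allow is removed` explaining why both are present. Finally, the `<desc>` text `This template creates a derived domains which are used` should be `This template creates a derived domain which is used`.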