From 3e9671590658182287c662dd537a842b119ad5ee Mon Sep 17 00:00:00 2001 From: Nicolas Iooss Date: Sat, 25 Jan 2020 16:34:07 +0100 Subject: [PATCH] Associate role unconfined_r to wine_t When an unconfined user runs wine, there is an issue because wine_domtrans() causes a transition to unconfined_u:unconfined_r:wine_t without unconfined_r being associated with wine_t: type=SELINUX_ERR msg=audit(1579963774.148:1047): op=security_compute_sid invalid_context="unconfined_u:unconfined_r:wine_t" scontext=unconfined_u:unconfined_r:wine_t tcontext=system_u:object_r:wine_exec_t tclass=process This is fixed with "roleattribute unconfined_r wine_roles;", which is provided by interface wine_run(). Signed-off-by: Nicolas Iooss --- policy/modules/system/unconfined.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te index 331994d9f..9ad2ded8c 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te @@ -223,7 +223,7 @@ optional_policy(` ') optional_policy(` - wine_domtrans(unconfined_t) + wine_run(unconfined_t, unconfined_r) ') optional_policy(`
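Review bot: in the optional_policy block at unconfined.te line 223, `wine_domtrans(unconfined_t)` is removed outright rather than kept next to the new `wine_run(unconfined_t, unconfined_r)`, but the commit message only says that wine_run() provides "roleattribute unconfined_r wine_roles;". Please state in the message that wine_run() also performs the transition wine_domtrans() gave, so it is clear that unconfined_t can still enter wine_t after this change. It would also help to note how the fix was checked, for example that the SELINUX_ERR record with invalid_context="unconfined_u:unconfined_r:wine_t" no longer appears when an unconfined user runs wine.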