b90d40db67
Signed-off-by: Kenton Groombridge <me@concord.sh>
167 lines
3.5 KiB
Plaintext
167 lines
3.5 KiB
Plaintext
## <summary>Run Windows programs in Linux.</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
## Role access for wine.
|
|
## </summary>
|
|
## <param name="role">
|
|
## <summary>
|
|
## Role allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## User domain for the role.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`wine_role',`
|
|
gen_require(`
|
|
attribute_role wine_roles;
|
|
type wine_exec_t, wine_t, wine_tmp_t;
|
|
type wine_home_t;
|
|
')
|
|
|
|
roleattribute $1 wine_roles;
|
|
|
|
domtrans_pattern($2, wine_exec_t, wine_t)
|
|
|
|
allow wine_t $2:unix_stream_socket connectto;
|
|
allow wine_t $2:process signull;
|
|
|
|
ps_process_pattern($2, wine_t)
|
|
allow $2 wine_t:process { ptrace signal_perms };
|
|
|
|
allow $2 wine_t:fd use;
|
|
allow $2 wine_t:shm { associate getattr };
|
|
allow $2 wine_t:shm rw_shm_perms;
|
|
allow $2 wine_t:unix_stream_socket connectto;
|
|
|
|
allow $2 { wine_tmp_t wine_home_t }:dir { manage_dir_perms relabel_dir_perms };
|
|
allow $2 { wine_tmp_t wine_home_t }:file { manage_file_perms relabel_file_perms };
|
|
allow $2 wine_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
|
|
userdom_user_home_dir_filetrans($2, wine_home_t, dir, ".wine")
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
## The role template for the wine module.
|
|
## </summary>
|
|
## <desc>
|
|
## <p>
|
|
## This template creates a derived domains which are used
|
|
## for wine applications.
|
|
## </p>
|
|
## </desc>
|
|
## <param name="role_prefix">
|
|
## <summary>
|
|
## The prefix of the user domain (e.g., user
|
|
## is the prefix for user_t).
|
|
## </summary>
|
|
## </param>
|
|
## <param name="user_role">
|
|
## <summary>
|
|
## The role associated with the user domain.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="user_domain">
|
|
## <summary>
|
|
## The type of the user domain.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
template(`wine_role_template',`
|
|
gen_require(`
|
|
type wine_exec_t;
|
|
')
|
|
|
|
type $1_wine_t;
|
|
userdom_user_application_domain($1_wine_t, wine_exec_t)
|
|
role $2 types $1_wine_t;
|
|
|
|
allow $1_wine_t self:process { execmem execstack };
|
|
|
|
allow $3 $1_wine_t:process { ptrace noatsecure signal_perms };
|
|
ps_process_pattern($3, $1_wine_t)
|
|
|
|
domtrans_pattern($3, wine_exec_t, $1_wine_t)
|
|
|
|
corecmd_bin_domtrans($1_wine_t, $3)
|
|
|
|
userdom_manage_user_tmpfs_files($1_wine_t)
|
|
|
|
domain_mmap_low($1_wine_t)
|
|
|
|
tunable_policy(`wine_mmap_zero_ignore',`
|
|
dontaudit $1_wine_t self:memprotect mmap_zero;
|
|
')
|
|
|
|
optional_policy(`
|
|
xserver_role($1, $1_wine_t, $1_application_exec_domain, $1_r)
|
|
')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute the wine program in the wine domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`wine_domtrans',`
|
|
gen_require(`
|
|
type wine_t, wine_exec_t;
|
|
')
|
|
|
|
corecmd_search_bin($1)
|
|
domtrans_pattern($1, wine_exec_t, wine_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute wine in the wine domain,
|
|
## and allow the specified role
|
|
## the wine domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
## Role allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`wine_run',`
|
|
gen_require(`
|
|
attribute_role wine_roles;
|
|
')
|
|
|
|
wine_domtrans($1)
|
|
roleattribute $2 wine_roles;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read and write wine Shared
|
|
## memory segments.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`wine_rw_shm',`
|
|
gen_require(`
|
|
type wine_t;
|
|
')
|
|
|
|
allow $1 wine_t:shm rw_shm_perms;
|
|
')
|