From e51048a4e8409923505f141a1f06ff42c3880087 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Jun 06 2006 17:51:24 +0000
Subject: fix execmod all files rule in wine
---
diff --git a/refpolicy/policy/modules/apps/wine.te b/refpolicy/policy/modules/apps/wine.te
index 21ac5b4..b9cda46 100644
--- a/refpolicy/policy/modules/apps/wine.te
+++ b/refpolicy/policy/modules/apps/wine.te
@@ -1,5 +1,5 @@
-policy_module(wine,1.1.0)
+policy_module(wine,1.1.1)
 ########################################
 #
@@ -20,6 +20,5 @@ domain_entry_file(wine_t,wine_exec_t)
 ifdef(`targeted_policy',`
  allow wine_t self:process { execstack execmem };
  unconfined_domain_noaudit(wine_t)
- role system_r types wine_t;
- allow wine_t file_type:file execmod;
+ files_execmod_all_files(wine_t)
 ')
diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
index 1ec9f57..bae6158 100644
--- a/refpolicy/policy/modules/kernel/files.if
+++ b/refpolicy/policy/modules/kernel/files.if
@@ -452,6 +452,37 @@ interface(`files_read_all_files',`
 ########################################
 ##
+## Allow shared library text relocations in all files.
+##
+##
+##
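Review bot: The second wine.te hunk also deletes `role system_r types wine_t;`, which the subject line (an execmod fix) does not mention and which nothing visible in this commit replaces. If wine_t is not associated with system_r somewhere outside the hunk, contexts pairing that role with wine_t would presumably stop being valid under the targeted policy, so either keep the line or state in the commit message where the association now comes from. Separately, the remaining block combines `execstack`, `execmem` and execmod on all files for a domain that is also made unconfined; if the reason is WINE loading Windows binaries, a comment such as `# WINE maps relocated and self-modifying code; relaxations are targeted-policy only` above the `allow` line would record why these memory protections are lifted.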

+## Allow shared library text relocations in all files.
+##

+##

+## This is added to support WINE in the targeted
+## policy. It has no effect on the strict policy.
+##

+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_execmod_all_files',`
+ ifdef(`targeted_policy',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ allow $1 file_type:file execmod;
+ ',`
+ errprint(__file__:__line__:` $0($1) has no effect in strict policy.'__endline__)
+ ')
+')
+
+########################################
+##
 ## Read all non-security files.
 ##
 ##
diff --git a/refpolicy/policy/modules/kernel/files.te b/refpolicy/policy/modules/kernel/files.te
index 6a362d6..942046a 100644
--- a/refpolicy/policy/modules/kernel/files.te
+++ b/refpolicy/policy/modules/kernel/files.te
@@ -1,5 +1,5 @@
-policy_module(files,1.2.9)
+policy_module(files,1.2.10)
 ########################################
 #
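Review bot: The description of the new `files_execmod_all_files` interface says why it exists (WINE, targeted policy) but not how broad the grant is. In the targeted branch, `allow $1 file_type:file execmod;` covers every type carrying the `file_type` attribute, so the calling domain may make executable a private mapping of any such file after modifying it, including files it can write itself. I would add a line to the description along the lines of `## This lifts the execmod protection for every file type; prefer a per-type execmod rule where the set of libraries is known.` so later callers do not reuse it casually. The strict branch only emits the errprint warning and grants nothing, which matches the existing text.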