From: Stefan Schantl
Date: Sat, 14 Jan 2012 19:14:36 +0000 (+0100)
Subject: Remove module for wine.
X-Git-Tag: 001~5
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=43d7d6fd3646ef559cd751b04ca36daff696f214;p=people%2Fstevee%2Fselinux-policy.git

Remove module for wine.
---

diff --git a/policy/modules/apps/wine.fc b/policy/modules/apps/wine.fc
deleted file mode 100644
index 2666317e..00000000
--- a/policy/modules/apps/wine.fc
+++ /dev/null
@@ -1,23 +0,0 @@
-HOME_DIR/cxoffice/bin/wine.+ -- gen_context(system_u:object_r:wine_exec_t,s0)
-
-/opt/cxoffice/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
-
-/opt/google/picasa(/.*)?/Picasa3/.*exe -- gen_context(system_u:object_r:wine_exec_t,s0)
-/opt/google/picasa(/.*)?/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0)
-/opt/google/picasa(/.*)?/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0)
-/opt/google/picasa(/.*)?/bin/progman -- gen_context(system_u:object_r:wine_exec_t,s0)
-/opt/google/picasa(/.*)?/bin/regsvr32 -- gen_context(system_u:object_r:wine_exec_t,s0)
-/opt/google/picasa(/.*)?/bin/regedit -- gen_context(system_u:object_r:wine_exec_t,s0)
-/opt/google/picasa(/.*)?/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0)
-/opt/google/picasa(/.*)?/bin/wdi -- gen_context(system_u:object_r:wine_exec_t,s0)
-/opt/google/picasa(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
-/opt/teamviewer(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
-
-/opt/picasa/wine/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
-
-/usr/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0)
-/usr/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0)
-/usr/bin/regsvr32 -- gen_context(system_u:object_r:wine_exec_t,s0)
-/usr/bin/regedit -- gen_context(system_u:object_r:wine_exec_t,s0)
-/usr/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0)
-/usr/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if
deleted file mode 100644
index 00a98f17..00000000
--- a/policy/modules/apps/wine.if
+++ /dev/null
@@ -1,186 +0,0 @@
-## Wine Is Not an Emulator. Run Windows programs in Linux.
-
-#######################################
-##
-## The per role template for the wine module.
-##
-##
-##
-## This template creates a derived domains which are used
-## for wine applications.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## The type of the user domain.
-##
-##
-##
-##
-## The role associated with the user domain.
-##
-##
-#
-template(`wine_role',`
- gen_require(`
- type wine_t;
- type wine_home_t;
- type wine_exec_t;
- ')
-
- role $1 types wine_t;
-
- domain_auto_trans($2, wine_exec_t, wine_t)
- # Unrestricted inheritance from the caller.
- allow $2 wine_t:process { noatsecure siginh rlimitinh };
- allow wine_t $2:fd use;
- allow wine_t $2:process { sigchld signull };
- allow wine_t $2:unix_stream_socket connectto;
-
- # Allow the user domain to signal/ps.
- ps_process_pattern($2, wine_t)
- allow $2 wine_t:process signal_perms;
-
- allow $2 wine_t:fd use;
- allow $2 wine_t:shm { associate getattr unix_read unix_write };
- allow $2 wine_t:unix_stream_socket connectto;
-
- # X access, Home files
- manage_dirs_pattern($2, wine_home_t, wine_home_t)
- manage_files_pattern($2, wine_home_t, wine_home_t)
- manage_lnk_files_pattern($2, wine_home_t, wine_home_t)
- relabel_dirs_pattern($2, wine_home_t, wine_home_t)
- relabel_files_pattern($2, wine_home_t, wine_home_t)
- relabel_lnk_files_pattern($2, wine_home_t, wine_home_t)
-')
-
-#######################################
-##
-## The role template for the wine module.
-##
-##
-##
-## This template creates a derived domains which are used
-## for wine applications.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## The role associated with the user domain.
-##
-##
-##
-##
-## The type of the user domain.
-##
-##
-#
-template(`wine_role_template',`
- gen_require(`
- type wine_t;
- type wine_exec_t;
- ')
-
- type $1_wine_t;
- domain_type($1_wine_t)
- domain_entry_file($1_wine_t, wine_exec_t)
- ubac_constrained($1_wine_t)
- role $2 types $1_wine_t;
-
- allow $1_wine_t self:process { execmem execstack };
- allow $3 $1_wine_t:process { getattr noatsecure signal_perms };
- domtrans_pattern($3, wine_exec_t, $1_wine_t)
- corecmd_bin_domtrans($1_wine_t, $1_t)
-
- userdom_unpriv_usertype($1, $1_wine_t)
- userdom_manage_tmpfs_role($2, $1_wine_t)
-
- domain_mmap_low($1_wine_t)
-
- tunable_policy(`wine_mmap_zero_ignore',`
- dontaudit $1_wine_t self:memprotect mmap_zero;
- ')
-
- tunable_policy(`wine_mmap_zero_ignore',`
- dontaudit $1_wine_t self:memprotect mmap_zero;
- ')
-
- optional_policy(`
- xserver_role($1_r, $1_wine_t)
- ')
-')
-
-########################################
-##
-## Execute the wine program in the wine domain.
-##
-##
-##
-## Domain allowed to transition.
-##
-##
-#
-interface(`wine_domtrans',`
- gen_require(`
- type wine_t, wine_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, wine_exec_t, wine_t)
-')
-
-########################################
-##
-## Execute wine in the wine domain, and
-## allow the specified role the wine domain.
-##
-##
-##
-## Domain allowed to transition.
-##
-##
-##
-##
-## Role allowed access.
-##
-##
-#
-interface(`wine_run',`
- gen_require(`
- type wine_t;
- ')
-
- wine_domtrans($1)
- role $2 types wine_t;
-')
-
-########################################
-##
-## Read and write wine Shared
-## memory segments.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`wine_rw_shm',`
- gen_require(`
- type wine_t;
- ')
-
- allow $1 wine_t:shm rw_shm_perms;
-')
diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te
deleted file mode 100644
index e3de8fa4..00000000
--- a/policy/modules/apps/wine.te
+++ /dev/null
@@ -1,64 +0,0 @@
-policy_module(wine, 1.8.1)
-
-########################################
-#
-# Declarations
-#
-
-##
-##
-## Ignore wine mmap_zero errors.
-##
-##
-gen_tunable(wine_mmap_zero_ignore, false) - -type wine_t; -type wine_exec_t; -application_domain(wine_t, wine_exec_t) -ubac_constrained(wine_t) -role system_r types wine_t; - -type wine_tmp_t; -files_tmp_file(wine_tmp_t) -ubac_constrained(wine_tmp_t) - -######################################## -# -# Local policy -# - -allow wine_t self:process { execstack execmem execheap }; -allow wine_t self:fifo_file manage_fifo_file_perms; - -can_exec(wine_t, wine_exec_t) - -manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t) -manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t) -files_tmp_filetrans(wine_t, wine_tmp_t, { file dir }) - -domain_mmap_low(wine_t) - -files_execmod_all_files(wine_t) - -userdom_use_inherited_user_terminals(wine_t) - -tunable_policy(`wine_mmap_zero_ignore',` - dontaudit wine_t self:memprotect mmap_zero; -') - -optional_policy(` - hal_dbus_chat(wine_t) -') - -optional_policy(` - policykit_dbus_chat(wine_t) -') - -optional_policy(` - unconfined_domain(wine_t) -') - -optional_policy(` - xserver_read_xdm_pid(wine_t) - xserver_rw_shm(wine_t) -') diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te index 226a9b54..60577c70 100644 --- a/policy/modules/roles/unconfineduser.te +++ b/policy/modules/roles/unconfineduser.te @@ -328,10 +328,6 @@ optional_policy(` webalizer_run(unconfined_t, unconfined_r) ') -optional_policy(` - wine_run(unconfined_t, unconfined_r) -') - optional_policy(` xserver_run(unconfined_t, unconfined_r) xserver_manage_home_fonts(unconfined_t) diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index 91fc3eee..49cd5831 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -1147,10 +1147,6 @@ optional_policy(` userhelper_search_config(xserver_t) ') -optional_policy(` - wine_rw_shm(xserver_t) -') - optional_policy(` xfs_stream_connect(xserver_t) ') 
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc index a957a6c0..b110540c 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc @@ -89,7 +89,6 @@ ifdef(`distro_redhat',` /opt/Adobe/Reader.?/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/Adobe/Reader.?/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0) /opt/cisco-vpnclient/lib/libvpnapi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/opt/cx.*/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/f-secure/fspms/libexec/librapi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/ibm/java.*/jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) /opt/ibm/java.*/jre/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -159,7 +158,6 @@ ifdef(`distro_redhat',` /usr/lib/xorg/modules/glesx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0) -/usr/(local/)?lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(local/)?lib/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index db35b2e9..481781fe 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -1261,10 +1261,6 @@ template(`userdom_unpriv_user_template', ` mount_read_pid_files($1_t) ') - optional_policy(` - wine_role_template($1, $1_r, $1_t) - ') - optional_policy(` postfix_run_postdrop($1_t, $1_r) postfix_search_spool($1_t)