http://people.fedoraproject.org/~dwalsh/SELinux/F14/apps_wine.patch
Picasa ships wine execs.
wine changes fro domain_mmap_low
On 06/02/10 16:16, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F14/apps_wine.patch
>
> Picasa ships wine execs.
>
> wine changes fro domain_mmap_low
This last part confuses me. I thought mmap_low was intrinsically
required for wine. Neglecting that question, there seems to be an error
in the .if:
> + tunable_policy(`wine_mmap_zero_ignore',`
> + allow $1_wine_t self:memprotect mmap_zero;
> + ')
Shouldn't this be dontaudited?
This doesn't seem to make sense. Aren't the subject and object
reversed? Also it seems odd, since wine is running Windows programs,
which wouldn't really inherit things from the Linux environment:
> + # Unrestricted inheritance from the caller.
> + allow $2 wine_t:process { noatsecure siginh rlimitinh };
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 07/06/2010 11:42 AM, Christopher J. PeBenito wrote:
> On 06/02/10 16:16, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/apps_wine.patch
>>
>> Picasa ships wine execs.
>>
>> wine changes fro domain_mmap_low
>
> This last part confuses me. I thought mmap_low was intrinsically
> required for wine. Neglecting that question, there seems to be an error
> in the .if:
>
It is only required by wine if you run old DOS 16 bit apps or badly
written ones. Newer Windows apps should not require this.
>> + tunable_policy(`wine_mmap_zero_ignore',`
>> + allow $1_wine_t self:memprotect mmap_zero;
>> + ')
>
> Shouldn't this be dontaudited?
>
Yes.
> This doesn't seem to make sense. Aren't the subject and object
> reversed? Also it seems odd, since wine is running Windows programs,
> which wouldn't really inherit things from the Linux environment:
>
>> + # Unrestricted inheritance from the caller.
>> + allow $2 wine_t:process { noatsecure siginh rlimitinh };
>
>
I have no idea why this was added. I guess we can remove it and see if
it is rereported.