From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 06 Jul 2010 11:42:35 -0400
Subject: [refpolicy] apps_wine.patch
In-Reply-To: <4C06BC1F.5010806@redhat.com>
References: <4C06BC1F.5010806@redhat.com>
Message-ID: <4C334EEB.3090507@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 06/02/10 16:16, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F14/apps_wine.patch
>
> Picasa ships wine execs.
>
> wine changes for domain_mmap_low

This last part confuses me. I thought mmap_low was intrinsically required for wine.

Neglecting that question, there seems to be an error in the .if:

> + tunable_policy(`wine_mmap_zero_ignore',`
> + allow $1_wine_t self:memprotect mmap_zero;
> + ')

Shouldn't this be dontaudited?

This doesn't seem to make sense. Aren't the subject and object reversed? Also it seems odd, since wine is running Windows programs, which wouldn't really inherit things from the Linux environment:

> + # Unrestricted inheritance from the caller.
> + allow $2 wine_t:process { noatsecure siginh rlimitinh };

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
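
Review bot: in the tunable_policy(`wine_mmap_zero_ignore', ...) block, the rule grants the permission (allow $1_wine_t self:memprotect mmap_zero;) while the tunable is named "ignore", which reads as suppressing the denial rather than permitting the low mapping. If the intent is only to silence the AVC, the rule should be dontaudit $1_wine_t self:memprotect mmap_zero;. If the intent really is to permit mappings below mmap_min_addr, rename the tunable and describe it as such, so that enabling it is not mistaken for a logging change when it actually removes the low-address mapping protection for the wine domain.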
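
Review bot: in the rule allow $2 wine_t:process { noatsecure siginh rlimitinh };, the hunk does not show what $2 is bound to in this interface. These three permissions are checked with the calling domain as source and the new domain as target, so $2 has to be the caller's domain type, not a role argument; please confirm against the interface's parameter list. Of the three, noatsecure needs its own justification: it stops the transition into wine_t from setting AT_SECURE, so the caller's environment (LD_PRELOAD and similar) reaches the wine process unsanitized. Consider dropping noatsecure unless a concrete failure requires it, and replace the "Unrestricted inheritance" comment with the reason each permission is needed.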