From: dwalsh@redhat.com (Daniel J Walsh)
Date: Mon, 12 Jul 2010 10:22:30 -0400
Subject: [refpolicy] apps_wine.patch
In-Reply-To: <4C334EEB.3090507@tresys.com>
References: <4C06BC1F.5010806@redhat.com> <4C334EEB.3090507@tresys.com>
Message-ID: <4C3B2526.4030706@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 07/06/2010 11:42 AM, Christopher J. PeBenito wrote:
> On 06/02/10 16:16, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/apps_wine.patch
>>
>> Picasa ships wine execs.
>>
>> wine changes for domain_mmap_low
>
> This last part confuses me. I thought mmap_low was intrinsically
> required for wine. Neglecting that question, there seems to be an error
> in the .if:
>
It is only required by wine if you run old DOS 16 bit apps or badly written ones. Newer Windows apps should not require this.
>> + tunable_policy(`wine_mmap_zero_ignore',`
>> + allow $1_wine_t self:memprotect mmap_zero;
>> + ')
>
> Shouldn't this be dontaudited?
>
Yes.
> This doesn't seem to make sense. Aren't the subject and object
> reversed? Also it seems odd, since wine is running Windows programs,
> which wouldn't really inherit things from the Linux environment:
>
>> + # Unrestricted inheritance from the caller.
>> + allow $2 wine_t:process { noatsecure siginh rlimitinh };
>
>
I have no idea why this was added. I guess we can remove it and see if it is rereported.
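
Review bot: in the tunable_policy(`wine_mmap_zero_ignore', ...) block, the body is an allow of self:memprotect mmap_zero, so enabling a boolean whose name says "ignore" grants $1_wine_t the ability to map low memory instead of just silencing the denial. If silencing is the intent, the body should be "dontaudit $1_wine_t self:memprotect mmap_zero;", and any real grant of mmap_zero should sit behind a boolean whose name says it allows the mapping.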
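
Review bot: the rule "allow $2 wine_t:process { noatsecure siginh rlimitinh };" is justified only by the comment "Unrestricted inheritance from the caller", which does not say which domain $2 stands for or which denial prompted it. noatsecure in particular switches off the secure-exec (AT_SECURE) environment cleansing on the transition, so the rule should either be dropped or reduced to the permissions a reported AVC shows are needed, with the comment naming the caller and the reason.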