[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/

[Jason Zaman]

commit:     1dea46140374ccd2b67ed5daf6563e5917df519c
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Wed Oct 13 22:44:14 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Nov 20 22:58:24 2021 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1dea4614

wine: use user exec domain attribute

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/apps/wine.if | 58 +++++++++++++++++++++++++++++----------------
 1 file changed, 37 insertions(+), 21 deletions(-)

diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if
index 25e09d6e..2050167d 100644
--- a/policy/modules/apps/wine.if
+++ b/policy/modules/apps/wine.if
@@ -4,18 +4,29 @@
 ## <summary>
 ##     Role access for wine.
 ## </summary>
-## <param name="role">
+## <param name="role_prefix">
 ##     <summary>
-##     Role allowed access.
+##     The prefix of the user role (e.g., user
+##     is the prefix for user_r).
 ##     </summary>
 ## </param>
-## <param name="domain">
+## <param name="user_domain">
 ##     <summary>
 ##     User domain for the role.
 ##     </summary>
 ## </param>
+## <param name="user_exec_domain">
+##     <summary>
+##     User exec domain for execute and transition access.
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     Role allowed access
+##     </summary>
+## </param>
 #
-interface(`wine_role',`
+template(`wine_role',`
        gen_require(`
                attribute_role wine_roles;
                type wine_exec_t, wine_t, wine_tmp_t;
@@ -24,18 +35,18 @@ interface(`wine_role',`
 
        roleattribute $1 wine_roles;
 
-       domtrans_pattern($2, wine_exec_t, wine_t)
+       domtrans_pattern($3, wine_exec_t, wine_t)
 
-       allow wine_t $2:unix_stream_socket connectto;
-       allow wine_t $2:process signull;
+       allow wine_t $3:unix_stream_socket connectto;
+       allow wine_t $3:process signull;
 
-       ps_process_pattern($2, wine_t)
-       allow $2 wine_t:process { ptrace signal_perms };
+       ps_process_pattern($3, wine_t)
+       allow $3 wine_t:process { ptrace signal_perms };
 
-       allow $2 wine_t:fd use;
-       allow $2 wine_t:shm { associate getattr };
-       allow $2 wine_t:shm rw_shm_perms;
-       allow $2 wine_t:unix_stream_socket connectto;
+       allow $3 wine_t:fd use;
+       allow $3 wine_t:shm { associate getattr };
+       allow $3 wine_t:shm rw_shm_perms;
+       allow $3 wine_t:unix_stream_socket connectto;
 
        allow $2 { wine_tmp_t wine_home_t }:dir { manage_dir_perms 
relabel_dir_perms };
        allow $2 { wine_tmp_t wine_home_t }:file { manage_file_perms 
relabel_file_perms };
@@ -55,18 +66,23 @@ interface(`wine_role',`
 ## </desc>
 ## <param name="role_prefix">
 ##     <summary>
-##     The prefix of the user domain (e.g., user
-##     is the prefix for user_t).
+##     The prefix of the user role (e.g., user
+##     is the prefix for user_r).
 ##     </summary>
 ## </param>
-## <param name="user_role">
+## <param name="user_domain">
 ##     <summary>
-##     The role associated with the user domain.
+##     User domain for the role.
 ##     </summary>
 ## </param>
-## <param name="user_domain">
+## <param name="user_exec_domain">
+##     <summary>
+##     User exec domain for execute and transition access.
+##     </summary>
+## </param>
+## <param name="role">
 ##     <summary>
-##     The type of the user domain.
+##     Role allowed access
 ##     </summary>
 ## </param>
 #
@@ -86,7 +102,7 @@ template(`wine_role_template',`
 
        domtrans_pattern($3, wine_exec_t, $1_wine_t)
 
-       corecmd_bin_domtrans($1_wine_t, $3)
+       corecmd_bin_domtrans($1_wine_t, $2)
 
        userdom_manage_user_tmpfs_files($1_wine_t)
 
@@ -97,7 +113,7 @@ template(`wine_role_template',`
        ')
 
        optional_policy(`
-               xserver_role($1, $1_wine_t, $1_application_exec_domain, $1_r)
+               xserver_role($1, $1_wine_t, $3, $4)
        ')
 ')