* [refpolicy] apps_wine.patch
@ 2009-03-05 16:19 Daniel J Walsh
0 siblings, 0 replies; 10+ messages in thread
From: Daniel J Walsh @ 2009-03-05 16:19 UTC (permalink / raw)
To: refpolicy
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
http://people.fedoraproject.org/~dwalsh/SELinux/F11/apps_wine.patch
Additional file context for wine apps
wine mmap low memory.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkmv+5UACgkQrlYvE4MpobMlDwCfRGg/NoDA+tsx+b89mtPLaUvg
rR0Anjqcj9HkiAoiX4uEb6C5nOYRQaER
=eSAe
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 10+ messages in thread
* [refpolicy] apps_wine.patch
@ 2010-08-26 22:44 Daniel J Walsh
0 siblings, 0 replies; 10+ messages in thread
From: Daniel J Walsh @ 2010-08-26 22:44 UTC (permalink / raw)
To: refpolicy
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
http://people.fedoraproject.org/~dwalsh/SELinux/F14/apps_wine.patch
Add label for wine_home
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAkx27jMACgkQrlYvE4MpobPGMwCgib83shOnjBTxZG39+6YKqBcI
vMYAmwbZFSLToP9QoUXhtkzLBbxdyvEb
=7pVK
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 10+ messages in thread
* [refpolicy] apps_wine.patch
2010-07-06 15:42 ` Christopher J. PeBenito
@ 2010-07-12 14:22 ` Daniel J Walsh
0 siblings, 0 replies; 10+ messages in thread
From: Daniel J Walsh @ 2010-07-12 14:22 UTC (permalink / raw)
To: refpolicy
On 07/06/2010 11:42 AM, Christopher J. PeBenito wrote:
> On 06/02/10 16:16, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/apps_wine.patch
>>
>> Picasa ships wine execs.
>>
>> wine changes fro domain_mmap_low
>
> This last part confuses me. I thought mmap_low was intrinsically
> required for wine. Neglecting that question, there seems to be an error
> in the .if:
>
It is only required by wine if you run old DOS 16 bit apps or badly
written ones. Newer Windows apps should not require this.
>> + tunable_policy(`wine_mmap_zero_ignore',`
>> + allow $1_wine_t self:memprotect mmap_zero;
>> + ')
>
> Shouldn't this be dontaudited?
>
Yes.
> This doesn't seem to make sense. Aren't the subject and object
> reversed? Also it seems odd, since wine is running Windows programs,
> which wouldn't really inherit things from the Linux environment:
>
>> + # Unrestricted inheritance from the caller.
>> + allow $2 wine_t:process { noatsecure siginh rlimitinh };
>
>
I have no idea why this was added. I guess we can remove it and see if
it is rereported.
^ permalink raw reply [flat|nested] 10+ messages in thread
* [refpolicy] apps_wine.patch
2010-06-02 20:16 Daniel J Walsh
@ 2010-07-06 15:42 ` Christopher J. PeBenito
2010-07-12 14:22 ` Daniel J Walsh
0 siblings, 1 reply; 10+ messages in thread
From: Christopher J. PeBenito @ 2010-07-06 15:42 UTC (permalink / raw)
To: refpolicy
On 06/02/10 16:16, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F14/apps_wine.patch
>
> Picasa ships wine execs.
>
> wine changes fro domain_mmap_low
This last part confuses me. I thought mmap_low was intrinsically
required for wine. Neglecting that question, there seems to be an error
in the .if:
> + tunable_policy(`wine_mmap_zero_ignore',`
> + allow $1_wine_t self:memprotect mmap_zero;
> + ')
Shouldn't this be dontaudited?
This doesn't seem to make sense. Aren't the subject and object
reversed? Also it seems odd, since wine is running Windows programs,
which wouldn't really inherit things from the Linux environment:
> + # Unrestricted inheritance from the caller.
> + allow $2 wine_t:process { noatsecure siginh rlimitinh };
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 10+ messages in thread
* [refpolicy] apps_wine.patch
@ 2010-06-02 20:16 Daniel J Walsh
2010-07-06 15:42 ` Christopher J. PeBenito
0 siblings, 1 reply; 10+ messages in thread
From: Daniel J Walsh @ 2010-06-02 20:16 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F14/apps_wine.patch
Picasa ships wine execs.
wine changes fro domain_mmap_low
^ permalink raw reply [flat|nested] 10+ messages in thread
* [refpolicy] apps_wine.patch
2009-11-12 20:55 Daniel J Walsh
@ 2010-02-19 14:18 ` Christopher J. PeBenito
0 siblings, 0 replies; 10+ messages in thread
From: Christopher J. PeBenito @ 2010-02-19 14:18 UTC (permalink / raw)
To: refpolicy
On Thu, 2009-11-12 at 15:55 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F12/apps_wine.patch
>
> Latest wine policy to be used with confined domains.
Merged.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
^ permalink raw reply [flat|nested] 10+ messages in thread
* [refpolicy] apps_wine.patch
@ 2009-11-12 20:55 Daniel J Walsh
2010-02-19 14:18 ` Christopher J. PeBenito
0 siblings, 1 reply; 10+ messages in thread
From: Daniel J Walsh @ 2009-11-12 20:55 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F12/apps_wine.patch
Latest wine policy to be used with confined domains.
^ permalink raw reply [flat|nested] 10+ messages in thread
* [refpolicy] apps_wine.patch
@ 2009-08-28 20:18 Daniel J Walsh
0 siblings, 0 replies; 10+ messages in thread
From: Daniel J Walsh @ 2009-08-28 20:18 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F12/apps_wine.patch
Lots of new paths for wine, As well as some new allow rules.
^ permalink raw reply [flat|nested] 10+ messages in thread
* [refpolicy] apps_wine.patch
@ 2009-05-21 15:11 Daniel J Walsh
0 siblings, 0 replies; 10+ messages in thread
From: Daniel J Walsh @ 2009-05-21 15:11 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F11/apps_wine.patch
Wine policy see java, mono, execmem.
^ permalink raw reply [flat|nested] 10+ messages in thread
* [refpolicy] apps_wine.patch
@ 2009-03-24 13:22 Daniel J Walsh
0 siblings, 0 replies; 10+ messages in thread
From: Daniel J Walsh @ 2009-03-24 13:22 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F11/apps_wine.patch
Lots of new file context for wine. Need to make sure all hard links
have same file context
Added wine role interface
wine uses domain_mmap_log
wine interacts with the xserver
^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2010-08-26 22:44 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2009-03-05 16:19 [refpolicy] apps_wine.patch Daniel J Walsh
2009-03-24 13:22 Daniel J Walsh
2009-05-21 15:11 Daniel J Walsh
2009-08-28 20:18 Daniel J Walsh
2009-11-12 20:55 Daniel J Walsh
2010-02-19 14:18 ` Christopher J. PeBenito
2010-06-02 20:16 Daniel J Walsh
2010-07-06 15:42 ` Christopher J. PeBenito
2010-07-12 14:22 ` Daniel J Walsh
2010-08-26 22:44 Daniel J Walsh
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.