From a225f9832d7dcc4fcf516891509659dd7789e879 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Thu, 19 Jan 2006 23:00:23 +0000
Subject: [PATCH] patch from Dan, sent Thu, 19 Jan 2006 14:16:26 -0500

---
 refpolicy/Changelog | 2 ++
 refpolicy/policy/global_tunables | 3 +++
 refpolicy/policy/modules/admin/logwatch.te | 9 ++++++-
 refpolicy/policy/modules/apps/mono.fc | 1 +
 refpolicy/policy/modules/apps/mono.if | 23 +++++++++++++++++
 refpolicy/policy/modules/apps/mono.te | 25 +++++++++++++++++++
 refpolicy/policy/modules/apps/wine.fc | 1 +
 refpolicy/policy/modules/apps/wine.if | 23 +++++++++++++++++
 refpolicy/policy/modules/apps/wine.te | 25 +++++++++++++++++++
 refpolicy/policy/modules/kernel/filesystem.if | 16 ++++++++++++
 refpolicy/policy/modules/services/bind.if | 3 ++-
 refpolicy/policy/modules/services/xdm.te | 2 +-
 refpolicy/policy/modules/system/libraries.fc | 2 +-
 refpolicy/policy/modules/system/unconfined.if | 6 +++++
 refpolicy/policy/modules/system/unconfined.te | 14 +++++------
 15 files changed, 144 insertions(+), 11 deletions(-)
 create mode 100644 refpolicy/policy/modules/apps/mono.fc
 create mode 100644 refpolicy/policy/modules/apps/mono.if
 create mode 100644 refpolicy/policy/modules/apps/mono.te
 create mode 100644 refpolicy/policy/modules/apps/wine.fc
 create mode 100644 refpolicy/policy/modules/apps/wine.if
 create mode 100644 refpolicy/policy/modules/apps/wine.te

diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 8eb8a53f..f2811d3a 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -6,9 +6,11 @@
 	for greater clarity.
 - Added modules:
 	certwatch
+	mono (Dan Walsh)
 	portage
 	userhelper
 	usernetctl
+	wine (Dan Walsh)
 	xserver
 * Tue Jan 17 2006 Chris PeBenito - 20060117
diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables
index 287f9ea6..76b7bb3b 100644
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@@ -12,6 +12,9 @@
 ## Allow cvs daemon to read shadow
 gen_tunable(allow_cvs_read_shadow,false)
+## Allow making the heap executable.
+gen_tunable(allow_execheap,false)
+
 ## Allow making anonymous memory executable, e.g.
 ## for runtime-code generation or executable stack.
 gen_tunable(allow_execmem,false)
diff --git a/refpolicy/policy/modules/admin/logwatch.te b/refpolicy/policy/modules/admin/logwatch.te
index c03ddbd6..6a39b5ce 100644
--- a/refpolicy/policy/modules/admin/logwatch.te
+++ b/refpolicy/policy/modules/admin/logwatch.te
@@ -1,5 +1,5 @@
-policy_module(logwatch,1.0.0)
+policy_module(logwatch,1.0.1)
 #################################
 #
@@ -38,6 +38,7 @@ kernel_read_fs_sysctl(logwatch_t)
 kernel_read_kernel_sysctl(logwatch_t)
 kernel_read_system_state(logwatch_t)
+corecmd_read_sbin_symlink(logwatch_t)
 corecmd_read_sbin_file(logwatch_t)
 corecmd_exec_bin(logwatch_t)
 corecmd_exec_shell(logwatch_t)
@@ -68,6 +69,8 @@ logging_read_all_logs(logwatch_t)
 miscfiles_read_localization(logwatch_t)
+selinux_dontaudit_getattr_dir(logwatch_t)
+
 userdom_dontaudit_search_sysadm_home_dir(logwatch_t)
 userdom_dontaudit_getattr_sysadm_home_dir(logwatch_t)
@@ -94,6 +97,10 @@ optional_policy(`nscd',`
 	nscd_use_socket(logwatch_t)
 ')
+optional_policy(`ntp',`
+	ntp_domtrans(logwatch_t)
+')
+
 optional_policy(`rpc',`
 	rpc_search_nfs_state_data(logwatch_t)
 ')
diff --git a/refpolicy/policy/modules/apps/mono.fc b/refpolicy/policy/modules/apps/mono.fc
new file mode 100644
index 00000000..bc1c679c
--- /dev/null
+++ b/refpolicy/policy/modules/apps/mono.fc
@@ -0,0 +1 @@
+/usr/bin/mono	--	gen_context(system_u:object_r:mono_exec_t,s0)
diff --git a/refpolicy/policy/modules/apps/mono.if b/refpolicy/policy/modules/apps/mono.if
new file mode 100644
index 00000000..ea2e1f76
--- /dev/null
+++ b/refpolicy/policy/modules/apps/mono.if
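Review bot: The description of the new `allow_execheap` tunable says only what it permits, while the `allow_execmem` entry right below it also says what the permission is for, and this one additionally deserves a warning because a writable-and-executable heap removes a code-injection mitigation for every domain that honours the tunable (in this patch that is `unconfined_domain_template`). Suggested wording: `## Allow making the heap executable, e.g. for runtimes that emit code into malloc'd memory. Weakens the no-exec-heap protection for all unconfined domains.` The hunk is complete; no enclosing block.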
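Review bot: `ntp_domtrans(logwatch_t)` lets the log-analysis domain launch processes in the NTP daemon's domain, and nothing in the hunk records which ntp binary logwatch actually executes — presumably a query tool run by its ntp report script rather than ntpd itself, which should be confirmed. A one-line comment inside the block, `# logwatch's ntp service script execs an ntpd_exec_t binary`, would let a later reader judge whether a full daemon-domain transition is needed or whether a plain exec in logwatch_t would do. The `optional_policy` block is complete within the hunk.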
@@ -0,0 +1,23 @@
+## Run .NET server and client applications on Linux.
+
+########################################
+##
+##	Execute the mono program in the mono domain.
+##
+##
+##	Domain allowed access.
+##
+#
+interface(`mono_domtrans',`
+	gen_require(`
+		type mono_t, mono_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domain_auto_trans($1, mono_exec_t, mono_t)
+
+	allow $1 mono_t:fd use;
+	allow mono_t $1:fd use;
+	allow mono_t $1:fifo_file rw_file_perms;
+	allow mono_t $1:process sigchld;
+')
diff --git a/refpolicy/policy/modules/apps/mono.te b/refpolicy/policy/modules/apps/mono.te
new file mode 100644
index 00000000..6ca236fe
--- /dev/null
+++ b/refpolicy/policy/modules/apps/mono.te
@@ -0,0 +1,25 @@
+
+policy_module(mono,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type mono_t;
+domain_type(mono_t)
+
+type mono_exec_t;
+domain_entry_file(mono_t,mono_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+ifdef(`targeted_policy',`
+	allow mono_t self:process execheap;
+	unconfined_domain_template(mono_t)
+	role system_r types mono_t;
+')
+
diff --git a/refpolicy/policy/modules/apps/wine.fc b/refpolicy/policy/modules/apps/wine.fc
new file mode 100644
index 00000000..e9898da2
--- /dev/null
+++ b/refpolicy/policy/modules/apps/wine.fc
@@ -0,0 +1 @@
+/usr/bin/wine	--	gen_context(system_u:object_r:wine_exec_t,s0)
diff --git a/refpolicy/policy/modules/apps/wine.if b/refpolicy/policy/modules/apps/wine.if
new file mode 100644
index 00000000..829367c5
--- /dev/null
+++ b/refpolicy/policy/modules/apps/wine.if
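Review bot: The summary of `mono_domtrans` does not tell a caller what it is transitioning into: in this same patch `mono.te` makes mono_t an `unconfined_domain_template` domain with an unconditional `execheap`, so under targeted policy the transition confines nothing and only adds a permission, while outside targeted policy mono_t has no rules at all. The interface description should say so, e.g. `Execute the mono program in the mono domain. Under targeted policy mono_t is unconfined plus execheap; no access is defined for other policies.` The interface body is complete within the hunk.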
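Review bot: `allow mono_t self:process execheap;` is granted unconditionally, so it is not covered by the `allow_execheap` tunable and its `auditallow` that this same patch adds to `unconfined_domain_template`, which mono_t also receives on the next line; it is the one thing that separates mono_t from plain unconfined_t, and the hunk gives no reason for it. A why-comment would keep the next reader from "fixing" it back under the tunable, e.g. `# mono presumably needs an executable heap for its JIT; deliberately not gated by allow_execheap`. Note also that all of the local policy sits inside `ifdef(`targeted_policy'`, so in any other policy mono_t is declared but can do nothing — if that is intended, a comment in the Local policy section should say so.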
@@ -0,0 +1,23 @@
+## Wine Is Not an Emulator. Run Windows programs in Linux.
+
+########################################
+##
+##	Execute the wine program in the wine domain.
+##
+##
+##	Domain allowed access.
+##
+#
+interface(`wine_domtrans',`
+	gen_require(`
+		type wine_t, wine_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domain_auto_trans($1, wine_exec_t, wine_t)
+
+	allow $1 wine_t:fd use;
+	allow wine_t $1:fd use;
+	allow wine_t $1:fifo_file rw_file_perms;
+	allow wine_t $1:process sigchld;
+')
diff --git a/refpolicy/policy/modules/apps/wine.te b/refpolicy/policy/modules/apps/wine.te
new file mode 100644
index 00000000..c400c8d7
--- /dev/null
+++ b/refpolicy/policy/modules/apps/wine.te
@@ -0,0 +1,25 @@
+
+policy_module(wine,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type wine_t;
+domain_type(wine_t)
+
+type wine_exec_t;
+domain_entry_file(wine_t,wine_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+ifdef(`targeted_policy',`
+	allow wine_t self:process { execstack execmem };
+	unconfined_domain_template(wine_t)
+	role system_r types wine_t;
+	allow wine_t file_type:file execmod;
+')
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index a161fb0a..3a51441d 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -1824,6 +1824,22 @@ interface(`fs_search_ramfs',`
 	allow $1 ramfs_t:dir search;
 ')
+########################################
+##
+##	Dontaudit Search directories on a ramfs
+##
+##
+##	Domain allowed access.
+##
+#
+interface(`fs_dontaudit_search_ramfs',`
+	gen_require(`
+		type ramfs_t;
+	')
+
+	dontaudit $1 ramfs_t:dir search;
+')
+
 ########################################
 ##
 ##	Write to named pipe on a ramfs filesystem.
diff --git a/refpolicy/policy/modules/services/bind.if b/refpolicy/policy/modules/services/bind.if
index 6ad3bd62..2a9ddaa6 100644
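Review bot: `allow wine_t file_type:file execmod;` lets wine apply text relocations to any labeled file on the system, including files in user-writable locations, which is far wider than the `textrel_shlib_t` label the policy otherwise reserves for relocating libraries (see the libraries.fc hunk in this same patch), and it is unconditional rather than behind a tunable like the execheap/execmem grants in unconfined.if. If wine genuinely has to execmod arbitrary Windows binaries under users' home directories, that should be said in a comment above the rule; otherwise narrow it to `allow wine_t textrel_shlib_t:file execmod;` (unless `unconfined_domain_template` already grants it, in which case the line is redundant). The same hunk also grants `execstack` and `execmem` unconditionally with no why-comment; a single line such as `# wine loads and relocates Windows code that is neither NX- nor PIC-clean` would cover all three.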
--- a/refpolicy/policy/modules/services/bind.if
+++ b/refpolicy/policy/modules/services/bind.if
@@ -161,10 +161,11 @@ interface(`bind_manage_config_dir',`
 #
 interface(`bind_search_cache',`
 	gen_require(`
-		type named_cache_t, named_zone_t;
+		type named_conf_t, named_cache_t, named_zone_t;
 	')
 	files_search_var($1)
+	allow $1 named_conf_t:dir search_dir_perms;
 	allow $1 named_zone_t:dir search_dir_perms;
 	allow $1 named_cache_t:dir search_dir_perms;
 ')
diff --git a/refpolicy/policy/modules/services/xdm.te b/refpolicy/policy/modules/services/xdm.te
index 387464d3..2f33fa79 100644
--- a/refpolicy/policy/modules/services/xdm.te
+++ b/refpolicy/policy/modules/services/xdm.te
@@ -68,7 +68,7 @@ selinux_compute_user_contexts(xdm_t)
 files_read_etc_runtime_files(xdm_t)
 ifdef(`targeted_policy',`
-	allow xdm_t self:process execmem;
+	allow xdm_t self:process { execheap execmem };
 	unconfined_domain_template(xdm_t)
 	unconfined_domtrans(xdm_t)
 ',`
diff --git a/refpolicy/policy/modules/system/libraries.fc b/refpolicy/policy/modules/system/libraries.fc
index 28c4f03a..b563a0d2 100644
--- a/refpolicy/policy/modules/system/libraries.fc
+++ b/refpolicy/policy/modules/system/libraries.fc
@@ -166,7 +166,7 @@ HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textre
 /usr/lib(64)?/libdivxencore.so.0	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 # Java, Sun Microsystems (JPackage SRPM)
-/usr/.*/jre/lib/i386/libdeploy.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/.*/jre.*/lib/i386/libdeploy.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr(/.*)?/Reader/intellinux/plug_ins/.*\.api	--	gen_context(system_u:object_r:shlib_t,s0)
 /usr(/.*)?/Reader/intellinux/plug_ins/AcroForm\.api	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if
index 59fe0092..3a102955 100644
--- a/refpolicy/policy/modules/system/unconfined.if
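Review bot: `bind_search_cache` now also grants `search` on `named_conf_t`, so the interface does more than its name and its summary (which sits just above the hunk, outside it) describe; a caller wanting only cache access now silently gets configuration-directory search as well. Either update the summary to `Search the BIND configuration, zone and cache directories.` so the widened scope is documented, or put the new rule in a separate `bind_search_config` interface and have the caller that needed it invoke both. The interface body itself is complete within the hunk.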
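Review bot: The `execheap` added to xdm_t is unconditional, so — like the existing `execmem` — it is not governed by the `allow_execheap` tunable and its `auditallow` that this same patch adds to `unconfined_domain_template`, which xdm_t receives on the very next line, and no comment records which display-manager component needs a writable-and-executable heap in a root-run domain. A why-comment above the rule, e.g. `# execheap: needed by <component> under xdm — intentionally not gated by allow_execheap`, with the component filled in, would justify the exception. The `ifdef` has an else branch that begins after the hunk, so the strict-policy side is not visible here.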
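Review bot: In the rewritten pattern the `.` in `libdeploy.so` is unescaped and matches any character, while the neighbouring entries in the same hunk write `\.so` and `\.api`; it should be `/usr/.*/jre.*/lib/i386/libdeploy\.so`. The removed line had the same flaw, but this is the line being committed, and a loose match on a `textrel_shlib_t` entry labels more files as allowed to execmod than intended. `jre.*` followed by `/lib/i386` will also match across several directory levels; that is presumably meant to cover versioned `jre1.x.y` directories and is fine if so — confirm.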
+++ b/refpolicy/policy/modules/system/unconfined.if
@@ -38,6 +38,12 @@ template(`unconfined_domain_template',`
 	fs_unconfined($1)
 	selinux_unconfined($1)
+	tunable_policy(`allow_execheap',`
+		# Allow making the stack executable via mprotect.
+		allow $1 self:process execheap;
+		auditallow $1 self:process execheap;
+	')
+
 	tunable_policy(`allow_execmem',`
 		# Allow making anonymous memory executable, e.g.
 		# for runtime-code generation or executable stack.
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index 87f7af65..d5d0110f 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -1,5 +1,5 @@
-policy_module(unconfined,1.2.0)
+policy_module(unconfined,1.2.1)
 ########################################
 #
@@ -97,6 +97,10 @@ ifdef(`targeted_policy',`
 		modutils_domtrans_update_mods(unconfined_t)
 	')
+	optional_policy(`mono',`
+		mono_domtrans(unconfined_t)
+	')
+
 	optional_policy(`netutils',`
 		netutils_domtrans_ping(unconfined_t)
 	')
@@ -141,11 +145,7 @@ ifdef(`targeted_policy',`
 		webalizer_domtrans(unconfined_t)
 	')
-	ifdef(`TODO',`
-	ifdef(`use_mcs',`
-		rw_dir_create_file(sysadm_su_t, home_dir_type)
+	optional_policy(`wine',`
+		wine_domtrans(unconfined_t)
 	')
-	allow unconfined_t initrc_t : dbus { send_msg acquire_svc };
-	allow initrc_t unconfined_t : dbus { send_msg acquire_svc };
-	') dnl end TODO
 ')
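Review bot: The comment inside the new `allow_execheap` block describes the wrong permission — it says `# Allow making the stack executable via mprotect.` while the rules grant `execheap`; it reads as copied from an execstack block and will mislead whoever triages the `auditallow` hits this block generates. Change it to `# Allow making the heap executable via mprotect.` The `unconfined_domain_template` body continues on both sides of the hunk.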