patch from Dan, sent Thu, 19 Jan 2006 14:16:26 -0500

refpolicy/Changelog

@@ -6,9 +6,11 @@
   for greater clarity.
 - Added modules:
 	certwatch
+	mono (Dan Walsh)
 	portage
 	userhelper
 	usernetctl
+	wine (Dan Walsh)
 	xserver
 
 * Tue Jan 17 2006 Chris PeBenito <selinux@tresys.com> - 20060117

refpolicy/policy/global_tunables

@@ -12,6 +12,9 @@
 ## Allow cvs daemon to read shadow
 gen_tunable(allow_cvs_read_shadow,false)
 
+## Allow making the heap executable.
+gen_tunable(allow_execheap,false)
+
 ## Allow making anonymous memory executable, e.g. 
 ## for runtime-code generation or executable stack.
 gen_tunable(allow_execmem,false)

refpolicy/policy/modules/admin/logwatch.te

@@ -1,5 +1,5 @@
 
-policy_module(logwatch,1.0.0)
+policy_module(logwatch,1.0.1)
 
 #################################
 #
@@ -38,6 +38,7 @@ kernel_read_fs_sysctl(logwatch_t)
 kernel_read_kernel_sysctl(logwatch_t)
 kernel_read_system_state(logwatch_t)
 
+corecmd_read_sbin_symlink(logwatch_t)
 corecmd_read_sbin_file(logwatch_t)
 corecmd_exec_bin(logwatch_t)
 corecmd_exec_shell(logwatch_t)
@@ -68,6 +69,8 @@ logging_read_all_logs(logwatch_t)
 
 miscfiles_read_localization(logwatch_t)
 
+selinux_dontaudit_getattr_dir(logwatch_t)
+
 userdom_dontaudit_search_sysadm_home_dir(logwatch_t)
 userdom_dontaudit_getattr_sysadm_home_dir(logwatch_t)
 
@@ -94,6 +97,10 @@ optional_policy(`nscd',`
 	nscd_use_socket(logwatch_t)
 ')
 
+optional_policy(`ntp',`
+	ntp_domtrans(logwatch_t)
+')
+
 optional_policy(`rpc',`
 	rpc_search_nfs_state_data(logwatch_t)
 ')

refpolicy/policy/modules/apps/mono.fc

@@ -0,0 +1 @@
+/usr/bin/mono	--	gen_context(system_u:object_r:mono_exec_t,s0)

refpolicy/policy/modules/apps/mono.if

@@ -0,0 +1,23 @@
+## <summary>Run .NET server and client applications on Linux.</summary>
+
+########################################
+## <summary>
+##	Execute the mono program in the mono domain.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`mono_domtrans',`
+	gen_require(`
+		type mono_t, mono_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domain_auto_trans($1, mono_exec_t, mono_t)
+
+	allow $1 mono_t:fd use;
+	allow mono_t $1:fd use;
+	allow mono_t $1:fifo_file rw_file_perms;
+	allow mono_t $1:process sigchld;
+')

refpolicy/policy/modules/apps/mono.te

@@ -0,0 +1,25 @@
+
+policy_module(mono,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type mono_t;
+domain_type(mono_t)
+
+type mono_exec_t;
+domain_entry_file(mono_t,mono_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+ifdef(`targeted_policy',`
+	allow mono_t self:process execheap;
+	unconfined_domain_template(mono_t)
+	role system_r types mono_t;
+')
+

refpolicy/policy/modules/apps/wine.fc

@@ -0,0 +1 @@
+/usr/bin/wine	--	gen_context(system_u:object_r:wine_exec_t,s0)

refpolicy/policy/modules/apps/wine.if

@@ -0,0 +1,23 @@
+## <summary>Wine Is Not an Emulator.  Run Windows programs in Linux.</summary>
+
+########################################
+## <summary>
+##	Execute the wine program in the wine domain.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`wine_domtrans',`
+	gen_require(`
+		type wine_t, wine_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domain_auto_trans($1, wine_exec_t, wine_t)
+
+	allow $1 wine_t:fd use;
+	allow wine_t $1:fd use;
+	allow wine_t $1:fifo_file rw_file_perms;
+	allow wine_t $1:process sigchld;
+')

refpolicy/policy/modules/apps/wine.te

@@ -0,0 +1,25 @@
+
+policy_module(wine,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type wine_t;
+domain_type(wine_t)
+
+type wine_exec_t;
+domain_entry_file(wine_t,wine_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+ifdef(`targeted_policy',`
+	allow wine_t self:process { execstack execmem };
+	unconfined_domain_template(wine_t)
+	role system_r types wine_t;
+	allow wine_t file_type:file execmod;
+')

refpolicy/policy/modules/kernel/filesystem.if

@@ -1824,6 +1824,22 @@ interface(`fs_search_ramfs',`
 	allow $1 ramfs_t:dir search;
 ')
 
+########################################
+## <summary>
+##	Dontaudit Search directories on a ramfs
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`fs_dontaudit_search_ramfs',`
+	gen_require(`
+		type ramfs_t;
+	')
+
+	dontaudit $1 ramfs_t:dir search;
+')
+
 ########################################
 ## <summary>
 ##	Write to named pipe on a ramfs filesystem.

refpolicy/policy/modules/services/bind.if

@@ -161,10 +161,11 @@ interface(`bind_manage_config_dir',`
 #
 interface(`bind_search_cache',`
 	gen_require(`
-		type named_cache_t, named_zone_t;
+		type named_conf_t, named_cache_t, named_zone_t;
 	')
 
 	files_search_var($1)
+	allow $1 named_conf_t:dir search_dir_perms;
 	allow $1 named_zone_t:dir search_dir_perms;
 	allow $1 named_cache_t:dir search_dir_perms;
 ')

refpolicy/policy/modules/services/xdm.te

@@ -68,7 +68,7 @@ selinux_compute_user_contexts(xdm_t)
 files_read_etc_runtime_files(xdm_t)
 
 ifdef(`targeted_policy',`
-	allow xdm_t self:process execmem;
+	allow xdm_t self:process { execheap execmem };
 	unconfined_domain_template(xdm_t)
 	unconfined_domtrans(xdm_t)
 ',`

refpolicy/policy/modules/system/libraries.fc

@@ -166,7 +166,7 @@ HOME_DIR/.*/plugins/libflashplayer\.so.* --	gen_context(system_u:object_r:textre
 /usr/lib(64)?/libdivxencore.so.0		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 # Java, Sun Microsystems (JPackage SRPM)
-/usr/.*/jre/lib/i386/libdeploy.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/.*/jre.*/lib/i386/libdeploy.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 /usr(/.*)?/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:shlib_t,s0)
 /usr(/.*)?/Reader/intellinux/plug_ins/AcroForm\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)

refpolicy/policy/modules/system/unconfined.if

@@ -38,6 +38,12 @@ template(`unconfined_domain_template',`
 	fs_unconfined($1)
 	selinux_unconfined($1)
 
+	tunable_policy(`allow_execheap',`
+		# Allow making the stack executable via mprotect.
+		allow $1 self:process execheap;
+		auditallow $1 self:process execheap;
+	')
+
 	tunable_policy(`allow_execmem',`
 		# Allow making anonymous memory executable, e.g. 
 		# for runtime-code generation or executable stack.

refpolicy/policy/modules/system/unconfined.te

@@ -1,5 +1,5 @@
 
-policy_module(unconfined,1.2.0)
+policy_module(unconfined,1.2.1)
 
 ########################################
 #
@@ -97,6 +97,10 @@ ifdef(`targeted_policy',`
 		modutils_domtrans_update_mods(unconfined_t)
 	')
 
+	optional_policy(`mono',`
+		mono_domtrans(unconfined_t)
+	')
+
 	optional_policy(`netutils',`
 		netutils_domtrans_ping(unconfined_t)
 	')
@@ -141,11 +145,7 @@ ifdef(`targeted_policy',`
 		webalizer_domtrans(unconfined_t)
 	')
 
-	ifdef(`TODO',`
+	optional_policy(`wine',`
-	ifdef(`use_mcs',`
+		wine_domtrans(unconfined_t)
-	rw_dir_create_file(sysadm_su_t, home_dir_type)
 	')
-	allow unconfined_t initrc_t : dbus { send_msg acquire_svc };
-	allow initrc_t unconfined_t : dbus { send_msg acquire_svc };
-	') dnl end TODO
 ')