diff --git a/refpolicy/policy/modules/apps/wine.te b/refpolicy/policy/modules/apps/wine.te
index 21ac5b4e..b9cda469 100644
--- a/refpolicy/policy/modules/apps/wine.te
+++ b/refpolicy/policy/modules/apps/wine.te
@@ -1,5 +1,5 @@
-policy_module(wine,1.1.0)
+policy_module(wine,1.1.1)
 ########################################
 #
@@ -20,6 +20,5 @@ domain_entry_file(wine_t,wine_exec_t)
 ifdef(`targeted_policy',`
 allow wine_t self:process { execstack execmem };
 unconfined_domain_noaudit(wine_t)
- role system_r types wine_t;
- allow wine_t file_type:file execmod;
+ files_execmod_all_files(wine_t)
 ')
diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
index 1ec9f574..bae6158b 100644
--- a/refpolicy/policy/modules/kernel/files.if
+++ b/refpolicy/policy/modules/kernel/files.if
@@ -450,6 +450,37 @@ interface(`files_read_all_files',`
 ')
 ')
+########################################
+##
+## Allow shared library text relocations in all files.
+##
+##
+##
+## Allow shared library text relocations in all files.
+##
+##
+## This is added to support WINE in the targeted
+## policy. It has no effect on the strict policy.
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_execmod_all_files',`
+ ifdef(`targeted_policy',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ allow $1 file_type:file execmod;
+ ',`
+ errprint(__file__:__line__:` $0($1) has no effect in strict policy.'__endline__)
+ ')
+')
+
 ########################################
 ##
 ## Read all non-security files.
diff --git a/refpolicy/policy/modules/kernel/files.te b/refpolicy/policy/modules/kernel/files.te
index 6a362d6a..942046aa 100644
--- a/refpolicy/policy/modules/kernel/files.te
+++ b/refpolicy/policy/modules/kernel/files.te
@@ -1,5 +1,5 @@
-policy_module(files,1.2.9)
+policy_module(files,1.2.10)
 ########################################
 #
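Review bot: The new call `files_execmod_all_files(wine_t)` in the second wine.te hunk stands in only for the removed execmod rule. The interface added in files.if contains a single allow rule and no role statement, so the dropped `role system_r types wine_t;` has no replacement visible in this patch. If nothing else authorizes wine_t for system_r (presumably one of the macros called above does, but that is not shown here), contexts pairing that role with wine_t would no longer be valid in the targeted policy; this is worth confirming and recording in the commit message. A short comment above the call would also help readers, since together with `execstack execmem` and `unconfined_domain_noaudit` it removes every memory-protection check for this domain: `# execmod on all file types: text relocations in binaries run under wine (targeted policy only)`.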
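Review bot: The doc block for `files_execmod_all_files` in files.if repeats the summary sentence verbatim as its first description paragraph and never states what the grant costs. `allow $1 file_type:file execmod;` lets the caller make a modified private mapping of any labeled file executable, which switches off the text-relocation check for that domain across every file type. I would replace the duplicate paragraph with a caution such as `## Grants execmod on every file type; use only for domains that are already unconfined.` so that later callers do not use the interface for a confined domain. In the strict branch the interface only prints through `errprint` and adds no rules, so a caller outside a targeted_policy guard still builds; if that is meant as a warning rather than an error, the description should say so.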
+## Allow shared library text relocations in all files. +##
+## This is added to support WINE in the targeted +## policy. It has no effect on the strict policy. +##