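## <summary>Wine Is Not an Emulator.  Run Windows programs in Linux.</summary>

#######################################
## <summary>
##	The per role template for the wine module.
## </summary>
## <desc>
##	<p>
##	This template allows a role to run the shared wine_t domain
##	and lets the given user domain start, signal, share memory
##	with and pass file descriptors to it.
##	</p>
##	<p>
##	Because wine_t is entered with noatsecure and the user domain
##	keeps signal, fd, shm and socket access to it, this is a
##	labelling/role arrangement rather than an isolation boundary
##	between the user domain and wine.
##	</p>
## </desc>
## <param name="role">
##	<summary>
##	The role associated with the user domain.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	The type of the user domain.
##	</summary>
## </param>
#
template(`wine_role',`
	gen_require(`
		type wine_t;
		type wine_home_t;
		type wine_exec_t;
	')

	role $1 types wine_t;

	# Transition into wine_t when the user domain executes wine_exec_t.
	domain_auto_trans($2, wine_exec_t, wine_t)

	# Unrestricted inheritance from the caller: no AT_SECURE on the
	# transition (the caller's environment reaches the loader
	# unfiltered), and signal state and rlimits are inherited.
	allow $2 wine_t:process { noatsecure siginh rlimitinh };
	allow wine_t $2:fd use;
	allow wine_t $2:process { sigchld signull };
	allow wine_t $2:unix_stream_socket connectto;

	# Allow the user domain to signal/ps.
	ps_process_pattern($2, wine_t)
	allow $2 wine_t:process signal_perms;

	# The user domain can hand fds to wine, attach to its shm
	# segments and connect to its unix sockets.
	allow $2 wine_t:fd use;
	allow $2 wine_t:shm { associate getattr unix_read unix_write };
	allow $2 wine_t:unix_stream_socket connectto;

	# Home files: the user domain fully manages and relabels the
	# wine home content so it can be created, cleaned and restored.
	manage_dirs_pattern($2, wine_home_t, wine_home_t)
	manage_files_pattern($2, wine_home_t, wine_home_t)
	manage_lnk_files_pattern($2, wine_home_t, wine_home_t)
	relabel_dirs_pattern($2, wine_home_t, wine_home_t)
	relabel_files_pattern($2, wine_home_t, wine_home_t)
	relabel_lnk_files_pattern($2, wine_home_t, wine_home_t)
')

#######################################
## <summary>
##	The role template for the wine module.
## </summary>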

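## <desc>
##	<p>
##	This template creates a derived domain ($1_wine_t) which is
##	used for wine applications run by the given user domain.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <param name="user_role">
##	<summary>
##	The role associated with the user domain.
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	The type of the user domain.
##	</summary>
## </param>
#
template(`wine_role_template',`
	gen_require(`
		type wine_t;
		type wine_exec_t;
	')

	type $1_wine_t;
	domain_type($1_wine_t)
	domain_entry_file($1_wine_t, wine_exec_t)
	ubac_constrained($1_wine_t)
	role $2 types $1_wine_t;

	# Windows binaries need writable+executable anonymous memory
	# and an executable stack.
	allow $1_wine_t self:process { execmem execstack };

	# The user domain may inspect, ptrace and signal its wine domain;
	# ptrace in particular means $1_wine_t keeps nothing from $3.
	allow $3 $1_wine_t:process { getattr ptrace noatsecure signal_perms };
	domtrans_pattern($3, wine_exec_t, $1_wine_t)

	# Native programs launched from wine run back in the user domain.
	# NOTE(review): assumes the user domain is named $1_t, i.e. that
	# $3 is $1_t - confirm with callers.
	corecmd_bin_domtrans($1_wine_t, $1_t)

	userdom_unpriv_usertype($1, $1_wine_t)
	userdom_manage_tmpfs_role($2, $1_wine_t)

	# Low-memory mapping for legacy (16-bit) Windows code; whether
	# mmap_zero is actually granted is presumably decided by a
	# tunable elsewhere, so the boolean below only silences the
	# denial when it is not.
	domain_mmap_low($1_wine_t)

	tunable_policy(`wine_mmap_zero_ignore',`
		dontaudit $1_wine_t self:memprotect mmap_zero;
	')

	optional_policy(`
		# NOTE(review): uses $1_r rather than $2; equivalent only
		# when the role passed as $2 is named $1_r - confirm.
		xserver_role($1_r, $1_wine_t)
	')
')

########################################
## <summary>
##	Execute the wine program in the wine domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`wine_domtrans',`
	gen_require(`
		type wine_t, wine_exec_t;
	')

	# Search of bin dirs is needed to reach the wine_exec_t entry point.
	corecmd_search_bin($1)
	domtrans_pattern($1, wine_exec_t, wine_t)
')

########################################
## <summary>
##	Execute wine in the wine domain, and
##	allow the specified role the wine domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
interface(`wine_run',`
	gen_require(`
		type wine_t;
	')

	wine_domtrans($1)
	role $2 types wine_t;
')

########################################
## <summary>
##	Read and write wine Shared
##	memory segments.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`wine_rw_shm',`
	gen_require(`
		type wine_t;
	')

	allow $1 wine_t:shm rw_shm_perms;
')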