SELinux and Wine

Fri Aug 7 10:39:05 UTC 2009

On 08/06/2009 08:03 AM, Stephen Smalley wrote:
> On Thu, 2009-08-06 at 00:15 -0400, Ryan Gandy wrote:
>> Oops.  Hit the wrong button by mistake, here you go.  Whole stack of
>> AVC denials.
>>
>> Aug  3 16:39:41 TechComm kernel: type=1400
>> audit(1249331981.357:15701): avc:  denied  { mmap_zero } for  pid=3752
>> comm="wine-preloader" scontext=staff_u:staff_r:
>> staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
>> tclass=memprotect
>> Aug  3 16:39:41 TechComm kernel: type=1400
>> audit(1249331981.357:15702): avc:  denied  { execmem } for  pid=3752
>> comm="wine-preloader" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
>> tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
>> Aug  3 16:39:41 TechComm kernel: type=1400 
> 
> Hmm...so there is no transition defined from the confined user domains
> to wine_t, only from unconfined_t.  That is likely intentional since
> wine_t is unconfined under targeted policy (there is a
> unconfined_domain_noaudit() call in wine.te).
> 
If you build a policy with 

policy_module(mywine, 1.0)
gen_require(`
	type staff_t;
	role staff_r;
')

wine_role(staff_t, staff_r)

You should be able to try out the staff_wine_t type.