SELinux and Wine
Daniel J Walsh
dwalsh at redhat.com
Fri Aug 7 10:39:05 UTC 2009
On 08/06/2009 08:03 AM, Stephen Smalley wrote:
> On Thu, 2009-08-06 at 00:15 -0400, Ryan Gandy wrote:
>> Oops. Hit the wrong button by mistake, here you go. Whole stack of
>> AVC denials.
>>
>> Aug 3 16:39:41 TechComm kernel: type=1400
>> audit(1249331981.357:15701): avc: denied { mmap_zero } for pid=3752
>> comm="wine-preloader" scontext=staff_u:staff_r:
>> staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
>> tclass=memprotect
>> Aug 3 16:39:41 TechComm kernel: type=1400
>> audit(1249331981.357:15702): avc: denied { execmem } for pid=3752
>> comm="wine-preloader" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
>> tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
>> Aug 3 16:39:41 TechComm kernel: type=1400
>
> Hmm...so there is no transition defined from the confined user domains
> to wine_t, only from unconfined_t. That is likely intentional since
> wine_t is unconfined under targeted policy (there is a
> unconfined_domain_noaudit() call in wine.te).
>
If you build a policy with

    policy_module(mywine, 1.0)
    gen_require(`
        type staff_t;
        role staff_r;
    ')
    wine_role(staff_t, staff_r)

You should be able to try out the staff_wine_t type.
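An added example, not part of the thread: a small Python checker that parses AVC lines like the ones Ryan posted and flags the symptom Stephen points out, namely wine-preloader still running in the user's own domain (source and target types identical, no wine domain) instead of having transitioned. The sample lines are reassembled from the quoted report; treating any type ending in "wine_t" as a wine domain is an assumption.

```python
import re
from collections import Counter

# Constructed sample: the two denials from the report, re-joined onto single lines.
SAMPLE_AVCS = """\
Aug 3 16:39:41 TechComm kernel: type=1400 audit(1249331981.357:15701): avc: denied { mmap_zero } for pid=3752 comm="wine-preloader" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=memprotect
Aug 3 16:39:41 TechComm kernel: type=1400 audit(1249331981.357:15702): avc: denied { execmem } for pid=3752 comm="wine-preloader" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial; return a dict of its fields, or None if not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec = {'perms': m.group('perms').split()}
    rec.update(fields)
    # user:role:type[:range] -- the third field of a context is the type
    rec['stype'] = fields.get('scontext', '::?').split(':')[2]
    rec['ttype'] = fields.get('tcontext', '::?').split(':')[2]
    return rec


def missing_transitions(log, comm='wine-preloader', wine_suffix='wine_t'):
    """Count denials for `comm` whose source type is not a wine domain (assumed
    to end in `wine_suffix`), keyed by (source type, tclass, permission).
    A non-empty result means the process never left the caller's domain."""
    counts = Counter()
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None or rec.get('comm') != comm:
            continue
        if rec['stype'].endswith(wine_suffix):
            continue  # transition happened; these are denials against the wine domain itself
        for perm in rec['perms']:
            counts[(rec['stype'], rec['tclass'], perm)] += 1
    return counts


if __name__ == '__main__':
    for (stype, tclass, perm), n in sorted(missing_transitions(SAMPLE_AVCS).items()):
        print(f'{n}x {perm} ({tclass}) while still in {stype}: no transition to a wine domain')
```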