SELinux and Wine
Eric Paris
eparis at redhat.com
Tue Aug 4 20:25:15 UTC 2009
On Tue, 2009-08-04 at 14:57 -0400, Ryan Gandy wrote:
> Hello,
>
> I use FC11 64 bit and have the default (add/remove software)
> installation for both SELinux and Wine. I've been trying to get my
> Windows programs to run but see entries in my setroubleshoot log
> regarding Wine not being cleared for "allow_execmem" or "mmap_zero."
> I'm not that experienced with it, but I gather enabling either of
> these would be a bad thing from what I've already seen on google. Is
> there a way I can get Wine to run without effectively disabling
> SELinux?
For the most part? No. Wine does things which are bad for system
security. You can disable security just for wine (define wine as a
permissive domain using semanage) of you can allow the things it wants
using the booleans which I'm guessing setroubleshoot suggested.
You are much better off allowing the mmap_zero boolean than you are
setting the mmap_zero proc tunable to 0.
As for execmem I'm surprised that one isn't already being allowed, might
be a bug?
-Eric
More information about the fedora-selinux-list
mailing list