SELinux and Wine

Stephen Smalley sds at tycho.nsa.gov
Thu Aug 6 12:03:24 UTC 2009


On Thu, 2009-08-06 at 00:15 -0400, Ryan Gandy wrote:
> Oops.  Hit the wrong button by mistake, here you go.  Whole stack of
> AVC denials.
> 
> Aug  3 16:39:41 TechComm kernel: type=1400
> audit(1249331981.357:15701): avc:  denied  { mmap_zero } for  pid=3752
> comm="wine-preloader" scontext=staff_u:staff_r:
> staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
> tclass=memprotect
> Aug  3 16:39:41 TechComm kernel: type=1400
> audit(1249331981.357:15702): avc:  denied  { execmem } for  pid=3752
> comm="wine-preloader" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
> tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
> Aug  3 16:39:41 TechComm kernel: type=1400 

Hmm...so there is no transition defined from the confined user domains
to wine_t, only from unconfined_t.  That is likely intentional since
wine_t is unconfined under targeted policy (there is an
unconfined_domain_noaudit() call in wine.te).

-- 
Stephen Smalley
National Security Agency
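
To read the quoted denials the way the reply does, the following added example (not part of the original message; the function names are hypothetical) parses the AVC records, undoes the mail client's line wrapping, and reports which domain wine-preloader was running in: staff_t rather than wine_t.

```python
import re

# The denials quoted in the message above, copied with the mail client's line
# wrapping intact (the first scontext is split across two lines).
SAMPLE = """\
Aug  3 16:39:41 TechComm kernel: type=1400
audit(1249331981.357:15701): avc:  denied  { mmap_zero } for  pid=3752
comm="wine-preloader" scontext=staff_u:staff_r:
staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tclass=memprotect
Aug  3 16:39:41 TechComm kernel: type=1400
audit(1249331981.357:15702): avc:  denied  { execmem } for  pid=3752
comm="wine-preloader" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
Aug  3 16:39:41 TechComm kernel: type=1400
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?comm="(?P<comm>[^"]+)".*?'
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def parse_avc(text):
    """Parse AVC denials from syslog text, tolerating wrapped records."""
    # Undo wrapping: a break right after ':' fell inside a context string,
    # any other break separated two fields.
    flat = text.replace(":\n", ":").replace("\n", " ")
    denials = []
    for chunk in flat.split("type=1400")[1:]:
        m = AVC_RE.search(chunk)
        if m is None:  # truncated record, such as the cut-off last line
            continue
        denials.append({"perms": m["perms"].split(), "comm": m["comm"],
                        "source_type": selinux_type(m["scontext"]),
                        "target_type": selinux_type(m["tcontext"]), "tclass": m["tclass"]})
    return denials

def domains_for(denials, comm):
    """Set of domains (source types) in which a command was denied."""
    return {d["source_type"] for d in denials if d["comm"] == comm}

if __name__ == "__main__":
    print(domains_for(parse_avc(SAMPLE), "wine-preloader"))
```

Both records have identical source and target contexts, so the denied permissions are ones the process requested on itself while still in the user's own domain.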




More information about the fedora-selinux-list mailing list