SELinux and Wine

Daniel J Walsh dwalsh at redhat.com
Fri Aug 7 10:46:04 UTC 2009


On 08/07/2009 06:39 AM, Daniel J Walsh wrote:
> On 08/06/2009 08:03 AM, Stephen Smalley wrote:
>> On Thu, 2009-08-06 at 00:15 -0400, Ryan Gandy wrote:
>>> Oops.  Hit the wrong button by mistake, here you go.  Whole stack of
>>> AVC denials.
>>>
>>> Aug  3 16:39:41 TechComm kernel: type=1400
>>> audit(1249331981.357:15701): avc:  denied  { mmap_zero } for  pid=3752
>>> comm="wine-preloader" scontext=staff_u:staff_r:
>>> staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
>>> tclass=memprotect
>>> Aug  3 16:39:41 TechComm kernel: type=1400
>>> audit(1249331981.357:15702): avc:  denied  { execmem } for  pid=3752
>>> comm="wine-preloader" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
>>> tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
>>> Aug  3 16:39:41 TechComm kernel: type=1400 
>> Hmm...so there is no transition defined from the confined user domains
>> to wine_t, only from unconfined_t.  That is likely intentional since
>> wine_t is unconfined under targeted policy (there is a
>> unconfined_domain_noaudit() call in wine.te).
>>
> If you build a policy with 
> 
> policy_module(mywine, 1.0)
> gen_require(`
> 	type staff_t;
> 	role staff_r;
> ')
> 
> wine_role(staff_t, staff_r)
> 
> You should be able to try out the staff_wine_t type.
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Of course wine_t is an unconfined_domain if you have not removed the unconfined module from policy.

If you do not want staff_t to be able to run unconfined domains and you have the unconfined module installed, you do not want to allow this transition.
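The denials quoted above show wine-preloader still running in staff_t (scontext equals tcontext), which is exactly what happens when no transition to a wine domain exists for that user domain. The following is an added example, not code from the thread: a small Python parser over those AVC records (embedded as a constructed sample, with the mail wrapping undone) that groups the denied permissions per process and domain and flags processes that did not land in the domain one expects. The expected-domain map passed to untransitioned() is an assumption for illustration, not anything the policy provides.

```python
import re
from collections import defaultdict

# Constructed sample: the two wine-preloader denials quoted in the thread,
# each AVC record rejoined onto a single line.
SAMPLE_AVC = (
    'Aug  3 16:39:41 TechComm kernel: type=1400 audit(1249331981.357:15701): '
    'avc:  denied  { mmap_zero } for  pid=3752 comm="wine-preloader" '
    'scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 '
    'tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=memprotect\n'
    'Aug  3 16:39:41 TechComm kernel: type=1400 audit(1249331981.357:15702): '
    'avc:  denied  { execmem } for  pid=3752 comm="wine-preloader" '
    'scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 '
    'tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process\n'
)

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs, quoted or bare

def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    rec['result'] = m.group('result')
    rec['perms'] = m.group('perms').split()
    return rec

def domain_of(context):
    """Type field of a context such as staff_u:staff_r:staff_t:s0-s0:c0.c1023."""
    parts = context.split(':')
    return parts[2] if len(parts) > 2 else context

def summarize_denials(text):
    """Map (comm, source domain) -> sorted list of 'tclass:permission' that was denied."""
    out = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied':
            key = (rec.get('comm', '?'), domain_of(rec.get('scontext', '')))
            out[key].update(f"{rec.get('tclass', '?')}:{p}" for p in rec['perms'])
    return {k: sorted(v) for k, v in out.items()}

def untransitioned(text, expected):
    """(comm, domain) pairs whose process ran outside the domains expected for that comm.
    `expected` maps comm -> set of acceptable domains (assumed by the caller)."""
    return sorted(key for key in summarize_denials(text)
                  if key[0] in expected and key[1] not in expected[key[0]])
```

A hit from untransitioned() means the binary was executed without the intended domain transition, so the denials belong to the calling user domain rather than to wine_t or a derived wine domain.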
