Confining a wine application

Göran Uddeborg goeran at
Tue Aug 11 18:45:28 UTC 2009

I'm running Spotify (a streaming music service,  They don't have a native Linux client, but
they recommend Linux users to use the Windows client under wine.  And
it does indeed work fine.

But I'm not completely comfortable with running this application
unconfined.  After all, it is a binary blob I download that does a lot
of network traffic.  Who knows what bugs it may contain?  So I was
considering if it would be able to write an SELinux policy module for
it, to confine it.

As it is a wine application, the binary that runs is wine.  For
obvious reasons, I do not want all wine applications to be confined by
this policy.

Is there some good way to do this?

One possible way, I guess, would be to write a small wrapper binary
that starts wine with Spotify, and make sure that program transitions
into some spotify_t domain.  This domain would not be allowed to
transition further into wine_t.  I could then implement the spotify
module as a stripped down version of the wine module.

I assume it would work, wouldn't it?  It would be slightly fragile, in
that I need to remember to not start spotify "directly", but always
use the wrapper.  Is there a better way to do this?  Has anybody else
made some efforts in confining specific wine applications?  Thoughts
and ideas are welcome!

More information about the fedora-selinux-list mailing list