1:57 p.m.
Hello,
I use FC11 64 bit and have the default (add/remove software) installation
for both SELinux and Wine. I've been trying to get my Windows programs to
run but see entries in my setroubleshoot log regarding Wine not being
cleared for "allow_execmem" or "mmap_zero." I'm not that
experienced with
it, but I gather enabling either of these would be a bad thing from what
I've already seen on google. Is there a way I can get Wine to run without
effectively disabling SELinux?
Regards,
Ryan
3:25 p.m.
On Tue, 2009-08-04 at 14:57 -0400, Ryan Gandy wrote:
Hello,
I use FC11 64 bit and have the default (add/remove software)
installation for both SELinux and Wine. I've been trying to get my
Windows programs to run but see entries in my setroubleshoot log
regarding Wine not being cleared for "allow_execmem" or "mmap_zero."
I'm not that experienced with it, but I gather enabling either of
these would be a bad thing from what I've already seen on google. Is
there a way I can get Wine to run without effectively disabling
SELinux?
For the most part? No. Wine does things which are bad for system
security. You can disable security just for wine (define wine as a
permissive domain using semanage) of you can allow the things it wants
using the booleans which I'm guessing setroubleshoot suggested.
You are much better off allowing the mmap_zero boolean than you are
setting the mmap_zero proc tunable to 0.
As for execmem I'm surprised that one isn't already being allowed, might
be a bug?
-Eric
7:58 a.m.
On Tue, 2009-08-04 at 14:57 -0400, Ryan Gandy wrote:
Hello,
I use FC11 64 bit and have the default (add/remove software)
installation for both SELinux and Wine. I've been trying to get my
Windows programs to run but see entries in my setroubleshoot log
regarding Wine not being cleared for "allow_execmem" or "mmap_zero."
I'm not that experienced with it, but I gather enabling either of
these would be a bad thing from what I've already seen on google. Is
there a way I can get Wine to run without effectively disabling
SELinux?
Post the actual avc denials. wine_t should already have the necessary
permissions. Sounds like you are running wine in unconfined_t instead?
--
Stephen Smalley
National Security Agency
4:41 p.m.
On 08/04/2009 02:57 PM, Ryan Gandy wrote:
Hello,
I use FC11 64 bit and have the default (add/remove software) installation
for both SELinux and Wine. I've been trying to get my Windows programs to
run but see entries in my setroubleshoot log regarding Wine not being
cleared for "allow_execmem" or "mmap_zero." I'm not that
experienced with
it, but I gather enabling either of these would be a bad thing from what
I've already seen on google. Is there a way I can get Wine to run without
effectively disabling SELinux?
Regards,
Ryan
------------------------------------------------------------------------
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
What is the wine
executables label
ls -lZ PATHTO/wine
11:15 p.m.
Oops. Hit the wrong button by mistake, here you go. Whole stack of AVC
denials.
Aug 3 16:39:41 TechComm kernel: type=1400 audit(1249331981.357:15701):
avc: denied { mmap_zero } for pid=3752 comm="wine-preloader"
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=memprotect
Aug 3 16:39:41 TechComm kernel: type=1400 audit(1249331981.357:15702):
avc: denied { execmem } for pid=3752 comm="wine-preloader"
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
Aug 3 16:39:41 TechComm kernel: type=1400 audit(1249331981.364:15703):
avc: denied { execmem } for pid=3752 comm="wine"
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
Aug 3 16:39:41 TechComm kernel: type=1400 audit(1249331981.448:15704):
avc: denied { execmem } for pid=3752 comm="wineboot.exe"
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
Aug 3 16:39:41 TechComm kernel: type=1400 audit(1249331981.448:15705):
avc: denied { execmem } for pid=3752 comm="wineboot.exe"
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
Aug 3 16:39:41 TechComm kernel: type=1400 audit(1249331981.463:15706):
avc: denied { execmem } for pid=3752 comm="wineboot.exe"
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
Aug 3 21:43:59 TechComm setroubleshoot: SELinux is preventing
wine-preloader (staff_t) "mmap_zero" staff_t. For complete SELinux messages.
run sealert -l b44029ea-892c-471b-a1b8-b8acaa833ed3
Aug 3 21:43:59 TechComm setroubleshoot: SELinux is preventing
wine-preloader (staff_t) "execmem" to <Unknown> (staff_t). For complete
SELinux messages. run sealert -l 3f98f29b-2c41-47a1-aec3-15daa0ad0456
Aug 3 21:44:00 TechComm setroubleshoot: SELinux is preventing wine
(staff_t) "execmem" to <Unknown> (staff_t). For complete SELinux
messages.
run sealert -l 3f98f29b-2c41-47a1-aec3-15daa0ad0456
Aug 3 21:44:00 TechComm setroubleshoot: SELinux is preventing
wine-preloader (staff_t) "mmap_zero" staff_t. For complete SELinux messages.
run sealert -l b44029ea-892c-471b-a1b8-b8acaa833ed3
Aug 3 21:44:01 TechComm setroubleshoot: SELinux is preventing
wine-preloader (staff_t) "execmem" to <Unknown> (staff_t). For complete
SELinux messages. run sealert -l 3f98f29b-2c41-47a1-aec3-15daa0ad0456
Aug 3 21:44:01 TechComm setroubleshoot: SELinux is preventing wine
(staff_t) "execmem" to <Unknown> (staff_t). For complete SELinux
messages.
run sealert -l 3f98f29b-2c41-47a1-aec3-15daa0ad0456
Aug 3 21:44:02 TechComm setroubleshoot: SELinux is preventing wineboot.exe
(staff_t) "execmem" to <Unknown> (staff_t). For complete SELinux
messages.
run sealert -l 3f98f29b-2c41-47a1-aec3-15daa0ad0456
Aug 3 21:44:02 TechComm setroubleshoot: SELinux is preventing wineboot.exe
(staff_t) "execmem" to <Unknown> (staff_t). For complete SELinux
messages.
run sealert -l 3f98f29b-2c41-47a1-aec3-15daa0ad0456
Aug 3 21:44:02 TechComm setroubleshoot: SELinux is preventing wineboot.exe
(staff_t) "execmem" to <Unknown> (staff_t). For complete SELinux
messages.
run sealert -l 3f98f29b-2c41-47a1-aec3-15daa0ad0456
Aug 3 21:44:03 TechComm setroubleshoot: SELinux is preventing wineboot.exe
(staff_t) "execmem" to <Unknown> (staff_t). For complete SELinux
messages.
run sealert -l 3f98f29b-2c41-47a1-aec3-15daa0ad0456
7:03 a.m.
On Thu, 2009-08-06 at 00:15 -0400, Ryan Gandy wrote:
Oops. Hit the wrong button by mistake, here you go. Whole stack of
AVC denials.
Aug 3 16:39:41 TechComm kernel: type=1400
audit(1249331981.357:15701): avc: denied { mmap_zero } for pid=3752
comm="wine-preloader" scontext=staff_u:staff_r:
staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tclass=memprotect
Aug 3 16:39:41 TechComm kernel: type=1400
audit(1249331981.357:15702): avc: denied { execmem } for pid=3752
comm="wine-preloader" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
Aug 3 16:39:41 TechComm kernel: type=1400
Hmm...so there is no transition defined from the confined user domains
to wine_t, only from unconfined_t. That is likely intentional since
wine_t is unconfined under targeted policy (there is a
unconfined_domain_noaudit() call in wine.te).
--
Stephen Smalley
National Security Agency
5:39 a.m.
On 08/06/2009 08:03 AM, Stephen Smalley wrote:
On Thu, 2009-08-06 at 00:15 -0400, Ryan Gandy wrote:
> Oops. Hit the wrong button by mistake, here you go. Whole stack of
> AVC denials.
>
> Aug 3 16:39:41 TechComm kernel: type=1400
> audit(1249331981.357:15701): avc: denied { mmap_zero } for pid=3752
> comm="wine-preloader" scontext=staff_u:staff_r:
> staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
> tclass=memprotect
> Aug 3 16:39:41 TechComm kernel: type=1400
> audit(1249331981.357:15702): avc: denied { execmem } for pid=3752
> comm="wine-preloader" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
> tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
> Aug 3 16:39:41 TechComm kernel: type=1400
Hmm...so there is no transition defined from the confined user domains
to wine_t, only from unconfined_t. That is likely intentional since
wine_t is unconfined under targeted policy (there is a
unconfined_domain_noaudit() call in wine.te).
If you build a policy with
policy_module(mywine, 1.0)
gen_require(`
type staff_t;
role staff_r;
')
wine_role(staff_t, staff_r)
You should be able to try out the staff_wine_t type.
5:46 a.m.
On 08/07/2009 06:39 AM, Daniel J Walsh wrote:
On 08/06/2009 08:03 AM, Stephen Smalley wrote:
> On Thu, 2009-08-06 at 00:15 -0400, Ryan Gandy wrote:
>> Oops. Hit the wrong button by mistake, here you go. Whole stack of
>> AVC denials.
>>
>> Aug 3 16:39:41 TechComm kernel: type=1400
>> audit(1249331981.357:15701): avc: denied { mmap_zero } for pid=3752
>> comm="wine-preloader" scontext=staff_u:staff_r:
>> staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
>> tclass=memprotect
>> Aug 3 16:39:41 TechComm kernel: type=1400
>> audit(1249331981.357:15702): avc: denied { execmem } for pid=3752
>> comm="wine-preloader" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
>> tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
>> Aug 3 16:39:41 TechComm kernel: type=1400
> Hmm...so there is no transition defined from the confined user domains
> to wine_t, only from unconfined_t. That is likely intentional since
> wine_t is unconfined under targeted policy (there is a
> unconfined_domain_noaudit() call in wine.te).
>
If you build a policy with
policy_module(mywine, 1.0)
gen_require(`
type staff_t;
role staff_r;
')
wine_role(staff_t, staff_r)
You should be able to try out the staff_wine_t type.
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Of course wine_t is an unconfined_domain if you have not removed the unoconfined module
from policy.
If you do not want staff_t to be able to run unconfined domains and you have the
unconfined module installed, you do not want to allow this transition.
5375
days inactive
5378
days old
selinux@lists.fedoraproject.org
7 comments
4 participants
participants (4)
-
Daniel J Walsh -
Eric Paris -
Ryan Anthony -
Stephen Smalley