On 08/06/2009 08:03 AM, Stephen Smalley wrote:
On Thu, 2009-08-06 at 00:15 -0400, Ryan Gandy wrote:
> Oops. Hit the wrong button by mistake, here you go. Whole stack of
> AVC denials.
>
> Aug 3 16:39:41 TechComm kernel: type=1400
> audit(1249331981.357:15701): avc: denied { mmap_zero } for pid=3752
> comm="wine-preloader" scontext=staff_u:staff_r:
> staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
> tclass=memprotect
> Aug 3 16:39:41 TechComm kernel: type=1400
> audit(1249331981.357:15702): avc: denied { execmem } for pid=3752
> comm="wine-preloader" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
> tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
> Aug 3 16:39:41 TechComm kernel: type=1400
Hmm...so there is no transition defined from the confined user domains
to wine_t, only from unconfined_t. That is likely intentional since
wine_t is unconfined under targeted policy (there is a
unconfined_domain_noaudit() call in wine.te).
If you build a policy with
policy_module(mywine, 1.0)
gen_require(`
type staff_t;
role staff_r;
')
wine_role(staff_t, staff_r)
You should be able to try out the staff_wine_t type.