wine preloader? being denied by selinux

Daniel J Walsh dwalsh at redhat.com
Thu Sep 2 12:08:18 UTC 2010



On 09/02/2010 03:58 AM, Dominick Grift wrote:
> On Wed, Sep 01, 2010 at 08:36:22PM -0400, Genes MailLists wrote:
>> On 09/01/2010 07:24 PM, Dominick Grift wrote:
>>> On Wed, Sep 01, 2010 at 03:49:14PM -0700, Antonio Olivares wrote:
>>
>>   ..
>>
>>>>
>>>> Fix Command:
>>>>
>>>> /usr/sbin/setsebool -P mmap_low_allowed 1
>>>>
>>>
>>> There is a boolean that one can toggle to silently deny this access vector:
>>>
>>> setsebool -P wine_mmap_zero_ignore on
>>>
>>> Again, this will not allow wine to mmap low (which is a dangerous ability), but instead it will hide attempts by wine to do so.
>>
>>
>>   It would feel a lot less worrisome if the prev bool was restricted to
>> wine only in case of need:
>>
>>   setsebool -P wine_mmap_low_allowed 1
>>
>>   instead of mmap_low_allowed
> 
> It is not like every process is allowed to mmap low when mmap_low_allowed is set to true.
> 
> Only a few domains are tagged to be allowed this access:
> 
> vbetool
> wine
> unconfined domains
> 
> As for unconfined domains: it makes sense that these domains have "unconfined" access. You can remove the unconfined module though. That would turn the unconfined domains into confined domains, and thus if you do that then only vbetool and wine will be allowed to mmap low if you set mmap_low_allowed to true.
> 
>>
>>   gene/
>>
>>
>> --
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
It is not that simple.  You really have to turn off the unconfineduser
also, since the unconfined user is allowed to relabel a file to
wine_exec_t or vbetool_exec_t to get this access.


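The audit the thread implies, as an added example that is not code from the thread, from Fedora or from the SELinux project: it lists which domains actually get the mmap_zero permission under the current value of mmap_low_allowed, which domains have their denials silenced by a dontaudit rule (the wine_mmap_zero_ignore behaviour), whether the unconfined modules are still loaded, and whether unconfined_t can relabel a file to wine_exec_t or vbetool_exec_t, which is the path Dan Walsh points out. The parsing functions read sesearch output from stdin and assume the setools 4 output format (`allow a b:class perm; [ bool ]:True`); the SAMPLE_RULES text is constructed to mirror the domains named in the thread, not captured from a real policy. The live audit assumes sesearch, getsebool and semodule are installed and is only run with `--live`.

```shell
#!/bin/sh
# Added example, not from the thread or from the SELinux project.
# Audits who can reach the mmap_zero permission ("mmap low" in the thread)
# and whether the boolean gate can be sidestepped by relabeling a binary
# to wine_exec_t / vbetool_exec_t. Parsing assumes setools 4 sesearch output.

# Constructed sesearch output (setools 4 formatting), mirroring the thread:
# three domains gated by mmap_low_allowed, one dontaudit gated by
# wine_mmap_zero_ignore. Not captured from a real system.
SAMPLE_RULES='allow vbetool_t vbetool_t:memprotect mmap_zero; [ mmap_low_allowed ]:True
allow wine_t wine_t:memprotect mmap_zero; [ mmap_low_allowed ]:True
allow unconfined_t unconfined_t:memprotect mmap_zero; [ mmap_low_allowed ]:True
dontaudit wine_t wine_t:memprotect mmap_zero; [ wine_mmap_zero_ignore ]:True'

# stdin: sesearch output. Prints "kind domain condition" per mmap_zero rule,
# e.g. "allow wine_t mmap_low_allowed:True". Unconditional rules get the
# condition "unconditional".
mmap_zero_rules() {
    awk '($1 == "allow" || $1 == "dontaudit") && /mmap_zero/ {
        cond = "unconditional"
        if (match($0, /\[ [^]]* \]:(True|False)/)) {
            cond = substr($0, RSTART, RLENGTH)
            gsub(/[][ ]/, "", cond)   # "[ b ]:True" -> "b:True"
        }
        print $1, $2, cond
    }'
}

# stdin: sesearch output. $1 is "on" or "off", the current value of
# mmap_low_allowed. Prints the domains that can map address zero right now.
effective_mmap_zero_domains() {
    state="$1"
    mmap_zero_rules | awk -v state="$state" '
        $1 != "allow" { next }
        $3 == "unconditional" { print $2; next }
        {
            split($3, c, ":")
            if (c[1] == "mmap_low_allowed" &&
                ((state == "on" && c[2] == "True") ||
                 (state == "off" && c[2] == "False")))
                print $2
        }'
}

# stdin: sesearch output. Prints domains whose mmap_zero denials are hidden
# by a dontaudit rule, i.e. the wine_mmap_zero_ignore behaviour.
silenced_mmap_zero_domains() {
    mmap_zero_rules | awk '$1 == "dontaudit" { print $2 }'
}

# Live audit against the running policy; each step maps to a point made in
# the thread. Requires setools (sesearch), getsebool and semodule.
audit_live() {
    command -v sesearch >/dev/null 2>&1 || { echo "sesearch not installed"; return 1; }
    echo "== booleans"
    getsebool mmap_low_allowed wine_mmap_zero_ignore
    state=$(getsebool mmap_low_allowed | awk '{ print $NF }')
    echo "== domains that can mmap_zero now (mmap_low_allowed=$state)"
    sesearch -A -p mmap_zero | effective_mmap_zero_domains "$state" | sort -u
    echo "== domains whose mmap_zero denials are silenced"
    sesearch -D -p mmap_zero | silenced_mmap_zero_domains | sort -u
    echo "== unconfined modules still loaded (both must go to close the gate)"
    semodule -l | grep -E '^unconfined(user)?([[:space:]]|$)' || echo "none"
    echo "== can unconfined_t relabel a file into a gated domain's entry type?"
    for t in wine_exec_t vbetool_exec_t; do
        if sesearch -A -s unconfined_t -t "$t" -c file -p relabelto | grep -q '^allow'; then
            echo "yes: chcon -t $t <binary> puts that binary on the mmap_zero path"
        else
            echo "no: $t is not reachable by relabel from unconfined_t"
        fi
    done
}

if [ "${1:-}" = "--live" ]; then
    audit_live
fi
```

Run it as `sh audit-mmap-zero.sh --live` on an SELinux host to see the real answer; without `--live` only the parsing functions are defined, so the constructed sample can be piped through them offline. Note that `sesearch -t wine_exec_t` also matches rules whose target is an attribute containing wine_exec_t, which is exactly how the unconfined relabel permission is usually granted, so a `yes` there means the boolean is only as strong as the unconfined modules being absent.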

