Summary: | can't run wine on -9999 policies | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Amadeusz Sławiński <amade> |
Component: | SELinux | Assignee: | SE Linux Bugs <selinux> |
Status: | UNCONFIRMED --- | ||
Severity: | normal | ||
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- |
Description
Amadeusz Sławiński
2013-01-19 20:24:57 UTC
I think behaviour was changed with this commit: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commitdiff;h=73600f7dad522a0d5fca9a68d3d32e51e05b4a23

After adding

policy_module(winerole, 1.0.0)
require {
    type staff_t;
    role staff_r;
}
wine_role(staff_r, staff_t)

It can access .wine but still can't start

% wine notepad
wine: could not exec the wine loader

But I can cd into ~/.wine now

Enforcing:
Jan 20 16:54:49 lain kernel: [ 3368.846604] type=1400 audit(1358697289.639:400): avc: denied { search } for pid=32748 comm="wine" name="bin" dev="dm-0" ino=12058934 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:bin_t tclass=dir
Jan 20 16:54:49 lain kernel: [ 3368.846633] type=1400 audit(1358697289.639:401): avc: denied { search } for pid=32748 comm="wine" name="bin" dev="dm-0" ino=12058934 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:bin_t tclass=dir
Jan 20 16:54:49 lain kernel: [ 3368.846655] type=1400 audit(1358697289.639:402): avc: denied { search } for pid=32748 comm="wine" name="bin" dev="dm-0" ino=12058934 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:bin_t tclass=dir
Jan 20 16:54:49 lain kernel: [ 3368.846676] type=1400 audit(1358697289.639:403): avc: denied { search } for pid=32748 comm="wine" name="bin" dev="dm-0" ino=12058934 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:bin_t tclass=dir
Jan 20 16:54:49 lain kernel: [ 3368.846697] type=1400 audit(1358697289.639:404): avc: denied { search } for pid=32748 comm="wine" name="bin" dev="dm-0" ino=12058934 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:bin_t tclass=dir
Jan 20 16:54:49 lain kernel: [ 3368.846718] type=1400 audit(1358697289.639:405): avc: denied { search } for pid=32748 comm="wine" name="bin" dev="dm-0" ino=12058934 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:bin_t tclass=dir
Jan 20 16:54:49 lain kernel: [ 3368.846738] type=1400 audit(1358697289.639:406): avc: denied { search } for pid=32748 comm="wine" name="bin" dev="dm-0" ino=12058934 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:bin_t tclass=dir
Jan 20 16:54:49 lain kernel: [ 3368.846759] type=1400 audit(1358697289.639:407): avc: denied { search } for pid=32748 comm="wine" name="bin" dev="dm-0" ino=12058934 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:bin_t tclass=dir
Jan 20 16:54:49 lain kernel: [ 3368.846779] type=1400 audit(1358697289.639:408): avc: denied { search } for pid=32748 comm="wine" name="bin" dev="dm-0" ino=12058934 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:bin_t tclass=dir

Permissive:
Jan 20 16:55:11 lain kernel: [ 3390.879784] type=1400 audit(1358697311.716:446): avc: denied { setrlimit } for pid=527 comm="wine" scontext=staff_u:staff_r:wine_t tcontext=staff_u:staff_r:wine_t tclass=process
Jan 20 16:55:11 lain kernel: [ 3390.881942] type=1400 audit(1358697311.718:447): avc: denied { create } for pid=527 comm="wine" scontext=staff_u:staff_r:wine_t tcontext=staff_u:staff_r:wine_t tclass=unix_stream_socket
Jan 20 16:55:11 lain kernel: [ 3390.881982] type=1400 audit(1358697311.718:448): avc: denied { connect } for pid=527 comm="wine" scontext=staff_u:staff_r:wine_t tcontext=staff_u:staff_r:wine_t tclass=unix_stream_socket
Jan 20 16:55:11 lain kernel: [ 3390.882189] type=1400 audit(1358697311.718:449): avc: denied { read } for pid=527 comm="wine" name="nsswitch.conf" dev="dm-0" ino=7616981 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:etc_t tclass=file
Jan 20 16:55:11 lain kernel: [ 3390.882210] type=1400 audit(1358697311.718:450): avc: denied { open } for pid=527 comm="wine" path="/etc/nsswitch.conf" dev="dm-0" ino=7616981 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:etc_t tclass=file
Jan 20 16:55:11 lain kernel: [ 3390.882253] type=1400 audit(1358697311.718:451): avc: denied { getattr } for pid=527 comm="wine" path="/etc/nsswitch.conf" dev="dm-0" ino=7616981 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:etc_t tclass=file
Jan 20 16:55:11 lain kernel: [ 3390.883297] type=1400 audit(1358697311.719:452): avc: denied { getattr } for pid=527 comm="wine" path="/home/amade/.wine" dev="dm-0" ino=21890026 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:wine_home_t tclass=dir
Jan 20 16:55:11 lain kernel: [ 3390.883388] type=1400 audit(1358697311.719:453): avc: denied { search } for pid=527 comm="wine" name=".wine" dev="dm-0" ino=21890026 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:wine_home_t tclass=dir
Jan 20 16:55:11 lain kernel: [ 3390.883525] type=1400 audit(1358697311.719:454): avc: denied { getattr } for pid=527 comm="wine" path="/tmp/.wine-1000/server-fd00-14e03ea" dev="dm-0" ino=10756709 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Jan 20 16:55:18 lain kernel: [ 3397.936055] type=1400 audit(1358697318.786:527): avc: denied { signal } for pid=532 comm="wineserver" scontext=staff_u:staff_r:wine_t tcontext=staff_u:staff_r:wine_t tclass=process
Jan 20 16:55:18 lain kernel: [ 3397.937921] type=1400 audit(1358697318.788:528): avc: denied { write } for pid=532 comm="wineserver" name=".wine" dev="dm-0" ino=21890026 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:wine_home_t tclass=dir
Jan 20 16:55:18 lain kernel: [ 3397.937931] type=1400 audit(1358697318.788:529): avc: denied { add_name } for pid=532 comm="wineserver" name="reg2140000.tmp" scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:wine_home_t tclass=dir
Jan 20 16:55:18 lain kernel: [ 3397.937951] type=1400 audit(1358697318.788:530): avc: denied { create } for pid=532 comm="wineserver" name="reg2140000.tmp" scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:wine_home_t tclass=file
Jan 20 16:55:18 lain kernel: [ 3397.959648] type=1400 audit(1358697318.809:531): avc: denied { remove_name } for pid=532 comm="wineserver" name="reg2140000.tmp" dev="dm-0" ino=21892350 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:wine_home_t tclass=dir
Jan 20 16:55:18 lain kernel: [ 3397.959658] type=1400 audit(1358697318.809:532): avc: denied { rename } for pid=532 comm="wineserver" name="reg2140000.tmp" dev="dm-0" ino=21892350 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:wine_home_t tclass=file
Jan 20 16:55:18 lain kernel: [ 3397.959674] type=1400 audit(1358697318.809:533): avc: denied { unlink } for pid=532 comm="wineserver" name="system.reg" dev="dm-0" ino=21889746 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:wine_home_t tclass=file
Jan 20 16:55:18 lain kernel: [ 3397.966707] type=1400 audit(1358697318.817:534): avc: denied { remove_name } for pid=532 comm="wineserver" name="socket" dev="dm-0" ino=10756711 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Jan 20 16:55:18 lain kernel: [ 3397.966724] type=1400 audit(1358697318.817:535): avc: denied { unlink } for pid=532 comm="wineserver" name="socket" dev="dm-0" ino=10756711 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:user_tmp_t tclass=sock_file

Can you try with (and expand as necessary) the following? Looks like the upstream change is indeed not that ready yet...

"""
allow wine_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow wine_t self:process signal;
manage_files_pattern(wine_t, wine_home_t, wine_home_t)
manage_dirs_pattern(wine_t, wine_home_t, wine_home_t)
corecmd_exec_bin(wine_t)
files_read_etc_files(wine_t)
"""

This one got a bit of my list of things, but here I'm again.

With:

policy_module(winerole, 1.0.0)
require {
    type staff_t;
    role staff_r;
    type wine_t;
    type wine_home_t;
    type wine_tmp_t;
    type locale_t;
}
wine_role(staff_r, staff_t)
allow wine_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow wine_t self:process signal;
manage_files_pattern(wine_t, wine_home_t, wine_home_t)
manage_dirs_pattern(wine_t, wine_home_t, wine_home_t)
corecmd_exec_bin(wine_t)
files_read_etc_files(wine_t)

wine notepad.exe command gives in enforcing:
Apr 3 21:08:25 lain kernel: [ 1735.497832] type=1400 audit(1365016105.791:188): avc: denied { setrlimit } for pid=6966 comm="wine" scontext=staff_u:staff_r:wine_t tcontext=staff_u:staff_r:wine_t tclass=process
Apr 3 21:08:26 lain kernel: [ 1735.791843] type=1400 audit(1365016106.085:189): avc: denied { create } for pid=6969 comm="wineserver" name="socket" scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:wine_tmp_t tclass=sock_file

In permissive:
Apr 3 21:11:11 lain kernel: [ 1900.505416] type=1400 audit(1365016271.126:263): avc: denied { setrlimit } for pid=7465 comm="wine" scontext=staff_u:staff_r:wine_t tcontext=staff_u:staff_r:wine_t tclass=process
Apr 3 21:11:11 lain kernel: [ 1900.508781] type=1400 audit(1365016271.129:264): avc: denied { getattr } for pid=7465 comm="wine" path="/tmp/.wine-1000/server-fc00-14e03ea/socket" dev="dm-0" ino=11010154 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:wine_tmp_t tclass=sock_file
Apr 3 21:11:11 lain kernel: [ 1900.508850] type=1400 audit(1365016271.129:265): avc: denied { write } for pid=7465 comm="wine" name="socket" dev="dm-0" ino=11010154 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:wine_tmp_t tclass=sock_file
Apr 3 21:11:11 lain kernel: [ 1900.611879] type=1400 audit(1365016271.232:266): avc: denied { unlink } for pid=7468 comm="wineserver" name="socket" dev="dm-0" ino=11010154 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:wine_tmp_t tclass=sock_file
Apr 3 21:11:11 lain kernel: [ 1900.611940] type=1400 audit(1365016271.232:267): avc: denied { create } for pid=7468 comm="wineserver" name="socket" scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:wine_tmp_t tclass=sock_file
Apr 3 21:11:11 lain kernel: [ 1900.611987] type=1400 audit(1365016271.232:268): avc: denied { setattr } for pid=7468 comm="wineserver" name="socket" dev="dm-0" ino=11010154 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:wine_tmp_t tclass=sock_file
Apr 3 21:11:11 lain kernel: [ 1900.666633] type=1400 audit(1365016271.287:269): avc: denied { getsched } for pid=7468 comm="wineserver" scontext=staff_u:staff_r:wine_t tcontext=staff_u:staff_r:wine_t tclass=process
Apr 3 21:11:11 lain kernel: [ 1900.666820] type=1400 audit(1365016271.287:270): avc: denied { read } for pid=7465 comm="wine" name="online" dev="sysfs" ino=36 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:sysfs_t tclass=file
Apr 3 21:11:11 lain kernel: [ 1900.666833] type=1400 audit(1365016271.287:271): avc: denied { open } for pid=7465 comm="wine" path="/sys/devices/system/cpu/online" dev="sysfs" ino=36 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:sysfs_t tclass=file
Apr 3 21:11:11 lain kernel: [ 1900.667769] type=1400 audit(1365016271.288:272): avc: denied { read } for pid=7465 comm="wine" name="locale" dev="dm-0" ino=12058633 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:locale_t tclass=lnk_file

After additionally allowing:

allow wine_t wine_tmp_t:sock_file { create setattr getattr write unlink };

Enforcing:
Apr 3 21:12:51 lain kernel: [ 2000.659511] type=1400 audit(1365016371.479:332): avc: denied { setrlimit } for pid=7789 comm="wine" scontext=staff_u:staff_r:wine_t tcontext=staff_u:staff_r:wine_t tclass=process
Apr 3 21:12:51 lain kernel: [ 2000.719425] type=1400 audit(1365016371.539:333): avc: denied { getsched } for pid=7792 comm="wineserver" scontext=staff_u:staff_r:wine_t tcontext=staff_u:staff_r:wine_t tclass=process
Apr 3 21:12:51 lain kernel: [ 2000.719592] type=1400 audit(1365016371.539:334): avc: denied { read } for pid=7789 comm="wine" name="online" dev="sysfs" ino=36 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:sysfs_t tclass=file
Apr 3 21:12:51 lain kernel: [ 2000.719636] type=1400 audit(1365016371.539:335): avc: denied { read } for pid=7789 comm="wine" name="stat" dev="proc" ino=4026532040 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:proc_t tclass=file
Apr 3 21:12:51 lain kernel: [ 2000.719655] type=1400 audit(1365016371.539:336): avc: denied { read } for pid=7789 comm="wine" name="cpuinfo" dev="proc" ino=4026532035 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:proc_t tclass=file
Apr 3 21:12:51 lain kernel: [ 2000.720658] type=1400 audit(1365016371.540:337): avc: denied { read } for pid=7789 comm="wine" name="locale" dev="dm-0" ino=12058633 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:locale_t tclass=lnk_file
Apr 3 21:12:51 lain kernel: [ 2000.720693] type=1400 audit(1365016371.540:338): avc: denied { search } for pid=7789 comm="wine" name="locale" dev="dm-0" ino=12069406 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:locale_t tclass=dir
Apr 3 21:12:51 lain kernel: [ 2000.720726] type=1400 audit(1365016371.540:339): avc: denied { read } for pid=7789 comm="wine" name="locale" dev="dm-0" ino=12058633 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:locale_t tclass=lnk_file
Apr 3 21:12:51 lain kernel: [ 2000.720741] type=1400 audit(1365016371.540:340): avc: denied { read } for pid=7789 comm="wine" name="locale" dev="dm-0" ino=12058633 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:locale_t tclass=lnk_file
Apr 3 21:12:51 lain kernel: [ 2000.720754] type=1400 audit(1365016371.540:341): avc: denied { read } for pid=7789 comm="wine" name="locale" dev="dm-0" ino=12058633 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:locale_t tclass=lnk_file

Permissive:
Apr 3 21:15:14 lain kernel: [ 2143.224284] type=1400 audit(1365016514.326:1254): avc: denied { setrlimit } for pid=8115 comm="wine" scontext=staff_u:staff_r:wine_t tcontext=staff_u:staff_r:wine_t tclass=process
Apr 3 21:15:14 lain kernel: [ 2143.286672] type=1400 audit(1365016514.389:1255): avc: denied { getsched } for pid=8118 comm="wineserver" scontext=staff_u:staff_r:wine_t tcontext=staff_u:staff_r:wine_t tclass=process
Apr 3 21:15:14 lain kernel: [ 2143.286838] type=1400 audit(1365016514.389:1256): avc: denied { read } for pid=8115 comm="wine" name="online" dev="sysfs" ino=36 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:sysfs_t tclass=file
Apr 3 21:15:14 lain kernel: [ 2143.286850] type=1400 audit(1365016514.389:1257): avc: denied { open } for pid=8115 comm="wine" path="/sys/devices/system/cpu/online" dev="sysfs" ino=36 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:sysfs_t tclass=file
Apr 3 21:15:14 lain kernel: [ 2143.287796] type=1400 audit(1365016514.390:1258): avc: denied { read } for pid=8115 comm="wine" name="locale" dev="dm-0" ino=12058633 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:locale_t tclass=lnk_file
Apr 3 21:15:14 lain kernel: [ 2143.287816] type=1400 audit(1365016514.390:1259): avc: denied { search } for pid=8115 comm="wine" name="locale" dev="dm-0" ino=12071458 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:locale_t tclass=dir
Apr 3 21:15:14 lain kernel: [ 2143.287831] type=1400 audit(1365016514.390:1260): avc: denied { read } for pid=8115 comm="wine" name="locale-archive" dev="dm-0" ino=12059959 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:locale_t tclass=file
Apr 3 21:15:14 lain kernel: [ 2143.287839] type=1400 audit(1365016514.390:1261): avc: denied { open } for pid=8115 comm="wine" path="/usr/lib64/locale/locale-archive" dev="dm-0" ino=12059959 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:locale_t tclass=file
Apr 3 21:15:14 lain kernel: [ 2143.287849] type=1400 audit(1365016514.390:1262): avc: denied { getattr } for pid=8115 comm="wine" path="/usr/lib64/locale/locale-archive" dev="dm-0" ino=12059959 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:locale_t tclass=file
Apr 3 21:15:14 lain kernel: [ 2143.288253] type=1400 audit(1365016514.390:1263): avc: denied { read } for pid=8115 comm="wine" name="scsi" dev="proc" ino=4026531968 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:proc_t tclass=file

So... what are the policy rules that you think are needed now?

From the comments, I gather the following:

#v+
allow wine_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow wine_t self:process signal;
manage_files_pattern(wine_t, wine_home_t, wine_home_t)
manage_dirs_pattern(wine_t, wine_home_t, wine_home_t)
allow wine_t wine_tmp_t:sock_file { create setattr getattr write unlink };
corecmd_exec_bin(wine_t)
files_read_etc_files(wine_t)
#v-

From the latest denials, this should probably include the following as well:

#v+
allow wine_t self:process { setrlimit getsched };
miscfiles_read_localization(wine_t)
#v-

policy_module(winerole, 1.0.0)
require {
    type staff_t;
    role staff_r;
    type wine_t;
    type wine_home_t;
    type wine_tmp_t;
    type locale_t;
}
wine_role(staff_r, staff_t)
allow wine_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow wine_t self:process signal;
manage_files_pattern(wine_t, wine_home_t, wine_home_t)
manage_dirs_pattern(wine_t, wine_home_t, wine_home_t)
allow wine_t wine_tmp_t:sock_file { create setattr getattr write unlink };
corecmd_exec_bin(wine_t)
files_read_etc_files(wine_t)
allow wine_t self:process { setrlimit getsched };
miscfiles_read_localization(wine_t)

% ls -lZ .wine/dosdevices
total 0
lrwxrwxrwx. 1 amade amade staff_u:object_r:wine_home_t 10 Dec 26 20:23 c: -> ../drive_c
lrwxrwxrwx. 1 amade amade staff_u:object_r:wine_home_t 10 Jan 22 22:58 d: -> /mnt/cdrom
lrwxrwxrwx. 1 amade amade staff_u:object_r:wine_home_t 8 Dec 26 20:23 e:: -> /dev/sdb
lrwxrwxrwx. 1 amade amade staff_u:object_r:wine_home_t 1 Dec 26 20:23 z: -> /

Enforcing:
Apr 11 21:34:59 localhost kernel: [26089.471968] type=1400 audit(1365708899.084:1141): avc: denied { read } for pid=9934 comm="wine" name="online" dev="sysfs" ino=36 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:sysfs_t tclass=file
Apr 11 21:34:59 localhost kernel: [26089.472046] type=1400 audit(1365708899.084:1142): avc: denied { read } for pid=9934 comm="wine" name="stat" dev="proc" ino=4026532040 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:proc_t tclass=file
Apr 11 21:34:59 localhost kernel: [26089.472088] type=1400 audit(1365708899.084:1143): avc: denied { read } for pid=9934 comm="wine" name="cpuinfo" dev="proc" ino=4026532035 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:proc_t tclass=file
Apr 11 21:34:59 localhost kernel: [26089.474144] type=1400 audit(1365708899.086:1144): avc: denied { read } for pid=9934 comm="wine" name="scsi" dev="proc" ino=4026531968 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:proc_t tclass=file
Apr 11 21:34:59 localhost kernel: [26089.476191] type=1400 audit(1365708899.088:1145): avc: denied { read } for pid=9934 comm="wine" name="c:" dev="dm-0" ino=21890029 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:wine_home_t tclass=lnk_file
Apr 11 21:34:59 localhost kernel: [26089.476205] type=1400 audit(1365708899.088:1146): avc: denied { read } for pid=9934 comm="wine" name="c:" dev="dm-0" ino=21890029 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:wine_home_t tclass=lnk_file
Apr 11 21:34:59 localhost kernel: [26089.476227] type=1400 audit(1365708899.088:1147): avc: denied { read } for pid=9934 comm="wine" name="c:" dev="dm-0" ino=21890029 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:wine_home_t tclass=lnk_file
Apr 11 21:34:59 localhost kernel: [26089.476238] type=1400 audit(1365708899.088:1148): avc: denied { read } for pid=9934 comm="wine" name="c:" dev="dm-0" ino=21890029 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:wine_home_t tclass=lnk_file
Apr 11 21:34:59 localhost kernel: [26089.476295] type=1400 audit(1365708899.088:1149): avc: denied { read } for pid=9934 comm="wine" name="c:" dev="dm-0" ino=21890029 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:wine_home_t tclass=lnk_file
Apr 11 21:34:59 localhost kernel: [26089.476310] type=1400 audit(1365708899.088:1150): avc: denied { read } for pid=9934 comm="wine" name="c:" dev="dm-0" ino=21890029 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:wine_home_t tclass=lnk_file

Permissive:
Apr 11 21:35:24 localhost kernel: [26114.740385] type=1400 audit(1365708924.403:2039): avc: denied { read } for pid=10010 comm="wine" name="online" dev="sysfs" ino=36 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:sysfs_t tclass=file
Apr 11 21:35:24 localhost kernel: [26114.740400] type=1400 audit(1365708924.403:2040): avc: denied { open } for pid=10010 comm="wine" path="/sys/devices/system/cpu/online" dev="sysfs" ino=36 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:sysfs_t tclass=file
Apr 11 21:35:24 localhost kernel: [26114.741828] type=1400 audit(1365708924.404:2041): avc: denied { read } for pid=10010 comm="wine" name="scsi" dev="proc" ino=4026531968 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:proc_t tclass=file
Apr 11 21:35:24 localhost kernel: [26114.741842] type=1400 audit(1365708924.404:2042): avc: denied { open } for pid=10010 comm="wine" path="/proc/scsi/scsi" dev="proc" ino=4026531968 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:proc_t tclass=file
Apr 11 21:35:24 localhost kernel: [26114.741863] type=1400 audit(1365708924.404:2043): avc: denied { getattr } for pid=10010 comm="wine" path="/proc/scsi/scsi" dev="proc" ino=4026531968 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:proc_t tclass=file
Apr 11 21:35:24 localhost kernel: [26114.745372] type=1400 audit(1365708924.408:2044): avc: denied { read } for pid=10010 comm="wine" name="c:" dev="dm-0" ino=21890029 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:wine_home_t tclass=lnk_file
Apr 11 21:35:24 localhost kernel: [26114.745489] type=1400 audit(1365708924.408:2045): avc: denied { search } for pid=10010 comm="wine" name="mnt" dev="dm-0" ino=28180481 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:mnt_t tclass=dir
Apr 11 21:35:24 localhost kernel: [26114.745500] type=1400 audit(1365708924.408:2046): avc: denied { getattr } for pid=10010 comm="wine" path="/mnt/cdrom" dev="dm-0" ino=28180484 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:mnt_t tclass=dir
Apr 11 21:35:24 localhost kernel: [26114.745637] type=1400 audit(1365708924.408:2047): avc: denied { getattr } for pid=10013 comm="wineserver" name="/" dev="dm-0" ino=2 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:fs_t tclass=filesystem
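
The denial lists posted in this thread can be collapsed into candidate allow rules by grouping on source type, target type and object class, which is the step audit2allow automates. The following Python is an added example, not part of the bug report or of the policy project; the function names are hypothetical, and the sample lines are copied from the comments above.

```python
import re
from collections import defaultdict

# Fields of a kernel AVC denial that determine the resulting rule.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Sample denials copied from the comments in this bug report
# (the last two differ only in timestamp and audit serial).
SAMPLE_LOG = [
    'Apr 3 21:12:51 lain kernel: [ 2000.659511] type=1400 audit(1365016371.479:332): avc: denied { setrlimit } for pid=7789 comm="wine" scontext=staff_u:staff_r:wine_t tcontext=staff_u:staff_r:wine_t tclass=process',
    'Apr 3 21:12:51 lain kernel: [ 2000.719425] type=1400 audit(1365016371.539:333): avc: denied { getsched } for pid=7792 comm="wineserver" scontext=staff_u:staff_r:wine_t tcontext=staff_u:staff_r:wine_t tclass=process',
    'Apr 3 21:15:14 lain kernel: [ 2143.286838] type=1400 audit(1365016514.389:1256): avc: denied { read } for pid=8115 comm="wine" name="online" dev="sysfs" ino=36 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:sysfs_t tclass=file',
    'Apr 3 21:15:14 lain kernel: [ 2143.286850] type=1400 audit(1365016514.389:1257): avc: denied { open } for pid=8115 comm="wine" path="/sys/devices/system/cpu/online" dev="sysfs" ino=36 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:sysfs_t tclass=file',
    'Apr 3 21:12:51 lain kernel: [ 2000.720658] type=1400 audit(1365016371.540:337): avc: denied { read } for pid=7789 comm="wine" name="locale" dev="dm-0" ino=12058633 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:locale_t tclass=lnk_file',
    'Apr 3 21:12:51 lain kernel: [ 2000.720726] type=1400 audit(1365016371.540:339): avc: denied { read } for pid=7789 comm="wine" name="locale" dev="dm-0" ino=12058633 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:locale_t tclass=lnk_file',
]


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {context!r}")
    return parts[2]


def parse_denials(lines):
    """Yield (source_type, target_type, tclass, perms) per AVC denial line."""
    for line in lines:
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial; ignore other kernel messages
        yield (type_of(m["scontext"]), type_of(m["tcontext"]),
               m["tclass"], m["perms"].split())


def candidate_rules(lines):
    """Merge repeated denials into one raw allow rule per (source, target, class)."""
    merged = defaultdict(set)
    for src, tgt, tclass, perms in parse_denials(lines):
        merged[(src, tgt, tclass)].update(perms)
    rules = []
    for (src, tgt, tclass), perms in sorted(merged.items()):
        target = "self" if src == tgt else tgt  # same type on both sides
        ordered = sorted(perms)
        text = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
        rules.append(f"allow {src} {target}:{tclass} {text};")
    return rules


if __name__ == "__main__":
    for rule in candidate_rules(SAMPLE_LOG):
        print(rule)
```

The result is a list of raw allow rules to review, not a finished module: the thread itself covers the `locale_t` denials with the interface `miscfiles_read_localization(wine_t)` rather than a per-class rule. Enforcing-mode logs also stop at the first blocked access, so the permissive-mode list is the more complete input.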