| Summary: | can't run wine on -9999 policies | ||
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Amadeusz Sławiński <amade> |
| Component: | SELinux | Assignee: | SE Linux Bugs <selinux> |
| Status: | UNCONFIRMED --- | ||
| Severity: | normal | ||
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
I think behaviour was changed with this commit: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commitdiff;h=73600f7dad522a0d5fca9a68d3d32e51e05b4a23 After adding policy_module(winerole, 1.0.0) require { type staff_t; role staff_r; } wine_role(staff_r, staff_t) It can access .wine but still can't start % wine notepad wine: could not exec the wine loader But I can cd into ~/.wine now Enforcing: Jan 20 16:54:49 lain kernel: [ 3368.846604] type=1400 audit(1358697289.639:400): avc: denied { search } for pid=32748 comm="wine" name="bin" dev="dm-0" ino=12058934 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:bin_t tclass=dir Jan 20 16:54:49 lain kernel: [ 3368.846633] type=1400 audit(1358697289.639:401): avc: denied { search } for pid=32748 comm="wine" name="bin" dev="dm-0" ino=12058934 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:bin_t tclass=dir Jan 20 16:54:49 lain kernel: [ 3368.846655] type=1400 audit(1358697289.639:402): avc: denied { search } for pid=32748 comm="wine" name="bin" dev="dm-0" ino=12058934 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:bin_t tclass=dir Jan 20 16:54:49 lain kernel: [ 3368.846676] type=1400 audit(1358697289.639:403): avc: denied { search } for pid=32748 comm="wine" name="bin" dev="dm-0" ino=12058934 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:bin_t tclass=dir Jan 20 16:54:49 lain kernel: [ 3368.846697] type=1400 audit(1358697289.639:404): avc: denied { search } for pid=32748 comm="wine" name="bin" dev="dm-0" ino=12058934 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:bin_t tclass=dir Jan 20 16:54:49 lain kernel: [ 3368.846718] type=1400 audit(1358697289.639:405): avc: denied { search } for pid=32748 comm="wine" name="bin" dev="dm-0" ino=12058934 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:bin_t tclass=dir Jan 20 16:54:49 lain kernel: [ 3368.846738] type=1400 audit(1358697289.639:406): avc: denied { search } for pid=32748 comm="wine" name="bin" dev="dm-0" ino=12058934 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:bin_t tclass=dir Jan 20 16:54:49 lain kernel: [ 3368.846759] type=1400 audit(1358697289.639:407): avc: denied { search } for pid=32748 comm="wine" name="bin" dev="dm-0" ino=12058934 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:bin_t tclass=dir Jan 20 16:54:49 lain kernel: [ 3368.846779] type=1400 audit(1358697289.639:408): avc: denied { search } for pid=32748 comm="wine" name="bin" dev="dm-0" ino=12058934 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:bin_t tclass=dir Permissive: Jan 20 16:55:11 lain kernel: [ 3390.879784] type=1400 audit(1358697311.716:446): avc: denied { setrlimit } for pid=527 comm="wine" scontext=staff_u:staff_r:wine_t tcontext=staff_u:staff_r:wine_t tclass=process Jan 20 16:55:11 lain kernel: [ 3390.881942] type=1400 audit(1358697311.718:447): avc: denied { create } for pid=527 comm="wine" scontext=staff_u:staff_r:wine_t tcontext=staff_u:staff_r:wine_t tclass=unix_stream_socket Jan 20 16:55:11 lain kernel: [ 3390.881982] type=1400 audit(1358697311.718:448): avc: denied { connect } for pid=527 comm="wine" scontext=staff_u:staff_r:wine_t tcontext=staff_u:staff_r:wine_t tclass=unix_stream_socket Jan 20 16:55:11 lain kernel: [ 3390.882189] type=1400 audit(1358697311.718:449): avc: denied { read } for pid=527 comm="wine" name="nsswitch.conf" dev="dm-0" ino=7616981 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:etc_t tclass=file Jan 20 16:55:11 lain kernel: [ 3390.882210] type=1400 audit(1358697311.718:450): avc: denied { open } for pid=527 comm="wine" path="/etc/nsswitch.conf" dev="dm-0" ino=7616981 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:etc_t tclass=file Jan 20 16:55:11 lain kernel: [ 3390.882253] type=1400 audit(1358697311.718:451): avc: denied { getattr } for pid=527 comm="wine" path="/etc/nsswitch.conf" dev="dm-0" ino=7616981 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:etc_t tclass=file Jan 20 16:55:11 lain kernel: [ 3390.883297] type=1400 audit(1358697311.719:452): avc: denied { getattr } for pid=527 comm="wine" path="/home/amade/.wine" dev="dm-0" ino=21890026 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:wine_home_t tclass=dir Jan 20 16:55:11 lain kernel: [ 3390.883388] type=1400 audit(1358697311.719:453): avc: denied { search } for pid=527 comm="wine" name=".wine" dev="dm-0" ino=21890026 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:wine_home_t tclass=dir Jan 20 16:55:11 lain kernel: [ 3390.883525] type=1400 audit(1358697311.719:454): avc: denied { getattr } for pid=527 comm="wine" path="/tmp/.wine-1000/server-fd00-14e03ea" dev="dm-0" ino=10756709 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:user_tmp_t tclass=dir Jan 20 16:55:18 lain kernel: [ 3397.936055] type=1400 audit(1358697318.786:527): avc: denied { signal } for pid=532 comm="wineserver" scontext=staff_u:staff_r:wine_t tcontext=staff_u:staff_r:wine_t tclass=process Jan 20 16:55:18 lain kernel: [ 3397.937921] type=1400 audit(1358697318.788:528): avc: denied { write } for pid=532 comm="wineserver" name=".wine" dev="dm-0" ino=21890026 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:wine_home_t tclass=dir Jan 20 16:55:18 lain kernel: [ 3397.937931] type=1400 audit(1358697318.788:529): avc: denied { add_name } for pid=532 comm="wineserver" name="reg2140000.tmp" scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:wine_home_t tclass=dir Jan 20 16:55:18 lain kernel: [ 3397.937951] type=1400 audit(1358697318.788:530): avc: denied { create } for pid=532 comm="wineserver" name="reg2140000.tmp" scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:wine_home_t tclass=file Jan 20 16:55:18 lain kernel: [ 3397.959648] type=1400 audit(1358697318.809:531): avc: denied { remove_name } for pid=532 comm="wineserver" name="reg2140000.tmp" dev="dm-0" ino=21892350 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:wine_home_t tclass=dir Jan 20 16:55:18 lain kernel: [ 3397.959658] type=1400 audit(1358697318.809:532): avc: denied { rename } for pid=532 comm="wineserver" name="reg2140000.tmp" dev="dm-0" ino=21892350 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:wine_home_t tclass=file Jan 20 16:55:18 lain kernel: [ 3397.959674] type=1400 audit(1358697318.809:533): avc: denied { unlink } for pid=532 comm="wineserver" name="system.reg" dev="dm-0" ino=21889746 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:wine_home_t tclass=file Jan 20 16:55:18 lain kernel: [ 3397.966707] type=1400 audit(1358697318.817:534): avc: denied { remove_name } for pid=532 comm="wineserver" name="socket" dev="dm-0" ino=10756711 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:user_tmp_t tclass=dir Jan 20 16:55:18 lain kernel: [ 3397.966724] type=1400 audit(1358697318.817:535): avc: denied { unlink } for pid=532 comm="wineserver" name="socket" dev="dm-0" ino=10756711 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:user_tmp_t tclass=sock_file Can you try with (and expand as necessary) the following? Looks like the upstream change is indeed not that ready yet...
"""
allow wine_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow wine_t self:process signal;
manage_files_pattern(wine_t, wine_home_t, wine_home_t)
manage_dirs_pattern(wine_t, wine_home_t, wine_home_t)
corecmd_exec_bin(wine_t)
files_read_etc_files(wine_t)
"""
This one got a bit of my list of things, but here I'm again.
With:
policy_module(winerole, 1.0.0)
require {
type staff_t;
role staff_r;
type wine_t;
type wine_home_t;
type wine_tmp_t;
type locale_t;
}
wine_role(staff_r, staff_t)
allow wine_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow wine_t self:process signal;
manage_files_pattern(wine_t, wine_home_t, wine_home_t)
manage_dirs_pattern(wine_t, wine_home_t, wine_home_t)
corecmd_exec_bin(wine_t)
files_read_etc_files(wine_t)
wine notepad.exe command gives in enforcing:
Apr 3 21:08:25 lain kernel: [ 1735.497832] type=1400 audit(1365016105.791:188): avc: denied { setrlimit } for pid=6966 comm="wine" scontext=staff_u:staff_r:wine_t tcontext=staff_u:staff_r:wine_t tclass=process
Apr 3 21:08:26 lain kernel: [ 1735.791843] type=1400 audit(1365016106.085:189): avc: denied { create } for pid=6969 comm="wineserver" name="socket" scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:wine_tmp_t tclass=sock_file
In permissive:
Apr 3 21:11:11 lain kernel: [ 1900.505416] type=1400 audit(1365016271.126:263): avc: denied { setrlimit } for pid=7465 comm="wine" scontext=staff_u:staff_r:wine_t tcontext=staff_u:staff_r:wine_t tclass=process
Apr 3 21:11:11 lain kernel: [ 1900.508781] type=1400 audit(1365016271.129:264): avc: denied { getattr } for pid=7465 comm="wine" path="/tmp/.wine-1000/server-fc00-14e03ea/socket" dev="dm-0" ino=11010154 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:wine_tmp_t tclass=sock_file
Apr 3 21:11:11 lain kernel: [ 1900.508850] type=1400 audit(1365016271.129:265): avc: denied { write } for pid=7465 comm="wine" name="socket" dev="dm-0" ino=11010154 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:wine_tmp_t tclass=sock_file
Apr 3 21:11:11 lain kernel: [ 1900.611879] type=1400 audit(1365016271.232:266): avc: denied { unlink } for pid=7468 comm="wineserver" name="socket" dev="dm-0" ino=11010154 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:wine_tmp_t tclass=sock_file
Apr 3 21:11:11 lain kernel: [ 1900.611940] type=1400 audit(1365016271.232:267): avc: denied { create } for pid=7468 comm="wineserver" name="socket" scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:wine_tmp_t tclass=sock_file
Apr 3 21:11:11 lain kernel: [ 1900.611987] type=1400 audit(1365016271.232:268): avc: denied { setattr } for pid=7468 comm="wineserver" name="socket" dev="dm-0" ino=11010154 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:wine_tmp_t tclass=sock_file
Apr 3 21:11:11 lain kernel: [ 1900.666633] type=1400 audit(1365016271.287:269): avc: denied { getsched } for pid=7468 comm="wineserver" scontext=staff_u:staff_r:wine_t tcontext=staff_u:staff_r:wine_t tclass=process
Apr 3 21:11:11 lain kernel: [ 1900.666820] type=1400 audit(1365016271.287:270): avc: denied { read } for pid=7465 comm="wine" name="online" dev="sysfs" ino=36 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:sysfs_t tclass=file
Apr 3 21:11:11 lain kernel: [ 1900.666833] type=1400 audit(1365016271.287:271): avc: denied { open } for pid=7465 comm="wine" path="/sys/devices/system/cpu/online" dev="sysfs" ino=36 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:sysfs_t tclass=file
Apr 3 21:11:11 lain kernel: [ 1900.667769] type=1400 audit(1365016271.288:272): avc: denied { read } for pid=7465 comm="wine" name="locale" dev="dm-0" ino=12058633 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:locale_t tclass=lnk_file
After additionally allowing:
allow wine_t wine_tmp_t:sock_file { create setattr getattr write unlink };
Enforcing:
Apr 3 21:12:51 lain kernel: [ 2000.659511] type=1400 audit(1365016371.479:332): avc: denied { setrlimit } for pid=7789 comm="wine" scontext=staff_u:staff_r:wine_t tcontext=staff_u:staff_r:wine_t tclass=process
Apr 3 21:12:51 lain kernel: [ 2000.719425] type=1400 audit(1365016371.539:333): avc: denied { getsched } for pid=7792 comm="wineserver" scontext=staff_u:staff_r:wine_t tcontext=staff_u:staff_r:wine_t tclass=process
Apr 3 21:12:51 lain kernel: [ 2000.719592] type=1400 audit(1365016371.539:334): avc: denied { read } for pid=7789 comm="wine" name="online" dev="sysfs" ino=36 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:sysfs_t tclass=file
Apr 3 21:12:51 lain kernel: [ 2000.719636] type=1400 audit(1365016371.539:335): avc: denied { read } for pid=7789 comm="wine" name="stat" dev="proc" ino=4026532040 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:proc_t tclass=file
Apr 3 21:12:51 lain kernel: [ 2000.719655] type=1400 audit(1365016371.539:336): avc: denied { read } for pid=7789 comm="wine" name="cpuinfo" dev="proc" ino=4026532035 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:proc_t tclass=file
Apr 3 21:12:51 lain kernel: [ 2000.720658] type=1400 audit(1365016371.540:337): avc: denied { read } for pid=7789 comm="wine" name="locale" dev="dm-0" ino=12058633 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:locale_t tclass=lnk_file
Apr 3 21:12:51 lain kernel: [ 2000.720693] type=1400 audit(1365016371.540:338): avc: denied { search } for pid=7789 comm="wine" name="locale" dev="dm-0" ino=12069406 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:locale_t tclass=dir
Apr 3 21:12:51 lain kernel: [ 2000.720726] type=1400 audit(1365016371.540:339): avc: denied { read } for pid=7789 comm="wine" name="locale" dev="dm-0" ino=12058633 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:locale_t tclass=lnk_file
Apr 3 21:12:51 lain kernel: [ 2000.720741] type=1400 audit(1365016371.540:340): avc: denied { read } for pid=7789 comm="wine" name="locale" dev="dm-0" ino=12058633 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:locale_t tclass=lnk_file
Apr 3 21:12:51 lain kernel: [ 2000.720754] type=1400 audit(1365016371.540:341): avc: denied { read } for pid=7789 comm="wine" name="locale" dev="dm-0" ino=12058633 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:locale_t tclass=lnk_file
Permissive:
Apr 3 21:15:14 lain kernel: [ 2143.224284] type=1400 audit(1365016514.326:1254): avc: denied { setrlimit } for pid=8115 comm="wine" scontext=staff_u:staff_r:wine_t tcontext=staff_u:staff_r:wine_t tclass=process
Apr 3 21:15:14 lain kernel: [ 2143.286672] type=1400 audit(1365016514.389:1255): avc: denied { getsched } for pid=8118 comm="wineserver" scontext=staff_u:staff_r:wine_t tcontext=staff_u:staff_r:wine_t tclass=process
Apr 3 21:15:14 lain kernel: [ 2143.286838] type=1400 audit(1365016514.389:1256): avc: denied { read } for pid=8115 comm="wine" name="online" dev="sysfs" ino=36 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:sysfs_t tclass=file
Apr 3 21:15:14 lain kernel: [ 2143.286850] type=1400 audit(1365016514.389:1257): avc: denied { open } for pid=8115 comm="wine" path="/sys/devices/system/cpu/online" dev="sysfs" ino=36 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:sysfs_t tclass=file
Apr 3 21:15:14 lain kernel: [ 2143.287796] type=1400 audit(1365016514.390:1258): avc: denied { read } for pid=8115 comm="wine" name="locale" dev="dm-0" ino=12058633 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:locale_t tclass=lnk_file
Apr 3 21:15:14 lain kernel: [ 2143.287816] type=1400 audit(1365016514.390:1259): avc: denied { search } for pid=8115 comm="wine" name="locale" dev="dm-0" ino=12071458 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:locale_t tclass=dir
Apr 3 21:15:14 lain kernel: [ 2143.287831] type=1400 audit(1365016514.390:1260): avc: denied { read } for pid=8115 comm="wine" name="locale-archive" dev="dm-0" ino=12059959 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:locale_t tclass=file
Apr 3 21:15:14 lain kernel: [ 2143.287839] type=1400 audit(1365016514.390:1261): avc: denied { open } for pid=8115 comm="wine" path="/usr/lib64/locale/locale-archive" dev="dm-0" ino=12059959 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:locale_t tclass=file
Apr 3 21:15:14 lain kernel: [ 2143.287849] type=1400 audit(1365016514.390:1262): avc: denied { getattr } for pid=8115 comm="wine" path="/usr/lib64/locale/locale-archive" dev="dm-0" ino=12059959 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:locale_t tclass=file
Apr 3 21:15:14 lain kernel: [ 2143.288253] type=1400 audit(1365016514.390:1263): avc: denied { read } for pid=8115 comm="wine" name="scsi" dev="proc" ino=4026531968 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:proc_t tclass=file
So... what are the policy rules that you think are needed now?
From the comments, I gather the following:
#v+
allow wine_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow wine_t self:process signal;
manage_files_pattern(wine_t, wine_home_t, wine_home_t)
manage_dirs_pattern(wine_t, wine_home_t, wine_home_t)
allow wine_t wine_tmp_t:sock_file { create setattr getattr write unlink };
corecmd_exec_bin(wine_t)
files_read_etc_files(wine_t)
#v-
From the latest denials, this should probably include the following as well:
#v+
allow wine_t self:process { setrlimit getsched };
miscfiles_read_localization(wine_t)
#v-
policy_module(winerole, 1.0.0)
require {
type staff_t;
role staff_r;
type wine_t;
type wine_home_t;
type wine_tmp_t;
type locale_t;
}
wine_role(staff_r, staff_t)
allow wine_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow wine_t self:process signal;
manage_files_pattern(wine_t, wine_home_t, wine_home_t)
manage_dirs_pattern(wine_t, wine_home_t, wine_home_t)
allow wine_t wine_tmp_t:sock_file { create setattr getattr write unlink };
corecmd_exec_bin(wine_t)
files_read_etc_files(wine_t)
allow wine_t self:process { setrlimit getsched };
miscfiles_read_localization(wine_t)
% ls -lZ .wine/dosdevices
total 0
lrwxrwxrwx. 1 amade amade staff_u:object_r:wine_home_t 10 Dec 26 20:23 c: -> ../drive_c
lrwxrwxrwx. 1 amade amade staff_u:object_r:wine_home_t 10 Jan 22 22:58 d: -> /mnt/cdrom
lrwxrwxrwx. 1 amade amade staff_u:object_r:wine_home_t 8 Dec 26 20:23 e:: -> /dev/sdb
lrwxrwxrwx. 1 amade amade staff_u:object_r:wine_home_t 1 Dec 26 20:23 z: -> /
Enforcing:
Apr 11 21:34:59 localhost kernel: [26089.471968] type=1400 audit(1365708899.084:1141): avc: denied { read } for pid=9934 comm="wine" name="online" dev="sysfs" ino=36 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:sysfs_t tclass=file
Apr 11 21:34:59 localhost kernel: [26089.472046] type=1400 audit(1365708899.084:1142): avc: denied { read } for pid=9934 comm="wine" name="stat" dev="proc" ino=4026532040 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:proc_t tclass=file
Apr 11 21:34:59 localhost kernel: [26089.472088] type=1400 audit(1365708899.084:1143): avc: denied { read } for pid=9934 comm="wine" name="cpuinfo" dev="proc" ino=4026532035 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:proc_t tclass=file
Apr 11 21:34:59 localhost kernel: [26089.474144] type=1400 audit(1365708899.086:1144): avc: denied { read } for pid=9934 comm="wine" name="scsi" dev="proc" ino=4026531968 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:proc_t tclass=file
Apr 11 21:34:59 localhost kernel: [26089.476191] type=1400 audit(1365708899.088:1145): avc: denied { read } for pid=9934 comm="wine" name="c:" dev="dm-0" ino=21890029 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:wine_home_t tclass=lnk_file
Apr 11 21:34:59 localhost kernel: [26089.476205] type=1400 audit(1365708899.088:1146): avc: denied { read } for pid=9934 comm="wine" name="c:" dev="dm-0" ino=21890029 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:wine_home_t tclass=lnk_file
Apr 11 21:34:59 localhost kernel: [26089.476227] type=1400 audit(1365708899.088:1147): avc: denied { read } for pid=9934 comm="wine" name="c:" dev="dm-0" ino=21890029 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:wine_home_t tclass=lnk_file
Apr 11 21:34:59 localhost kernel: [26089.476238] type=1400 audit(1365708899.088:1148): avc: denied { read } for pid=9934 comm="wine" name="c:" dev="dm-0" ino=21890029 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:wine_home_t tclass=lnk_file
Apr 11 21:34:59 localhost kernel: [26089.476295] type=1400 audit(1365708899.088:1149): avc: denied { read } for pid=9934 comm="wine" name="c:" dev="dm-0" ino=21890029 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:wine_home_t tclass=lnk_file
Apr 11 21:34:59 localhost kernel: [26089.476310] type=1400 audit(1365708899.088:1150): avc: denied { read } for pid=9934 comm="wine" name="c:" dev="dm-0" ino=21890029 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:wine_home_t tclass=lnk_file
Permissive:
Apr 11 21:35:24 localhost kernel: [26114.740385] type=1400 audit(1365708924.403:2039): avc: denied { read } for pid=10010 comm="wine" name="online" dev="sysfs" ino=36 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:sysfs_t tclass=file
Apr 11 21:35:24 localhost kernel: [26114.740400] type=1400 audit(1365708924.403:2040): avc: denied { open } for pid=10010 comm="wine" path="/sys/devices/system/cpu/online" dev="sysfs" ino=36 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:sysfs_t tclass=file
Apr 11 21:35:24 localhost kernel: [26114.741828] type=1400 audit(1365708924.404:2041): avc: denied { read } for pid=10010 comm="wine" name="scsi" dev="proc" ino=4026531968 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:proc_t tclass=file
Apr 11 21:35:24 localhost kernel: [26114.741842] type=1400 audit(1365708924.404:2042): avc: denied { open } for pid=10010 comm="wine" path="/proc/scsi/scsi" dev="proc" ino=4026531968 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:proc_t tclass=file
Apr 11 21:35:24 localhost kernel: [26114.741863] type=1400 audit(1365708924.404:2043): avc: denied { getattr } for pid=10010 comm="wine" path="/proc/scsi/scsi" dev="proc" ino=4026531968 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:proc_t tclass=file
Apr 11 21:35:24 localhost kernel: [26114.745372] type=1400 audit(1365708924.408:2044): avc: denied { read } for pid=10010 comm="wine" name="c:" dev="dm-0" ino=21890029 scontext=staff_u:staff_r:wine_t tcontext=staff_u:object_r:wine_home_t tclass=lnk_file
Apr 11 21:35:24 localhost kernel: [26114.745489] type=1400 audit(1365708924.408:2045): avc: denied { search } for pid=10010 comm="wine" name="mnt" dev="dm-0" ino=28180481 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:mnt_t tclass=dir
Apr 11 21:35:24 localhost kernel: [26114.745500] type=1400 audit(1365708924.408:2046): avc: denied { getattr } for pid=10010 comm="wine" path="/mnt/cdrom" dev="dm-0" ino=28180484 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:mnt_t tclass=dir
Apr 11 21:35:24 localhost kernel: [26114.745637] type=1400 audit(1365708924.408:2047): avc: denied { getattr } for pid=10013 comm="wineserver" name="/" dev="dm-0" ino=2 scontext=staff_u:staff_r:wine_t tcontext=system_u:object_r:fs_t tclass=filesystem
|
[ebuild R ] app-emulation/wine-1.5.21 USE="X alsa cups gecko jpeg mono mp3 ncurses nls opengl oss perl png (selinux) ssl threads truetype v4l win32 win64 xinerama -capi -custom-cflags -fontconfig -gnutls -gphoto2 -gsm (-gstreamer) -lcms -ldap -odbc -openal -opencl -osmesa (-prelink) -pulseaudio -samba -scanner {-test} -udisks -xcomposite -xml" 0 kB I also tried toggling wine_mmap_zero_ignore, which changes nothing Enforcing: % id -Z staff_u:staff_r:staff_t % wine notepad.exe wine: cannot open /home/amade/.wine : Permission denied Jan 19 21:20:42 lain kernel: [15665.659485] type=1400 audit(1358626842.439:246): avc: denied { mmap_zero } for pid=18715 comm="wine-preloader" scontext=staff_u:staff_r:staff_t tcontext=staff_u:staff_r:staff_t tclass=memprotect Permissive: Jan 19 21:21:36 lain kernel: [15719.159319] type=1400 audit(1358626896.045:249): avc: denied { mmap_zero } for pid=18786 comm="wine-preloader" scontext=staff_u:staff_r:staff_t tcontext=staff_u:staff_r:staff_t tclass=memprotect Jan 19 21:21:36 lain kernel: [15719.163643] type=1400 audit(1358626896.050:250): avc: denied { read } for pid=18789 comm="wineserver" name="system.reg" dev="dm-0" ino=21892294 scontext=staff_u:staff_r:staff_t tcontext=staff_u:object_r:wine_home_t tclass=file Jan 19 21:21:36 lain kernel: [15719.163656] type=1400 audit(1358626896.050:251): avc: denied { open } for pid=18789 comm="wineserver" path="/home/amade/.wine/system.reg" dev="dm-0" ino=21892294 scontext=staff_u:staff_r:staff_t tcontext=staff_u:object_r:wine_home_t tclass=file Jan 19 21:21:36 lain kernel: [15719.224261] type=1400 audit(1358626896.110:252): avc: denied { read } for pid=18786 comm="wine" name="c:" dev="dm-0" ino=21890029 scontext=staff_u:staff_r:staff_t tcontext=staff_u:object_r:wine_home_t tclass=lnk_file Jan 19 21:21:36 lain kernel: [15719.272851] type=1400 audit(1358626896.159:253): avc: denied { read } for pid=13835 comm="X" name="cmdline" dev="proc" ino=2764969 scontext=staff_u:staff_r:xserver_t tcontext=staff_u:staff_r:staff_t tclass=file Jan 19 21:21:36 lain kernel: [15719.272868] type=1400 audit(1358626896.159:254): avc: denied { open } for pid=13835 comm="X" path="/proc/18793/cmdline" dev="proc" ino=2764969 scontext=staff_u:staff_r:xserver_t tcontext=staff_u:staff_r:staff_t tclass=file Jan 19 21:21:36 lain kernel: [15719.290340] type=1400 audit(1358626896.177:255): avc: denied { write } for pid=18791 comm="wineboot.exe" name=".update-timestamp" dev="dm-0" ino=21890035 scontext=staff_u:staff_r:staff_t tcontext=staff_u:object_r:wine_home_t tclass=file Jan 19 21:21:42 lain kernel: [15725.883606] type=1400 audit(1358626902.783:256): avc: denied { write } for pid=18789 comm="wineserver" name=".wine" dev="dm-0" ino=21890026 scontext=staff_u:staff_r:staff_t tcontext=staff_u:object_r:wine_home_t tclass=dir Jan 19 21:21:42 lain kernel: [15725.883616] type=1400 audit(1358626902.783:257): avc: denied { add_name } for pid=18789 comm="wineserver" name="reg49650000.tmp" scontext=staff_u:staff_r:staff_t tcontext=staff_u:object_r:wine_home_t tclass=dir Jan 19 21:21:42 lain kernel: [15725.883655] type=1400 audit(1358626902.783:258): avc: denied { create } for pid=18789 comm="wineserver" name="reg49650000.tmp" scontext=staff_u:staff_r:staff_t tcontext=staff_u:object_r:wine_home_t tclass=file Jan 19 21:21:42 lain kernel: [15725.905769] type=1400 audit(1358626902.805:259): avc: denied { remove_name } for pid=18789 comm="wineserver" name="reg49650000.tmp" dev="dm-0" ino=21889746 scontext=staff_u:staff_r:staff_t tcontext=staff_u:object_r:wine_home_t tclass=dir Jan 19 21:21:42 lain kernel: [15725.905780] type=1400 audit(1358626902.805:260): avc: denied { rename } for pid=18789 comm="wineserver" name="reg49650000.tmp" dev="dm-0" ino=21889746 scontext=staff_u:staff_r:staff_t tcontext=staff_u:object_r:wine_home_t tclass=file Jan 19 21:21:42 lain kernel: [15725.905787] type=1400 audit(1358626902.805:261): avc: denied { unlink } for pid=18789 comm="wineserver" name="system.reg" dev="dm-0" ino=21892294 scontext=staff_u:staff_r:staff_t tcontext=staff_u:object_r:wine_home_t tclass=file Reproducible: Always # emerge --info Portage 2.1.11.43 (hardened/linux/amd64/selinux, gcc-4.6.3, glibc-2.16.0, 3.7.1-hardened-r2 x86_64) ================================================================= System uname: Linux-3.7.1-hardened-r2-x86_64-Intel-R-_Core-TM-_i3_CPU_M_350_@_2.27GHz-with-gentoo-2.2 KiB Mem: 2999092 total, 777032 free KiB Swap: 3145724 total, 3120372 free Timestamp of tree: Wed, 16 Jan 2013 20:00:01 +0000 ld GNU ld (GNU Binutils) 2.23.1 app-shells/bash: 4.2_p42 dev-lang/python: 2.7.3-r3, 3.2.3-r2 dev-util/cmake: 2.8.10.2-r1 dev-util/pkgconfig: 0.27.1 sys-apps/baselayout: 2.2 sys-apps/openrc: 0.11.8 sys-apps/sandbox: 2.6 sys-devel/autoconf: 2.13, 2.69 sys-devel/automake: 1.11.6, 1.13.1 sys-devel/binutils: 2.23.1 sys-devel/gcc: 4.6.3 sys-devel/gcc-config: 1.8 sys-devel/libtool: 2.4.2 sys-devel/make: 3.82-r4 sys-kernel/linux-headers: 3.7 (virtual/os-headers) sys-libs/glibc: 2.16.0 Repositories: gentoo x11 hardened-dev my_local_overlay ACCEPT_KEYWORDS="amd64 ~amd64" ACCEPT_LICENSE="* -@EULA AdobeFlash-10.3 PUEL skype-4.0.0.7-copyright google-talkplugin" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-O3 -march=native -pipe" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo" CXXFLAGS="-O3 -march=native -pipe" DISTDIR="/usr/portage/distfiles" FCFLAGS="-O2 -pipe" FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch protect-owned sandbox selinux sesandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch xattr" FFLAGS="-O2 -pipe" GENTOO_MIRRORS="http://distfiles.gentoo.org" LANG="en_US.utf8" LDFLAGS="-Wl,-O1 -Wl,--as-needed" MAKEOPTS="-j5" PKGDIR="/usr/portage/packages" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/var/lib/layman/x11 /var/lib/layman/hardened-development /usr/local/portage" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="X acpi alsa amd64 bash-completion berkdb bluetooth bzip2 cli cracklib crypt cups cxx dri dvd gdbm gif gpm hardened iconv icu ipv6 jpeg jpeg2k justify mmx mng modules mp3 mudflap multilib ncurses nls nptl open_perms opengl openmp pam pax_kernel pcre png pppd readline selinux session sse sse2 sse4_1 sse4_2 ssl ssse3 tcpd tiff unicode urandom usb v4l vaapi vdpau vim-syntax wacom xattr xft xinerama zlib zsh-completion" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="en en_GB pl" PHP_TARGETS="php5-3" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_2" QEMU_SOFTMMU_TARGETS="x86_64 ppc" RUBY_TARGETS="ruby18 ruby19" USERLAND="GNU" VIDEO_CARDS="nouveau" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON