Bug 2297337

Summary: SELinux is preventing wine-preloader from using the 'execheap' accesses on a process.
Product: [Fedora] Fedora Reporter: Zlatko Duric <zladuric>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 39CC: dwalsh, lvrabec, mmalik, omosnacek, pkoncity, vmojzis, zladuric, zpytela
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:1cb53da229f699b9195cecf3fc3781125cbc9c2d82b66b66d818e35e88df6389;VARIANT_ID=workstation;
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2024-07-11 17:26:41 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
File: description
none
File: os_info none

Description Zlatko Duric 2024-07-11 15:54:35 UTC 
Description of problem:
I upgraded to F40, and switched to KDE at the same time.

Now I have this problem, keyboard is not working in Lutris (wows) app, nor in Chrome. The fun part is, Chrome sometimes takes keyboard input, but then it stops and I have to reboot.

The game though, not at all.
SELinux is preventing wine-preloader from using the 'execheap' accesses on a process.

*****  Plugin allow_execheap (53.1 confidence) suggests   ********************

Sie nicht glauben, dass wine-preloader auf Heap-Speicher verweisen sollte, der sowohl beschreibbar als auch ausführbar ist.
Then sie müssen einen Fehlerbereicht einreichen. Dies ist ein möglicherweise gewährlicher Zugriff.
Do
setzen Sie sich mit Ihrem Sicherheitsadministrator in Verbindung und melden Sie dieses Problem.

*****  Plugin catchall_boolean (42.6 confidence) suggests   ******************

Sie folgendes tun möchten: allow selinuxuser to execheap
Then sie müssen SELinux darüber benachrichtigen, indem Sie die \tboolesche Variable »selinuxuser_execheap« aktivieren.

Do
setsebool -P selinuxuser_execheap 1

*****  Plugin catchall (5.76 confidence) suggests   **************************

Wenn Sie denken, dass es wine-preloader standardmäßig erlaubt sein sollte, execheap Zugriff auf unconfined_t Prozesse zu erhalten.
Then sie sollten dies als Fehler melden.
Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen.
Do
zugriff jetzt erlauben, indem Sie die nachfolgenden Befehle ausführen:
# ausearch -c 'wine-preloader' --raw | audit2allow -M my-winepreloader
# semodule -X 300 -i my-winepreloader.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-
                              s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-
                              s0:c0.c1023
Target Objects                Unknown [ process ]
Source                        wine-preloader
Source Path                   wine-preloader
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-39.7-1.fc39.noarch
Local Policy RPM              selinux-policy-targeted-39.7-1.fc39.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.9.7-100.fc39.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Thu Jun 27 18:06:32 UTC 2024
                              x86_64
Alert Count                   15
First Seen                    2024-07-10 16:09:03 CEST
Last Seen                     2024-07-11 17:40:17 CEST
Local ID                      dcb4dec8-4f47-43b7-8d26-68414f8c28a0

Raw Audit Messages
type=AVC msg=audit(1720712417.163:687): avc:  denied  { execheap } for  pid=695052 comm="wine-preloader" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0


Hash: wine-preloader,unconfined_t,unconfined_t,process,execheap

Version-Release number of selected component:
selinux-policy-targeted-39.7-1.fc39.noarch

Additional info:
reporter:       libreport-2.17.11
reason:         SELinux is preventing wine-preloader from using the 'execheap' accesses on a process.
package:        selinux-policy-targeted-39.7-1.fc39.noarch
component:      selinux-policy
hashmarkername: setroubleshoot
type:           libreport
kernel:         6.9.7-100.fc39.x86_64
component:      selinux-policy
Comment 1 Zlatko Duric 2024-07-11 15:54:38 UTC 
Created attachment 2039435 [details]
File: description
Comment 2 Zlatko Duric 2024-07-11 15:54:39 UTC 
Created attachment 2039436 [details]
File: os_info
Comment 3 Zdenek Pytela 2024-07-11 17:26:41 UTC 

*** This bug has been marked as a duplicate of bug 2254434 ***