Bug 389861

Summary: SELinux is preventing X (xdm_xserver_t) "search" to (wine_t).
Product: [Fedora] Fedora
Reporter: vfiend
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Ben Levenson <benl>
Severity: low
Priority: low
Version: 8
CC: ajax
Keywords: Reopened
Hardware: All
OS: Linux
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-01-30 14:05:38 EST

Description vfiend 2007-11-18 20:10:35 EST
Note that I am using the nvidia proprietary drivers (sorry), with AIGLX. When
Compiz is running, attempting to run a Wine OpenGL app results in a blank black
screen and an SELinux denial; with Metacity running instead, it works fine.

Summary
    SELinux is preventing X (xdm_xserver_t) "search" to <Unknown> (wine_t).

...

Additional Information        

Source Context                system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
Target Context                system_u:system_r:wine_t:s0
Target Objects                None [ dir ]
Affected RPM Packages         
Policy RPM                    selinux-policy-3.0.8-53.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall_file
Host Name                     monolith
Platform                      Linux monolith 2.6.23.1-49.fc8 #1 SMP Thu Nov 8
                              22:14:09 EST 2007 x86_64 x86_64
Alert Count                   2
First Seen                    Sun 18 Nov 2007 04:57:30 PM PST
Last Seen                     Sun 18 Nov 2007 04:58:47 PM PST
Local ID                      395e761c-a71d-40b6-960b-a395520fc3e3
Line Numbers                  

Raw Audit Messages            

avc: denied { search } for comm=X dev=proc name=2868 pid=2326
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=dir
tcontext=system_u:system_r:wine_t:s0

Comment 1 Daniel Walsh 2007-11-19 09:59:23 EST
If you run in setenforce 0, does it work?

Comment 2 vfiend 2007-11-20 04:52:07 EST
Yes, when setting selinux to permissive it worked before.

But I just tried again and I can't reproduce these denials, everything works
fine.. very odd

Comment 3 vfiend 2007-11-25 15:33:22 EST
Okay, actually I'm still getting the xdm_xserver_t "search" to (wine_t) denials
when running 3d windows apps in Wine, but it doesn't seem to actually have any
adverse effects on the applications.

Comment 4 Daniel Walsh 2007-11-26 11:56:11 EST
You can allow this for now by executing 

# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-62.fc8

Comment 5 Daniel Walsh 2008-01-30 14:05:38 EST
Bulk closing old selinux policy bugs that were in the modified state. If the
bug is still not fixed, please reopen.
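
Added example, not part of the original bug thread and not audit2allow's own code: the `audit2allow -M mypol -i /var/log/audit/audit.log` step in Comment 4 builds a module from every denial in that log, so it helps to see which allow rule the denial in this report maps to and compare it with the generated `mypol.te` before loading it. The function names below are hypothetical, and the sample input is the raw audit message from the description.

```python
import re
from collections import defaultdict

# Raw audit message from this report, wrapped as it appears in the description.
SAMPLE = """\
avc: denied { search } for comm=X dev=proc name=2868 pid=2326
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=dir
tcontext=system_u:system_r:wine_t:s0
"""

AVC_START = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_records(text):
    """Rejoin wrapped AVC records; any other 'type=' audit record ends the current one."""
    records, current = [], []
    for line in text.splitlines():
        is_avc = AVC_START.search(line)
        if is_avc or line.startswith("type="):
            if current:
                records.append(" ".join(current))
            current = [line.strip()] if is_avc else []
        elif current and line.strip():
            current.append(line.strip())
    if current:
        records.append(" ".join(current))
    return records

def se_type(context):
    """The type is the third field of user:role:type[:level]."""
    return context.split(":")[2]

def allow_rules(text):
    """Return the type-enforcement allow rules that would cover the denials in text."""
    perms = defaultdict(set)
    for record in split_records(text):
        fields = dict(FIELD.findall(record))
        if not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue  # incomplete record: skip rather than guess
        src, tgt = se_type(fields["scontext"]), se_type(fields["tcontext"])
        key = (src, "self" if src == tgt else tgt, fields["tclass"])
        perms[key].update(AVC_START.search(record).group(1).split())
    rules = []
    for (src, tgt, cls), granted in sorted(perms.items()):
        names = sorted(granted)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE)))
```

Any rule in the generated `mypol.te` beyond the one this prints comes from other denials in the same log and should be reviewed separately.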