| Summary: | Launching any wine app causes AVC denial + alert and the app does not run | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Tony White <twhite> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 15 | CC: | andreas.bierfert, dominick.grift, dwalsh, gatlinsullivan, mgrepl |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-06-16 11:18:10 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Attachments: | | | |

Could you retest? I was just using 1.3.21 on X86_64 and it would work.

Wine does not get along well with SELinux due to memory usage. Run 'wine notepad' through a terminal to see if any output occurs; sometimes it takes a while with SELinux (if you don't use SELinux, but you use Wine disable SELinux).

```
wine notepad
wine: could not exec wineserver
```

Same AVC denial message. Nothing happens. I updated beforehand also (Took the wine update + kernel and rebooted.)

I should not need to turn off selinux to run wine. Rather, I would like information about if this AVC denial really is necessary or whether selinux has a pedantic rule for wine which is much too overblown. I actually don't know if wine does do something unsafe by default every time it runs because the AVC denial messages provide what would largely be considered as data instead of information. Are the wine developers aware that they are doing something considered unsafe?

I can't use wine at the moment. OpenGL on sandybridge is terrible here (glx gears stutters) and Starcraft II was the only reason I was trying to use wine. My point remains however, wine does not work out of the box. An almost cryptic alert is produced instead and nothing happens when I try to run apps that ship with wine. I understand that this concerns security (selinux) but it undermines user experience and makes Fedora appear inferior to everything else where wine at least "Just works" straight after it is installed. As it should do.

All you need to do is toggle a boolean to enable this functionality:

```
setsebool -P mmap_low_allowed on
```

Not all wine apps need this, only the older ones (at least so I have been told). Also the plugin tells you what to do.

Sorry. You just do not understand what is being reported here.
```
[tony@localhost ~]$ wine wine file
wine: could not exec wineserver
[tony@localhost ~]$ wine regedit
wine: could not exec wineserver
[tony@localhost ~]$ wine wordpad
wine: could not exec wineserver
[tony@localhost ~]$ wine notepad
wine: could not exec wineserver
```

So a good chunk of wine's built-in apps do not run. And the AVC denial dialog is confusing. It asks questions. If you want? If you do not think? If you want to control? A normal user will not understand that they need to open a console and do: su -c 'setsebool -P mmap_low_allowed on'. They are just told that setsebool -P mmap_low_allowed on is their solution. There are too many questions that a normal user does not have the information to answer, when all they want to do is run a windows binary that shipped with the software they just installed.

It is policies like this and confusing dialogs which force users to turn selinux off entirely. If deliberately obstructing the use of wine in Fedora was intended, you have succeeded.

Well, running wine in this mode opens you to potential kernel attacks, which is why we deny it by default. You should also need DAC permissions turned off to run wine apps without this priv. Memory Mapping address spaces down around zero has been a common bug in the kernel and can lead to root exploits.
Created attachment 503776
AVC DENIAL

Description of problem:
Bundled wine apps like notepad and wine wordpad fail to start

Version-Release number of selected component (if applicable):

```
Name : wine
Arch : x86_64
Version : 1.3.20
Release : 1.fc15
```

How reproducible:
Every time

Steps to Reproduce:
1. su -c 'yum install wine'
2. notepad
3.

Actual results:

```
wine: could not exec wineserver
```

An svc
SELinux is preventing /usr/bin/wine-preloader from mmap_zero access on the memprotect Unknown.

Expected results:
notepad is launched

Additional info:
Please see attached
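
For triage on the defender side, an added example that is not part of the bug thread: it tallies `mmap_zero` denials from auditd AVC records by command and source domain, so you can see which programs hit the denial before deciding whether to turn on `mmap_low_allowed`. The log lines are constructed, and the function names and the `expected` set are assumptions of this example.

```python
import re
from collections import Counter

# Constructed auditd records for illustration (not taken from the bug report).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1308222000.101:210): avc:  denied  { mmap_zero } for  pid=2101 comm="wine-preloader" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect
type=AVC msg=audit(1308222005.332:214): avc:  denied  { mmap_zero } for  pid=2130 comm="wine-preloader" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect
type=AVC msg=audit(1308222010.500:220): avc:  denied  { read } for  pid=2200 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1308222020.900:231): avc:  denied  { mmap_zero } for  pid=2300 comm="a.out" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=memprotect
type=SYSCALL msg=audit(1308222020.900:231): arch=c000003e syscall=9 success=no exit=-13 comm="a.out"
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the key=value fields of one AVC denial record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    return rec


def mmap_zero_denials(log_text):
    """Count mmap_zero/memprotect denials per (comm, source SELinux type)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and 'mmap_zero' in rec['perms'] and rec.get('tclass') == 'memprotect':
            # scontext is user:role:type:level; the type is the third field.
            domain = rec.get('scontext', '?:?:?').split(':')[2]
            counts[(rec.get('comm', '?'), domain)] += 1
    return counts


def unexpected_callers(counts, expected=frozenset({'wine-preloader'})):
    """Commands hitting mmap_zero that are not on the expected list."""
    return sorted(key for key in counts if key[0] not in expected)


if __name__ == '__main__':
    tally = mmap_zero_denials(SAMPLE_AUDIT_LOG)
    for (comm, domain), n in sorted(tally.items()):
        print(f'{n:3d}  {comm}  ({domain})')
    print('review before enabling the boolean:', unexpected_callers(tally))
```
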