This is on x86_64 but using the i386 version of wine!

To reproduce, download the latest wine rpms for FC4 from www.wineHQ.com (0.9.2), and install. Download DCOM98.EXE (this legally requires a windows license to run!):

    wget http://download.microsoft.com/download/d/1/3/d13cd456-f0cf-4fb2-a17f-20afc79f8a51/DCOM98.EXE

Now try to install it:

    WINEDLLOVERRIDES="ole32=n" wine DCOM98.EXE

It fails with a debug trace; the interesting stuff is really in /var/log/audit:

    4041): avc: denied { execmod } for pid=8547 comm="wine-preloader" name="DCOM98.EXE" dev=dm-1 ino=3113147 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
    4041): arch=40000003 syscall=125 success=no exit=-13 a0=1001000 a1=9000 a2=5 a3=1001000 items=0 pid=8547 auid=4294967295 uid=500 gid=500 euid=500 egid=500 sgid=500 fsgid=500 comm="wine-preloader" exe="/usr/bin/wine-preloader"

Doing:

    chcon -t textrel_shlib_t ~hans/DCOM98.EXE

causes it to get a bit further. DCOM98.EXE is a self-extracting and running setup executable; the extracted executables from the archive, however, of course don't have the textrel_shlib_t type, and thus it fails a bit further when trying to execute install.exe:

    4863): avc: denied { execmod } for pid=9144 comm="wine-preloader" name="install.exe" dev=dm-1 ino=3276919 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
    4863): arch=40000003 syscall=125 success=no exit=-13 a0=1001000 a1=b000 a2=5 a3=1001000 items=0 pid=9144 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="wine-preloader" exe="/usr/bin/wine-preloader"

Hope this is enough info for you to fix it.
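Added example, not part of the original report or of any commenter's text: a small Python triage helper that pairs the first AVC record above with its SYSCALL record and decodes it. It shows that the denied call is i386 mprotect (syscall 125) requesting PROT_READ|PROT_EXEC on the mapped EXE, which is the operation the execmod permission governs. The function and variable names are hypothetical.

```python
import re

# Records copied from the first report above (serial prefix truncated as on the page).
AVC = ('4041): avc: denied { execmod } for pid=8547 comm="wine-preloader" '
       'name="DCOM98.EXE" dev=dm-1 ino=3113147 '
       'scontext=user_u:system_r:unconfined_t:s0 '
       'tcontext=user_u:object_r:user_home_t:s0 tclass=file')
SYSCALL = ('4041): arch=40000003 syscall=125 success=no exit=-13 '
           'a0=1001000 a1=9000 a2=5 a3=1001000 items=0 pid=8547')

# Assumption: only the one i386 entry needed here (arch=40000003 is AUDIT_ARCH_I386).
I386_SYSCALLS = {125: "mprotect"}
PROT_FLAGS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_kv(text):
    """Split audit key=value pairs, dropping quotes around values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}

def decode_prot(value):
    """Render an mprotect prot bitmask as flag names."""
    return "|".join(n for bit, n in PROT_FLAGS.items() if value & bit) or "PROT_NONE"

def triage(avc_line, syscall_line):
    """Combine an AVC denial and its SYSCALL record into one summary dict."""
    m = AVC_RE.search(avc_line)
    if not m:
        raise ValueError("not an AVC denial")
    avc, sc = parse_kv(m.group("rest")), parse_kv(syscall_line)
    if sc.get("arch") != "40000003":
        raise ValueError("only i386 syscall numbers are mapped in this example")
    nr = int(sc["syscall"])
    name = I386_SYSCALLS.get(nr, f"syscall_{nr}")
    result = {
        "perms": m.group("perms").split(),
        "comm": avc["comm"],
        "target": avc["name"],
        "source_type": avc["scontext"].split(":")[2],
        "target_type": avc["tcontext"].split(":")[2],
        "syscall": name,
        "errno": -int(sc["exit"]),   # 13 is EACCES
    }
    if name == "mprotect":           # audit prints a0..a3 in hex
        result["addr"] = int(sc["a0"], 16)
        result["length"] = int(sc["a1"], 16)
        result["prot"] = decode_prot(int(sc["a2"], 16))
    return result

if __name__ == "__main__":
    print(triage(AVC, SYSCALL))
```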
Try turning on allow_execmod boolean:

    setsebool -P allow_execmod=1
That works, which is strange because inspired by a bugzilla query I did:

    for i in `rpm -ql wine|grep /bin`; do chcon -t java_exec_t $i; done

And java needs allow_execmod too, right? Anyways, yes that works.
No, it allows execmem. We need a better solution for wine, but this works for now.
Erm, if we need a better solution then how is this not a bug? Also, since wine is in extras now (see bug 171526), this is a real problem, since the targeted policy is enabled by default nowadays and one would expect wine from FE to work out of the box. Reopening.
Actually if you want to run execmod applications in your homedir you need to set allow_execmod. If you want the exe labeled correctly they should be installed in /usr/lib/wine directory as a .so file. Then you could

    restorecon -R /usr/lib/wine

to set them up correctly. If they do not work labeled as .so I could add a file_context match on *.exe
Daniel Walsh wrote:
> Actually if you want to run execmod applications in your homedir you need to set allow_execmod.

What I want is a wine which works out of the box with the targeted policy. Isn't it possible to create a type for the wine binaries so that they are allowed to do execmod on any file? Just like java is given a type which allows it to always do execmem.
Yes. Do you know if wine needs execmem?
Well it works with the default targeted policy after doing the "setsebool -P allow_execmod=1" so I guess it doesn't need execmem.
Where are we on this one? Anything new or anything I should test/check?
Latest policy should be working. selinux-policy-targeted-2.1.13-1