Bug 2247299 - SELinux is preventing wine-preloader from using the 'execheap' accesses on a process.
Keywords:
Status: CLOSED DUPLICATE of bug 2254434
Alias: None
Product: Fedora
Classification: Fedora
Component: wine
Version: 40
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Michael Cronenworth
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:1cb53da229f699b9195cecf3fc3...
Duplicates: 2236622 2247300 2247309 2252261 2252649 2254143 2254150 2254170 2255618 2256329 2257723 2265299 2269770 2269949 2277614 2278624 2279615
Depends On:
Blocks:
Reported: 2023-10-31 18:37 UTC by Mikhail
Modified: 2024-07-15 13:16 UTC
CC List: 46 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2024-07-11 17:26:52 UTC
Type: ---
Embargoed:


Attachments
File: description (2.62 KB, text/plain), 2023-10-31 18:37 UTC, Mikhail
File: os_info (770 bytes, text/plain), 2023-10-31 18:37 UTC, Mikhail
Snippets of ausearch log, AVC denials, electron (1.03 KB, text/plain), 2024-07-03 05:19 UTC, DK
Output from ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today (35.59 KB, text/plain), 2024-07-03 14:14 UTC, Alex Finkel


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | ValveSoftware Proton issues 7285 | 0 | None | open | Experimental now triggers SELinux alerts | 2024-05-03 07:25:06 UTC

Description Mikhail 2023-10-31 18:37:46 UTC
Description of problem:
❯ ps -AT o pid,tid,exe:1000,comm:1000,command:1000 |grep -i wine
  37835   37835 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                steam.exe                                                                                                                                                c:\windows\system32\steam.exe /home/mikhail/.local/share/Steam/legacycompat/iscriptevaluator.exe legacycompat\evaluatorscript_1259420.vdf
  37837   37837 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wineserver                                                                                                                                                wineserver                                                                                                                                                /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wineserver
  37841   37841 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                services.exe                                                                                                                                                C:\windows\system32\services.exe
  37841   37842 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                wine_rpcrt4_ser                                                                                                                                                C:\windows\system32\services.exe
  37841   37845 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                wine_rpcrt4_io                                                                                                                                                C:\windows\system32\services.exe
  37841   37849 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                wine_rpcrt4_io                                                                                                                                                C:\windows\system32\services.exe
  37841   37855 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                wine_rpcrt4_io                                                                                                                                                C:\windows\system32\services.exe
  37841   37858 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                wine_rpcrt4_io                                                                                                                                                C:\windows\system32\services.exe
  37841   37868 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                wine_rpcrt4_io                                                                                                                                                C:\windows\system32\services.exe
  37841   37874 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                wine_rpcrt4_io                                                                                                                                                C:\windows\system32\services.exe
  37841   37879 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                services.exe                                                                                                                                                C:\windows\system32\services.exe
  37841   37892 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                wine_rpcrt4_io                                                                                                                                                C:\windows\system32\services.exe
  37844   37844 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                winedevice.exe                                                                                                                                                C:\windows\system32\winedevice.exe
  37844   37847 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                winedevice.exe                                                                                                                                                C:\windows\system32\winedevice.exe
  37844   37848 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                wine_sechost_se                                                                                                                                                C:\windows\system32\winedevice.exe
  37844   37850 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                winedevice.exe                                                                                                                                                C:\windows\system32\winedevice.exe
  37844   37851 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                winedevice.exe                                                                                                                                                C:\windows\system32\winedevice.exe
  37844   37852 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                winedevice.exe                                                                                                                                                C:\windows\system32\winedevice.exe
  37844   37877 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                winedevice.exe                                                                                                                                                C:\windows\system32\winedevice.exe
  37844   37878 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                winedevice.exe                                                                                                                                                C:\windows\system32\winedevice.exe
  37854   37854 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                winedevice.exe                                                                                                                                                C:\windows\system32\winedevice.exe
  37854   37856 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                winedevice.exe                                                                                                                                                C:\windows\system32\winedevice.exe
  37854   37857 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                wine_sechost_se                                                                                                                                                C:\windows\system32\winedevice.exe
  37854   37859 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                winedevice.exe                                                                                                                                                C:\windows\system32\winedevice.exe
  37854   37860 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                libusb_event                                                                                                                                                C:\windows\system32\winedevice.exe
  37854   37861 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                winedevice.exe                                                                                                                                                C:\windows\system32\winedevice.exe
  37854   37862 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                winedevice.exe                                                                                                                                                C:\windows\system32\winedevice.exe
  37854   37863 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                winedevice.exe                                                                                                                                                C:\windows\system32\winedevice.exe
  37854   37865 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                winedevice.exe                                                                                                                                                C:\windows\system32\winedevice.exe
  37867   37867 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                plugplay.exe                                                                                                                                                C:\windows\system32\plugplay.exe
  37867   37869 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                plugplay.exe                                                                                                                                                C:\windows\system32\plugplay.exe
  37867   37870 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                wine_sechost_se                                                                                                                                                C:\windows\system32\plugplay.exe
  37867   37871 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                wine_rpcrt4_ser                                                                                                                                                C:\windows\system32\plugplay.exe
  37873   37873 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                svchost.exe                                                                                                                                                C:\windows\system32\svchost.exe -k LocalServiceNetworkRestricted
  37873   37875 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                svchost.exe                                                                                                                                                C:\windows\system32\svchost.exe -k LocalServiceNetworkRestricted
  37873   37876 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                wine_sechost_se                                                                                                                                                C:\windows\system32\svchost.exe -k LocalServiceNetworkRestricted
  37881   37881 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                conhost.exe                                                                                                                                                C:\windows\system32\conhost.exe --unix --width 238 --height 53 --server 0x10
  37883   37883 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                explorer.exe                                                                                                                                                C:\windows\system32\explorer.exe /desktop
  37883   37887 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                explorer.exe                                                                                                                                                C:\windows\system32\explorer.exe /desktop
  37883   37888 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                wine_rpcrt4_ser                                                                                                                                                C:\windows\system32\explorer.exe /desktop
  37891   37891 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                rpcss.exe                                                                                                                                                C:\windows\system32\rpcss.exe
  37891   37894 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                rpcss.exe                                                                                                                                                C:\windows\system32\rpcss.exe
  37891   37895 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                wine_sechost_se                                                                                                                                                C:\windows\system32\rpcss.exe
  37891   37896 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                wine_rpcrt4_ser                                                                                                                                                C:\windows\system32\rpcss.exe
  37891   37897 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                wine_rpcrt4_ser                                                                                                                                                C:\windows\system32\rpcss.exe
  37891   37898 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                wine_rpcrt4_io                                                                                                                                                C:\windows\system32\rpcss.exe
  37901   37901 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                tabtip.exe                                                                                                                                                C:\windows\system32\tabtip.exe
  37901   37905 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                wine_rpcrt4_ser                                                                                                                                                C:\windows\system32\tabtip.exe
  37901   37906 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                tabtip.exe                                                                                                                                                C:\windows\system32\tabtip.exe
  37901   37910 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                tabtip.exe                                                                                                                                                C:\windows\system32\tabtip.exe
  37908   37908 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine-preloader                                                                                                                                                iscriptevaluato                                                                                                                                                Z:\home\mikhail\.local\share\Steam\legacycompat\iscriptevaluator.exe legacycompat\evaluatorscript_1259420.vdf
  37913   37913 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine-preloader                                                                                                                                                SteamService.ex                                                                                                                                                legacycompat\SteamService.exe /installscript Z:\home\mikhail\.local\share\Steam\steamapps\common\Steamworks Shared\runasadmin.vdf 228980
  37915   37915 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine64-preloader                                                                                                                                                conhost.exe                                                                                                                                                C:\windows\system32\conhost.exe --server 0x34
  38115   38115 /home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine-preloader                                                                                                                                                DXSETUP.exe                                                                                                                                                Z:\home\mikhail\.local\share\Steam\steamapps\common\Steamworks Shared\_CommonRedist\DirectX\Jun2010\DXSETUP.exe /silent
  38118   38118 /usr/bin/grep                                                                                                                                                grep                                                                                                                                                grep --color=auto --exclude-dir=.bzr --exclude-dir=CVS --exclude-dir=.git --exclude-dir=.hg --exclude-dir=.svn --exclude-dir=.idea --exclude-dir=.tox -i wine
SELinux is preventing wine-preloader from using the 'execheap' accesses on a process.

*****  Plugin allow_execheap (53.1 confidence) suggests   ********************

If you do not think wine-preloader should need to map heap memory that is both writable and executable.
Then you need to report a bug. This is a potentially dangerous access.
Do
contact your security administrator and report this issue.

*****  Plugin catchall_boolean (42.6 confidence) suggests   ******************

If you want to allow selinuxuser to execheap
Then you must tell SELinux about this by enabling the 'selinuxuser_execheap' boolean.

Do
setsebool -P selinuxuser_execheap 1

*****  Plugin catchall (5.76 confidence) suggests   **************************

If you believe that wine-preloader should be allowed execheap access on processes labeled unconfined_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'wine-preloader' --raw | audit2allow -M my-winepreloader
# semodule -X 300 -i my-winepreloader.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-
                              s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-
                              s0:c0.c1023
Target Objects                Unknown [ process ]
Source                        wine-preloader
Source Path                   wine-preloader
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-40.4-1.fc40.noarch
Local Policy RPM              selinux-policy-targeted-40.4-1.fc40.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 6.6.0-61.fc40.x86_64+debug #1 SMP
                              PREEMPT_DYNAMIC Mon Oct 30 11:40:06 UTC 2023
                              x86_64
Alert Count                   108
First Seen                    2023-10-16 03:08:29 +05
Last Seen                     2023-10-31 23:36:24 +05
Local ID                      12ea481c-80a4-4393-af0d-e9f7d9865461

Raw Audit Messages
type=AVC msg=audit(1698777384.891:397): avc:  denied  { execheap } for  pid=37924 comm="wine-preloader" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=1


Hash: wine-preloader,unconfined_t,unconfined_t,process,execheap

Version-Release number of selected component:
selinux-policy-targeted-40.4-1.fc40.noarch

Additional info:
reporter:       libreport-2.17.11
reason:         SELinux is preventing wine-preloader from using the 'execheap' accesses on a process.
package:        selinux-policy-targeted-40.4-1.fc40.noarch
component:      selinux-policy
hashmarkername: setroubleshoot
type:           libreport
kernel:         6.6.0-61.fc40.x86_64+debug
component:      selinux-policy

Comment 1 Mikhail 2023-10-31 18:37:50 UTC
Created attachment 1996408
File: description

Comment 2 Mikhail 2023-10-31 18:37:52 UTC
Created attachment 1996409
File: os_info

Comment 3 Zdenek Pytela 2023-11-30 14:14:18 UTC
The Linux implementation of mprotect (unlike POSIX) allows changing the access protection of memory on the heap, e.g. allocated using malloc. This AVC denial indicates that heap memory was supposed to be made executable. While the permission can be granted by turning the selinuxuser_execheap boolean on as suggested by setroubleshoot, it should not be done without a thorough code review as in most cases it indicates a bug in the code. If anonymous executable memory is needed, another method should be considered, e.g. allocating memory using mmap.

Please refer to the boolean description:

  # semanage boolean -l|grep execheap
selinuxuser_execheap           (off  ,  off)  Allow unconfined executables to make their heap memory executable.  Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla

Switching the component to wine for further assessment.
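
The distinction drawn in comment 3 (heap memory made executable versus anonymous memory obtained with mmap), as an added example that is not part of the bug thread or of Wine's code. The names `lookup_mapping`, `in_brk_heap`, `exec_region_alloc` and `exec_region_seal` are hypothetical, and it assumes Linux with /proc mounted and glibc, whose malloc serves small requests from the brk heap.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <sys/mman.h>
#include <unistd.h>

/* Result of looking an address up in /proc/self/maps. */
struct mapping_info {
    char perms[5];  /* e.g. "rw-p" or "r-xp" */
    int  is_heap;   /* 1 if the mapping is labelled [heap] */
};

/* Find the mapping that contains addr.
 * Returns 0 on success, -1 if no mapping matches or /proc is unavailable. */
int lookup_mapping(const void *addr, struct mapping_info *out)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    int rc = -1;

    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        unsigned long start, end;
        char perms[5];

        if (sscanf(line, "%lx-%lx %4s", &start, &end, perms) != 3)
            continue;
        if ((uintptr_t)addr >= start && (uintptr_t)addr < end) {
            memcpy(out->perms, perms, sizeof perms);
            out->is_heap = strstr(line, "[heap]") != NULL;
            rc = 0;
            break;
        }
    }
    fclose(f);
    return rc;
}

/* Pre-flight check to run before mprotect(addr, ..., PROT_EXEC):
 * 1 if addr lies in the [heap] mapping (used here as an approximation of
 * the memory the execheap permission covers), 0 if not, -1 if unknown. */
int in_brk_heap(const void *addr)
{
    struct mapping_info mi;
    return lookup_mapping(addr, &mi) == 0 ? mi.is_heap : -1;
}

/* The alternative the comment recommends: an anonymous private mapping,
 * writable while it is being filled. Returns NULL on failure. */
void *exec_region_alloc(size_t len)
{
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
}

/* Switch from read+write to read+execute in one call, so the region is
 * never writable and executable at the same time. Returns 0 on success. */
int exec_region_seal(void *p, size_t len)
{
    return mprotect(p, len, PROT_READ | PROT_EXEC);
}

int main(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    struct mapping_info mi;

    /* malloc'ed memory: part of [heap]; an mprotect(PROT_EXEC) on it is
     * the request that SELinux reports as execheap. */
    void *h = malloc(64);
    if (h && lookup_mapping(h, &mi) == 0)
        printf("malloc %p perms=%s heap=%d\n", h, mi.perms, mi.is_heap);

    /* mmap'ed memory: outside [heap], so sealing it is not execheap. */
    void *r = exec_region_alloc(page);
    if (r) {
        memset(r, 0, page);  /* placeholder for generated code */
        if (exec_region_seal(r, page) == 0 && lookup_mapping(r, &mi) == 0)
            printf("mmap   %p perms=%s heap=%d\n", r, mi.perms, mi.is_heap);
        munmap(r, page);
    }
    free(h);
    return 0;
}
```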

Comment 4 Zdenek Pytela 2023-11-30 14:14:36 UTC
*** Bug 2252261 has been marked as a duplicate of this bug. ***

Comment 5 Zdenek Pytela 2023-11-30 14:14:48 UTC
*** Bug 2236622 has been marked as a duplicate of this bug. ***

Comment 6 Hasshu 2023-12-03 11:16:45 UTC
Possible duplicates: bug 2247300, bug 2247309.

Comment 7 Zdenek Pytela 2023-12-04 09:49:13 UTC
*** Bug 2252649 has been marked as a duplicate of this bug. ***

Comment 8 Zdenek Pytela 2023-12-04 09:49:34 UTC
*** Bug 2247300 has been marked as a duplicate of this bug. ***

Comment 9 Zdenek Pytela 2023-12-04 09:49:55 UTC
*** Bug 2247309 has been marked as a duplicate of this bug. ***

Comment 10 Hasshu 2023-12-05 22:04:50 UTC
Alright... On F39, launching a game via Proton 8.0-4 (Steam) or merely running winecfg (Wine 8.19) is enough to produce an execheap alert roughly every other time. At this point I don't recall which was the last version of Wine I ran on F38, but Proton 8.0-4 used to work just fine.

Comment 11 Ondrej Mosnáček 2023-12-06 14:09:53 UTC
This probably has the same cause as bug 2252391 (see https://bugzilla.redhat.com/show_bug.cgi?id=2252391#c16).

Comment 12 Zdenek Pytela 2023-12-12 10:26:41 UTC
*** Bug 2254143 has been marked as a duplicate of this bug. ***

Comment 13 Zdenek Pytela 2023-12-12 10:42:03 UTC
*** Bug 2254150 has been marked as a duplicate of this bug. ***

Comment 14 Zdenek Pytela 2023-12-12 13:43:33 UTC
*** Bug 2254170 has been marked as a duplicate of this bug. ***

Comment 15 Ondrej Mosnáček 2023-12-21 10:25:03 UTC
Bug 2252391 should now be fixed in rawhide since kernel-6.7.0-0.rc5.20231217git3b8a9b2e6809.47.fc40 - can someone test with the latest rawhide kernel if this bug was also fixed?

Comment 16 Davide Repetto 2023-12-21 18:55:34 UTC
It seems to be fixed already in kernel-6.6.7-200.fc39.x86_64. Would you still like us to check the rawhide kernel anyway?

Comment 17 Mikhail 2023-12-21 19:09:07 UTC
It's still not fixed in Rawhide

root@primary-ws ~# semanage boolean -l|grep execheap
selinuxuser_execheap           (off  ,  off)  Allow selinuxuser to execheap


root@primary-ws ~# uname -r
6.7.0-0.rc6.20231220git55cb5f43689d.50.fc40.x86_64+debug


root@primary-ws ~ [1]# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts yesterday
----
type=PROCTITLE msg=audit(12/21/2023 02:44:52.178:351) : proctitle=/home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine-preloader /home/mikhail/.local/share/Stea 
type=SYSCALL msg=audit(12/21/2023 02:44:52.178:351) : arch=i386 syscall=mprotect success=yes exit=0 a0=0x7ffff000 a1=0x1000 a2=PROT_READ|PROT_EXEC a3=0x2 items=0 ppid=30206 pid=30305 auid=mikhail uid=mikhail gid=mikhail euid=mikhail suid=mikhail fsuid=mikhail egid=mikhail sgid=mikhail fsgid=mikhail tty=(none) ses=3 comm=wine-preloader exe=/home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine-preloader subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/21/2023 02:44:52.178:351) : avc:  denied  { execheap } for  pid=30305 comm=wine-preloader scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=1 
----
type=PROCTITLE msg=audit(12/21/2023 10:00:40.869:469) : proctitle=/home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine-preloader /home/mikhail/.local/share/Stea 
type=SYSCALL msg=audit(12/21/2023 10:00:40.869:469) : arch=i386 syscall=mprotect success=yes exit=0 a0=0x7ffff000 a1=0x1000 a2=PROT_READ|PROT_EXEC a3=0x2 items=0 ppid=51200 pid=51303 auid=mikhail uid=mikhail gid=mikhail euid=mikhail suid=mikhail fsuid=mikhail egid=mikhail sgid=mikhail fsgid=mikhail tty=(none) ses=3 comm=wine-preloader exe=/home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine-preloader subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/21/2023 10:00:40.869:469) : avc:  denied  { execheap } for  pid=51303 comm=wine-preloader scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=1 
----
type=PROCTITLE msg=audit(12/21/2023 13:02:56.019:543) : proctitle=/home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine-preloader /home/mikhail/.local/share/Stea 
type=SYSCALL msg=audit(12/21/2023 13:02:56.019:543) : arch=i386 syscall=mprotect success=yes exit=0 a0=0x7ffff000 a1=0x1000 a2=PROT_READ|PROT_EXEC a3=0x2 items=0 ppid=68768 pid=68870 auid=mikhail uid=mikhail gid=mikhail euid=mikhail suid=mikhail fsuid=mikhail egid=mikhail sgid=mikhail fsgid=mikhail tty=(none) ses=3 comm=wine-preloader exe=/home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine-preloader subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/21/2023 13:02:56.019:543) : avc:  denied  { execheap } for  pid=68870 comm=wine-preloader scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=1 
----
type=PROCTITLE msg=audit(12/21/2023 18:11:50.627:709) : proctitle=/home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine-preloader /home/mikhail/.local/share/Stea 
type=SYSCALL msg=audit(12/21/2023 18:11:50.627:709) : arch=i386 syscall=mprotect success=yes exit=0 a0=0x7ffff000 a1=0x1000 a2=PROT_READ|PROT_EXEC a3=0x2 items=0 ppid=103851 pid=103957 auid=mikhail uid=mikhail gid=mikhail euid=mikhail suid=mikhail fsuid=mikhail egid=mikhail sgid=mikhail fsgid=mikhail tty=(none) ses=3 comm=wine-preloader exe=/home/mikhail/.local/share/Steam/steamapps/common/Proton - Experimental/files/bin/wine-preloader subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/21/2023 18:11:50.627:709) : avc:  denied  { execheap } for  pid=103957 comm=wine-preloader scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=1

Comment 18 Davide Repetto 2023-12-22 03:56:22 UTC
Yeah, it's still not fixed in Rawhide and I was wrong about kernel-6.6.7-200.fc39.x86_64.
It just took time to happen:

=================================
SELinux impedisce a wine-preloader un accesso execheap su un processo.
⏎
⏎
***** Plugin allow_execheap(53.1 confidenza) suggerisce********************

Se non pensi wine-preloader dovrebbe avere bisogno di mappare la memoria heap che è sia scrivibile che eseguibile.
Quindi è necessario riportare un bug. Questo è un accesso potenzialmente pericoloso.
Fai
contattare il proprio amministratore di sicurezza e riportare il problema.
⏎
⏎
***** Plugin catchall_boolean(42.6 confidenza) suggerisce******************

Se lo desidera allow selinuxuser to execheap
Quindi è necessario informare SELinux abilitando il booleano 'selinuxuser_execheap' .

Fai
setsebool -P selinuxuser_execheap 1
⏎
⏎
***** Plugin catchall(5.76 confidenza) suggerisce**************************

Se ci credi wine-preloader dovrebbe essere consentito execheap accesso ai processi etichettati unconfined_t per impostazione predefinita.
Quindi si dovrebbe riportare il problema come bug.
E' possibile generare un modulo di politica locale per consentire questo accesso.
Fai
consentire questo accesso per ora eseguendo:
# ausearch -c 'wine-preloader' --raw | audit2allow -M my-$MODULE_NOME
# semodule -X 300 -i miei-winepreloader.pp

Informazioni addizionali:
Contesto della sorgente       unconfined_u:unconfined_r:unconfined_t:s0-
                              s0:c0.c1023
Contesto target               unconfined_u:unconfined_r:unconfined_t:s0-
                              s0:c0.c1023
Oggetti target                Sconosciuto [ process ]
Sorgente                      wine-preloader
Percorso della sorgente       wine-preloader
Porta                         <Sconosciuto>
Host                          dave.idp.it
Sorgente Pacchetti RPM        
Pacchetti RPM target          
SELinux Policy RPM            selinux-policy-targeted-39.3-1.fc39.noarch
Local Policy RPM              selinux-policy-targeted-39.3-1.fc39.noarch
Selinux abilitato             True
Tipo di politica              targeted
Modalità Enforcing            Permissive
Host Name                     dave.idp.it
Piattaforma                   Linux dave.idp.it 6.6.7-200.fc39.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Wed Dec 13 21:43:37 UTC 2023
                              x86_64
Conteggio avvisi              1
Primo visto                   2023-12-22 03:28:33 CET
Ultimo visto                  2023-12-22 03:28:33 CET
ID locale                     79e3b09b-193c-4003-b4d4-fbf103bbd94c

Messaggi Raw Audit
type=AVC msg=audit(1703212113.401:454): avc:  denied  { execheap } for  pid=332198 comm="wine-preloader" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=1


Hash: wine-preloader,unconfined_t,unconfined_t,process,execheap

Comment 19 Zdenek Pytela 2023-12-22 14:13:28 UTC
*** Bug 2255618 has been marked as a duplicate of this bug. ***

Comment 20 Zdenek Pytela 2024-01-02 18:31:31 UTC
*** Bug 2256329 has been marked as a duplicate of this bug. ***

Comment 21 Zdenek Pytela 2024-01-10 16:42:32 UTC
*** Bug 2257723 has been marked as a duplicate of this bug. ***

Comment 22 Loye Young 2024-02-01 18:40:36 UTC
Not fixed in kernel 6.6.13, as of February 1, 2024.

Linux soterius.local.iycc.net 6.6.13-200.fc39.x86_64 #1 SMP PREEMPT_DYNAMIC Sat Jan 20 18:03:28 UTC 2024 x86_64 GNU/Linux
wine-9.0 (Staging)
selinux-policy-targeted-39.4-1.fc39.noarch
selinux-policy-39.4-1.fc39.noarch

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-
                              s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-
                              s0:c0.c1023
Target Objects                Unknown [ process ]
Source                        wine-preloader
Source Path                   wine-preloader
Port                          <Unknown>
Host                          soterius.local.iycc.net
Source RPM Packages          
Target RPM Packages          
SELinux Policy RPM            selinux-policy-targeted-39.4-1.fc39.noarch
Local Policy RPM              selinux-policy-targeted-39.4-1.fc39.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     soterius.local.iycc.net
Platform                      Linux soterius.local.iycc.net
                              6.6.13-200.fc39.x86_64 #1 SMP PREEMPT_DYNAMIC Sat
                              Jan 20 18:03:28 UTC 2024 x86_64
Alert Count                   7
First Seen                    2024-02-01 12:26:33 CST
Last Seen                     2024-02-01 12:26:39 CST
Local ID                      ff176081-15bc-4c22-9f6c-04ded9e5fb3d

Raw Audit Messages
type=AVC msg=audit(1706811999.410:400): avc:  denied  { execheap } for  pid=14513 comm="wine-preloader" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0


Hash: wine-preloader,unconfined_t,unconfined_t,process,execheap

Comment 23 Aoife Moloney 2024-02-15 23:03:22 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 40 development cycle.
Changing version to 40.

Comment 24 Zdenek Pytela 2024-02-21 12:07:10 UTC
*** Bug 2265299 has been marked as a duplicate of this bug. ***

Comment 25 Hasshu 2024-03-16 07:33:10 UTC
Bug 2252391 is supposed to be fixed by kernel-6.7.3-200.fc39, but I keep getting execheap alerts with kernel-6.7.9-200.fc39. There might be something else going on.

Comment 26 Zdenek Pytela 2024-03-18 08:32:08 UTC
*** Bug 2269770 has been marked as a duplicate of this bug. ***

Comment 27 Zdenek Pytela 2024-03-18 08:32:56 UTC
*** Bug 2269949 has been marked as a duplicate of this bug. ***

Comment 28 Kamil Páral 2024-05-03 07:24:13 UTC
*** Bug 2278624 has been marked as a duplicate of this bug. ***

Comment 29 Kamil Páral 2024-05-03 07:25:06 UTC
A Valve Proton upstream issue seems to be here:
https://github.com/ValveSoftware/Proton/issues/7285

Comment 30 Zdenek Pytela 2024-05-07 19:36:33 UTC
*** Bug 2277614 has been marked as a duplicate of this bug. ***

Comment 31 Zdenek Pytela 2024-05-07 19:36:44 UTC
*** Bug 2279615 has been marked as a duplicate of this bug. ***

Comment 32 Chipeng Li 2024-05-08 18:10:04 UTC
(In reply to Zdenek Pytela from comment #3)
> The Linux implementation of mprotect (unlike POSIX) allows changing the
> access protection of memory on the heap, e. g. allocated using malloc. This
> AVC denial indicates that heap memory was supposed to be made executable.
> While the permission can be granted turning the selinuxuser_execheap boolean
> on as suggested by setroubleshoot, it should not be done without a thorough
> code review as in most cases it indicates a bug in the code. If anonymous
> executable memory is needed, another method should be considered, e. g.
> allocating memory using mmap.
> 
> Please refer to the boolean description:
> 
>   # semanage boolean -l|grep execheap
> selinuxuser_execheap           (off  ,  off)  Allow unconfined executables
> to make their heap memory executable.  Doing this is a really bad idea.
> Probably indicates a badly coded executable, but could indicate an attack.
> This executable should be reported in bugzilla
> 
> Switching the component to wine for further assessment.

I submitted this bug to WineHQ's Bugzilla:
https://bugs.winehq.org/show_bug.cgi?id=56650

The maintainer of wine says:
> However, we may need to allocate memory (allocated directly from mmap and not through malloc) which is both writable and executable, because Windows programs require it.

This seems to mean that both executable and writable memory is necessary for wine-preloader. Would you consider setting an exception for the wine-preloader in SELinux's rules?

Comment 33 Gurenko Alex 2024-05-15 14:31:00 UTC
It's very weird, but I've started to get these exact selinux alerts when launching any electron-based application

Comment 34 Hasshu 2024-06-15 14:16:06 UTC
Since we're playing telephone...

> The question is really whether this is about the libc "heap" (which is not
> something that I thought the kernel had any concept of?), or if it's a blanket W^X
> imposition on the whole process. If the former, that's surprising and deserves
> investigation, because if I'm not mistaken we should never do that. If the latter,
> it's an immediate WONTFIX.
>
> Finding any trace of documentation on execheap, or really SELinux in general, and
> which of these two is the case, proves very difficult.

https://bugs.winehq.org/show_bug.cgi?id=56650#c6

Anyone?

Comment 35 david.iorlano 2024-06-28 04:15:12 UTC
(In reply to Davide Repetto from comment #18)
> Yeah, it's still not fixed in Rawhide and I was wrong about
> kernel-6.6.7-200.fc39.x86_64.
> It just took time to happen:
> 
> =================================
> SELinux impedisce a wine-preloader un accesso execheap su un processo.
> ⏎
> ⏎
> ***** Plugin allow_execheap(53.1 confidenza) suggerisce********************
> 
> Se non pensi wine-preloader dovrebbe avere bisogno di mappare la memoria
> heap che è sia scrivibile che eseguibile.
> Quindi è necessario riportare un bug. Questo è un accesso potenzialmente
> pericoloso.
> Fai
> contattare il proprio amministratore di sicurezza e riportare il problema.
> ⏎
> ⏎
> ***** Plugin catchall_boolean(42.6 confidenza) suggerisce******************
> 
> Se lo desidera allow selinuxuser to execheap
> Quindi è necessario informare SELinux abilitando il booleano
> 'selinuxuser_execheap' .
> 
> Fai
> setsebool -P selinuxuser_execheap 1
> ⏎
> ⏎
> ***** Plugin catchall(5.76 confidenza) suggerisce**************************
> 
> Se ci credi wine-preloader dovrebbe essere consentito execheap accesso ai
> processi etichettati unconfined_t per impostazione predefinita.
> Quindi si dovrebbe riportare il problema come bug.
> E' possibile generare un modulo di politica locale per consentire questo
> accesso.
> Fai
> consentire questo accesso per ora eseguendo:
> # ausearch -c 'wine-preloader' --raw | audit2allow -M my-$MODULE_NOME
> # semodule -X 300 -i miei-winepreloader.pp
> 
> Informazioni addizionali:
> Contesto della sorgente       unconfined_u:unconfined_r:unconfined_t:s0-
>                               s0:c0.c1023
> Contesto target               unconfined_u:unconfined_r:unconfined_t:s0-
>                               s0:c0.c1023
> Oggetti target                Sconosciuto [ process ]
> Sorgente                      wine-preloader
> Percorso della sorgente       wine-preloader
> Porta                         <Sconosciuto>
> Host                          dave.idp.it
> Sorgente Pacchetti RPM        
> Pacchetti RPM target          
> SELinux Policy RPM            selinux-policy-targeted-39.3-1.fc39.noarch
> Local Policy RPM              selinux-policy-targeted-39.3-1.fc39.noarch
> Selinux abilitato             True
> Tipo di politica              targeted
> Modalità Enforcing            Permissive
> Host Name                     dave.idp.it
> Piattaforma                   Linux dave.idp.it 6.6.7-200.fc39.x86_64 #1 SMP
>                               PREEMPT_DYNAMIC Wed Dec 13 21:43:37 UTC 2023
>                               x86_64
> Conteggio avvisi              1
> Primo visto                   2023-12-22 03:28:33 CET
> Ultimo visto                  2023-12-22 03:28:33 CET
> ID locale                     79e3b09b-193c-4003-b4d4-fbf103bbd94c
> 
> Messaggi Raw Audit
> type=AVC msg=audit(1703212113.401:454): avc:  denied  { execheap } for 
> pid=332198 comm="wine-preloader"
> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=process permissive=1
> 
> 
> Hash: wine-preloader,unconfined_t,unconfined_t,process,execheap

It's funny that this appears to be happening with wine and MOSTLY Chromium related products.. VS Code uses Chromium, VSCodium uses Chromium. Discord uses Chromium, Valve Software and Proton all use Chromium and Wine, well it's MS.  It appears to be a common thread....

More Info defined 
here ---> https://discussion.fedoraproject.org/t/selinux-execheap-denials/120638/24 AND
here ---> https://github.com/ValveSoftware/Proton/issues/7285

Comment 36 DK 2024-07-03 05:14:00 UTC
Hello all,

I thought I would chime in and say I am having a similar error--not on wine--but on every electron app on my system. The AVC denial errors always refer to `execheap` denials and occur in large numbers when the program is first started, and then intermittently thereafter. Sometimes, VS Code or Vesktop will crash when it happens. Instances where I have observed the `avc: denied { execheap }` error include:

- VS Code (both flatpak & rpm)
- Vesktop (flatpak)
- Obsidian (appimage)
- Slack (flatpak)

My system is:
- OS: Fedora 40 (KDE Plasma) x86-64 (up-to-date)
- Kernel: 6.9.6-200.fc40.x86-64
- DE: Plasma 6.1.1

Steps to reproduce in my case:

1) reboot system (it won't always happen if the application has been opened before in the same session)
2) open any affected application
3) see SELinux pop-ups on the notification tray

My output from `sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today` is rather long but I will include a sample in my attachment.

Cheers.

Comment 37 DK 2024-07-03 05:19:13 UTC
Created attachment 2038727 [details]
Snippets of ausearch log, AVC denials, electron

Comment 38 Alex Finkel 2024-07-03 14:13:05 UTC
Hello all,

Similar to Duncan Maclean's comment, I too am seeing this with VSCode and some other flatpaks.  Today I tried to run Mattermost (flatpak - com.mattermost.Desktop) and it crashed and also generated an AVC denial error if I run it by clicking the icon in the GNOME dash (I'm using Dask-to-Desktop extension.)  I will attach the output from `sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today` 

However, if I run it via the command line it does run.  Here is the output in case it is relevant:

$ flatpak run com.mattermost.Desktop
[2:0703/093718.759873:ERROR:bus.cc(407)] Failed to connect to the bus: Failed to connect to socket /run/dbus/system_bus_socket: No such file or directory
09:37:18.888 › Logger Log level set to: info
[macos-notification-state] failed to load 'notificationstate' addon Error: Module did not self-register: '/run/user/1000/app/com.mattermost.Desktop/.org.chromium.Chromium.ZQ3F7g'.
    at process.func [as dlopen] (node:electron/js2c/node_init:2:2214)
    at Module._extensions..node (node:internal/modules/cjs/loader:1343:18)
    at Object.func [as .node] (node:electron/js2c/node_init:2:2441)
    at Module.load (node:internal/modules/cjs/loader:1098:32)
    at Module._load (node:internal/modules/cjs/loader:945:12)
    at c._load (node:electron/js2c/node_init:2:13672)
    at Module.require (node:internal/modules/cjs/loader:1122:19)
    at require (node:internal/modules/helpers:130:18)
    at bindings (/app/main/resources/app.asar/node_modules/bindings/bindings.js:112:48)
    at safeLoad (/app/main/resources/app.asar/node_modules/macos-notification-state/lib/index.js:3:31) {
  code: 'ERR_DLOPEN_FAILED'
}
09:37:18.965 › [App.Initialize] Current working directory is /home/afinkel, changing into /app/main
LaunchProcess: failed to execvp:
xdg-settings
Gtk-Message: 09:37:18.995: Failed to load module "pk-gtk-module"
Gtk-Message: 09:37:18.995: Failed to load module "pk-gtk-module"
[2:0703/093719.009271:ERROR:bus.cc(407)] Failed to connect to the bus: Failed to connect to socket /run/dbus/system_bus_socket: No such file or directory
[2:0703/093719.009311:ERROR:bus.cc(407)] Failed to connect to the bus: Failed to connect to socket /run/dbus/system_bus_socket: No such file or directory
09:37:19.012 › [App.Config] config.autostart has been configured: false
09:37:19.026 › [App.Initialize] Autoupgrade disabled: false
09:37:19.083 › [ServerDropdownView] init
09:37:19.111 › [i18nManager] Failed to set new language en-US
09:37:19.111 › [i18nManager] Failed to set new language US
09:37:19.241 › [App.Config] config.autostart has been configured: false
09:37:20.012 › [App.Config] config.autostart has been configured: false
09:37:20.717 › [WebContentsEventM...] [-------------] [TAB_MESSAGING] [renderer] Uncaught (in promise) Error: Not authorized

[46:0703/093730.246641:ERROR:gl_surface_presentation_helper.cc(260)] GetVSyncParametersIfAvailable() failed for 1 times!
[46:0703/093732.591779:ERROR:gl_surface_presentation_helper.cc(260)] GetVSyncParametersIfAvailable() failed for 2 times!
[46:0703/093736.239884:ERROR:gl_surface_presentation_helper.cc(260)] GetVSyncParametersIfAvailable() failed for 3 times!

Comment 39 Alex Finkel 2024-07-03 14:14:51 UTC
Created attachment 2038817 [details]
Output from ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

Comment 40 Alex Finkel 2024-07-03 14:20:38 UTC
System info:   Fedora 40 Workstation, running GNOME Desktop

$ uname -r
6.9.7-200.fc40.x86_64

OS: Fedora Linux 40 (Workstation Edition) x86_64
Host: MS-7C91 (2.0)
Kernel: Linux 6.9.7-200.fc40.x86_64
Uptime: 1 hour, 10 mins
Packages: 3420 (rpm), 71 (flatpak)
Shell: bash 5.2.26
Display (DELL S2721DS): 2560x1440 @ 60Hz
DE: GNOME 46.2
WM: Mutter (Wayland)
WM Theme: Adwaita
Theme: Adwaita [GTK2/3/4]
Icons: Adwaita [GTK2/3/4]
Font: Noto Sans (9pt) [GTK2/3/4]
Cursor: Adwaita (24px)
Terminal: GNOME Terminal 3.50.1
Terminal Font: Noto Sans Mono (10pt)
CPU: AMD Ryzen 7 3700X (16) @ 3.60 GHz
GPU: AMD Radeon RX 5500 XT @ 0.01 GHz [Discrete]
Memory: 5.59 GiB / 62.71 GiB (9%)
Swap: 0 B / 8.00 GiB (0%)
Locale: en_US.UTF-8

Comment 41 Christopher Klooz 2024-07-08 11:46:05 UTC
@zpytela  there is also a list of affected tools on ask.fedora, Signal from flathub was just added, too -> https://discussion.fedoraproject.org/t/selinux-execheap-denials/120638/35

Does it make sense to switch the component of this report to selinux-policy ? That way more people with that issue (and maybe more affected tools) are more likely to end up here rather than opening new bug reports. This ticket is still mentioned as being related to wine.

Comment 42 Hilário Fochi Silveira 2024-07-08 18:43:56 UTC
I see the wine-preloader execheap day after day. And SELinux troubleshooter always tells me: "you need to report a bug. This is a potentially dangerous access.
Contact your security administrator and report this issue"

Maybe Michael Cronenworth (mike) or @zpytela or any other expert can comment on what I should do while waiting for the bug fix. This time I can not decide what is the wise thing to do.
Thanks for any help.

Also, please let me know if you need additional info 

Cheers

Comment 43 DK 2024-07-11 12:53:47 UTC
Hello again,

(In reply to david.iorlano from comment #35)
> https://discussion.fedoraproject.org/t/selinux-execheap-denials/120638/24 AND
> here ---> https://github.com/ValveSoftware/Proton/issues/7285

As mentioned in the linked Fedora thread, this notification is appearing across a wide range of applications. As of right now we have Wine, Proton, VS Code, Signal, Obsidian, Slack, and Discord. I am not an expert on any of these applications or on SELinux, so I don't know where the bug (or bugs) /actually/ lives. I think generalizing the issue makes sense, though, as we're seeing it across many applications which have relatively little in common. Cheers.

Comment 44 Oliver Sampson 2024-07-11 13:53:24 UTC
(In reply to Duncan Maclean from comment #43)
> Hello again,
> 
> (In reply to david.iorlano from comment #35)
> > https://discussion.fedoraproject.org/t/selinux-execheap-denials/120638/24 AND
> > here ---> https://github.com/ValveSoftware/Proton/issues/7285
> 
> As mentioned in the linked Fedora thread, this notification is appearing
> across a wide range of applications. As of right now we have Wine, Proton,
> VS Code, Signal, Obsidian, Slack, and Discord. I am not an expert on any of
> these applications or on SELinux, so I don't know where the bug (or bugs)
> /actually/ lives. I think generalizing the issue makes sense, though, as
> we're seeing it across many applications which have relatively little in
> common. Cheers.

Also Chromium.

Comment 45 Zdenek Pytela 2024-07-11 17:26:52 UTC

*** This bug has been marked as a duplicate of bug 2254434 ***

Comment 46 Zdenek Pytela 2024-07-15 10:51:30 UTC
Cleaning my needinfos, check https://bugzilla.redhat.com/show_bug.cgi?id=2254434 for further progress.

