Description of problem: The binaries from the game 'pingus' have the context 'ping_exec_t' instead of 'bin_t' (I presume). This is because the file context of 'ping' is defined with a wildcard:

/etc/selinux/targeted/contexts/files/file_contexts:/usr/bin/ping.* -- system_u:object_r:ping_exec_t:s0

The game is then unable to run for confined users. A workaround is:

chcon -t bin_t /usr/bin/pingus

If I define a context for /usr/bin/pingus, which one has priority: the wildcard rule or the specific one? I have not found an answer yet.
What AVC msgs are you getting?
Here is the AVC:

type=AVC msg=audit(1341913280.881:1492): avc: denied { read } for pid=28320 comm="pingus" path="/usr/bin/bash" dev="sda5" ino=550819 scontext=staff_u:staff_r:ping_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1341913280.881:1492): arch=c000003e syscall=10 success=no exit=-13 a0=6d9000 a1=1000 a2=1 a3=7fffa909c0d0 items=0 ppid=28304 pid=28320 auid=502 uid=502 gid=502 euid=502 suid=502 fsuid=502 egid=502 sgid=502 fsgid=502 tty=pts4 ses=2 comm="pingus" exe="/usr/bin/bash" subj=staff_u:staff_r:ping_t:s0-s0:c0.c1023 key=(null)

The user is confined as 'staff_u'. You can see that pingus is running in context 'ping_t', which is the problem.
I agree we should label this as bin_t. Fixed in Rawhide.
selinux-policy-3.10.0-142.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-142.fc17
Package selinux-policy-3.10.0-142.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.

Update it with:

# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-142.fc17'

as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-11215/selinux-policy-3.10.0-142.fc17 then log in and leave karma (feedback).
Only half-fixed.

# ll -Z /usr/bin/ping*
-rwxr-xr-x. root root system_u:object_r:ping_exec_t:s0 /usr/bin/ping
-rwxr-xr-x. root root system_u:object_r:ping_exec_t:s0 /usr/bin/ping6
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/pingus
-rwxr-xr-x. root root system_u:object_r:ping_exec_t:s0 /usr/bin/pingus.bin

So, pingus has the right context, but pingus.bin does not (pingus is a shell script that launches pingus.bin). Here is the new AVC:

type=AVC msg=audit(1343461181.891:2049): avc: denied { execmem } for pid=18213 comm="pingus.bin" scontext=staff_u:staff_r:ping_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:ping_t:s0-s0:c0.c1023 tclass=process
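The two denials quoted in this report have the same shape: a program whose name is not ping is running in the ping_t domain because its executable carries ping_exec_t. The following Python script is an added triage example, not code from the report or from the selinux-policy package. It parses audit AVC records, extracts the type from the source and target contexts, and flags any process running in a domain its program name is not expected to use. The EXPECTED_PROGRAMS mapping (ping_t is expected only for ping and ping6) is an assumption made for the example; the two AVC lines in SAMPLE_AUDIT are the ones quoted in this report.

```python
"""Triage helper for AVC denials that point at a mislabeled executable.

Added example (not from the bug report or the policy package): parse audit
AVC records, pull the SELinux type out of the source and target contexts,
and flag processes running in a domain their program name should not use.
"""
import re
from typing import Dict, List, Optional, Set

# Constructed sample input: the two AVC records quoted in the report, plus the
# SYSCALL record that follows the first one (not an AVC record, so it is skipped).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1341913280.881:1492): avc: denied { read } for pid=28320 comm="pingus" path="/usr/bin/bash" dev="sda5" ino=550819 scontext=staff_u:staff_r:ping_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1341913280.881:1492): arch=c000003e syscall=10 success=no exit=-13 a0=6d9000 a1=1000 a2=1 a3=7fffa909c0d0 items=0 ppid=28304 pid=28320 auid=502 uid=502 gid=502 euid=502 suid=502 fsuid=502 egid=502 sgid=502 fsgid=502 tty=pts4 ses=2 comm="pingus" exe="/usr/bin/bash" subj=staff_u:staff_r:ping_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1343461181.891:2049): avc: denied { execmem } for pid=18213 comm="pingus.bin" scontext=staff_u:staff_r:ping_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:ping_t:s0-s0:c0.c1023 tclass=process
"""

# Assumption for this example: which program names are expected to run in
# which domain. Only ping_t is listed because that is the domain in the report.
EXPECTED_PROGRAMS: Dict[str, Set[str]] = {"ping_t": {"ping", "ping6"}}

_AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx: str) -> str:
    """Return the type (third colon-separated field) of an SELinux context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx


def parse_avc(line: str) -> Optional[dict]:
    """Parse one audit line; return a record for AVC denials, None otherwise."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group(2))}
    return {
        "perms": m.group(1).split(),
        "comm": fields.get("comm", ""),
        "path": fields.get("path"),
        "tclass": fields.get("tclass", ""),
        "scontext": fields.get("scontext", ""),
        "tcontext": fields.get("tcontext", ""),
        "source_type": context_type(fields.get("scontext", "")),
        "target_type": context_type(fields.get("tcontext", "")),
    }


def parse_audit(text: str) -> List[dict]:
    """Parse a block of audit.log text into AVC records, skipping other record types."""
    records = [parse_avc(line) for line in text.splitlines()]
    return [r for r in records if r is not None]


def find_unexpected_domains(records: List[dict],
                            expected: Dict[str, Set[str]] = EXPECTED_PROGRAMS) -> List[dict]:
    """Flag denials whose process runs in a domain its program name should not use.

    Domains with no entry in `expected` are left alone. A program in ping_t that
    is not ping/ping6 points at an executable labeled ping_exec_t that should
    be bin_t, which is the situation in this report.
    """
    flagged = []
    for r in records:
        allowed = expected.get(r["source_type"])
        if allowed is not None and r["comm"] not in allowed:
            flagged.append(r)
    return flagged


def describe(r: dict) -> str:
    """One-line summary of a denial for a triage note."""
    target = r["path"] or r["target_type"]
    return (f'{r["comm"]} in {r["source_type"]} denied {",".join(r["perms"])} '
            f'on {r["tclass"]} {target}')


if __name__ == "__main__":
    for rec in find_unexpected_domains(parse_audit(SAMPLE_AUDIT)):
        print("unexpected domain:", describe(rec))
```

Run against the sample, the script reports both pingus and pingus.bin as running in ping_t; the next step on a real host is to check the label of the flagged executable with ls -Z, as the report does, rather than to widen the ping_t policy.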
I am fixing it.

# chcon -t bin_t /usr/bin/pingus.bin

selinux-policy-3.10.0-143.fc17
selinux-policy-3.10.0-142.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.