Description of problem: SELinux is preventing /opt/teamviewer8/tv_bin/wine/bin/wineserver from 'create' accesses on the sock_file socket. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that wineserver should be allowed create access on the socket sock_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep wineserver /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:initrc_t:s0 Target Context system_u:object_r:initrc_tmp_t:s0 Target Objects socket [ sock_file ] Source wineserver Source Path /opt/teamviewer8/tv_bin/wine/bin/wineserver Port <Unknown> Host (removed) Source RPM Packages teamviewer-8.0.17147-1.i686 Target RPM Packages Policy RPM selinux-policy-3.11.1-98.fc18.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 3.9.9-201.fc18.x86_64 #1 SMP Fri Jul 5 16:42:02 UTC 2013 x86_64 x86_64 Alert Count 3 First Seen 2013-07-11 01:24:23 PDT Last Seen 2013-07-13 08:29:57 PDT Local ID 6fbad8a4-c05f-4498-a26b-a31772bd7647 Raw Audit Messages type=AVC msg=audit(1373729397.719:376): avc: denied { create } for pid=1891 comm="wineserver" name="socket" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=sock_file type=SYSCALL msg=audit(1373729397.719:376): arch=i386 syscall=getuid success=yes exit=0 a0=2 a1=ffc0eb40 a2=f a3=1 items=0 ppid=1887 pid=1891 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=4294967295 tty=(none) comm=wineserver exe=/opt/teamviewer8/tv_bin/wine/bin/wineserver subj=system_u:system_r:initrc_t:s0 key=(null) Hash: wineserver,initrc_t,initrc_tmp_t,sock_file,create audit2allow #============= initrc_t ============== allow initrc_t initrc_tmp_t:sock_file create; audit2allow -R require { type initrc_tmp_t; type initrc_t; class sock_file create; } #============= initrc_t ============== allow initrc_t initrc_tmp_t:sock_file create; Additional info: reporter: libreport-2.1.5 hashmarkername: setroubleshoot kernel: 3.9.9-201.fc18.x86_64 type: libreport
*** Bug 984378 has been marked as a duplicate of this bug. ***
*** Bug 984380 has been marked as a duplicate of this bug. ***
*** Bug 984379 has been marked as a duplicate of this bug. ***
*** Bug 984381 has been marked as a duplicate of this bug. ***
*** Bug 984383 has been marked as a duplicate of this bug. ***
*** Bug 984384 has been marked as a duplicate of this bug. ***
*** Bug 984385 has been marked as a duplicate of this bug. ***
*** Bug 984386 has been marked as a duplicate of this bug. ***
*** Bug 984389 has been marked as a duplicate of this bug. ***
*** Bug 984387 has been marked as a duplicate of this bug. ***
*** Bug 984390 has been marked as a duplicate of this bug. ***
*** Bug 984391 has been marked as a duplicate of this bug. ***
Since we do not ship teamviewer you or someone else needs to write policy for it, or turn back on unconfined domains.
If you want to run with disabled unconfined module then I would make the local policy # cat myunconfined.te policy_module(myunconfined, 1.0) require{ type initrc_t; } unconfined_domain(initrc_t) # make -f /usr/share/selinux/devel/Makefile myunconfined.pp # semodule -i myunconfined.pp
That will not work. unconfined_domain_noaudit(initrc_t) WIll
Ah yes, meant this. # cat myunconfined.te policy_module(myunconfined, 1.0) require{ type initrc_t; } unconfined_domain_noaudit(initrc_t) # make -f /usr/share/selinux/devel/Makefile myunconfined.pp # semodule -i myunconfined.pp