On 08/07/2009 06:39 AM, Daniel J Walsh wrote:
> On 08/06/2009 08:03 AM, Stephen Smalley wrote:
>> On Thu, 2009-08-06 at 00:15 -0400, Ryan Gandy wrote:
>>> Oops. Hit the wrong button by mistake, here you go. Whole stack of
>>> AVC denials.
>>>
>>> Aug 3 16:39:41 TechComm kernel: type=1400
>>> audit(1249331981.357:15701): avc: denied { mmap_zero } for pid=3752
>>> comm="wine-preloader" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
>>> tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=memprotect
>>> Aug 3 16:39:41 TechComm kernel: type=1400
>>> audit(1249331981.357:15702): avc: denied { execmem } for pid=3752
>>> comm="wine-preloader" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
>>> tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
>>> Aug 3 16:39:41 TechComm kernel: type=1400
>>
>> Hmm...so there is no transition defined from the confined user domains
>> to wine_t, only from unconfined_t. That is likely intentional since
>> wine_t is unconfined under targeted policy (there is a
>> unconfined_domain_noaudit() call in wine.te).
>>
> If you build a policy with
>
> policy_module(mywine, 1.0)
> gen_require(`
>     type staff_t;
>     role staff_r;
> ')
>
> wine_role(staff_t, staff_r)
>
> You should be able to try out the staff_wine_t type.
>

Of course wine_t is an unconfined_domain if you have not removed the unconfined module from policy. If you do not want staff_t to be able to run unconfined domains and you have the unconfined module installed, you do not want to allow this transition.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
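The mywine module quoted above, wrapped in the check the follow-up describes, as an added example that is not code from the thread or from the Fedora policy: before granting staff_r the wine role it asks whether the unconfined module is loaded and whether wine_t carries the unconfined_domain_type attribute, and only builds and installs the module when the transition would not hand staff_t an unconfined domain. It assumes the setools tools `seinfo` and `sesearch`, the refpolicy devel Makefile at /usr/share/selinux/devel/Makefile, and that `semodule -l` prints one "name version" line per module; the sample tool outputs inside the script are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example; not part of the mailing-list thread. Grants staff_r the wine role
# only when wine_t is not an unconfined domain on this machine.
#
# Assumed (not from the thread): setools `seinfo`/`sesearch` are installed, the refpolicy
# devel Makefile is /usr/share/selinux/devel/Makefile, and `semodule -l` prints
# "name version" per loaded module.

# Pure decision, no side effects.
#   $1: yes|no  unconfined module loaded
#   $2: yes|no  wine_t has the unconfined_domain_type attribute
# Returns 0 when wine_role(staff_t, staff_r) keeps staff_t confined,
# 1 when it would let staff_t run an unconfined domain.
transition_is_safe() {
    if [ "$1" = yes ] && [ "$2" = yes ]; then
        return 1
    fi
    return 0
}

# Reads `semodule -l` output on stdin; succeeds if the unconfined module is listed.
unconfined_module_loaded() {
    awk '$1 == "unconfined" { found = 1 } END { exit !found }'
}

# Reads `seinfo -aunconfined_domain_type -x` output on stdin; succeeds if $1 is a member.
# With seinfo absent the input is empty and this fails, i.e. the type is treated as confined.
type_has_unconfined_attr() {
    grep -qw -- "$1"
}

# The module from the thread, written out verbatim for the refpolicy build.
write_module() {
    cat > mywine.te <<'EOF'
policy_module(mywine, 1.0)
gen_require(`
	type staff_t;
	role staff_r;
')

wine_role(staff_t, staff_r)
EOF
}

build_and_install() {
    make -f /usr/share/selinux/devel/Makefile mywine.pp
    semodule -i mywine.pp
    # Show the type transitions staff_t now has into the wine domain.
    sesearch -T -s staff_t -c process
}

main() {
    mod=no
    attr=no
    semodule -l | unconfined_module_loaded && mod=yes
    seinfo -aunconfined_domain_type -x 2>/dev/null | type_has_unconfined_attr wine_t && attr=yes
    if transition_is_safe "$mod" "$attr"; then
        write_module && build_and_install
    else
        echo "wine_t is unconfined here (unconfined module loaded); not granting staff_t the transition" >&2
        echo "remove the unconfined module first, or rerun with --force" >&2
        exit 1
    fi
}

# Constructed sample outputs (not from a real host) so the parsers can be tried offline.
SAMPLE_SEMODULE_L='apache 2.1.2
unconfined 3.1.0
wine 1.5.0'
SAMPLE_SEINFO='   unconfined_domain_type
      unconfined_t
      wine_t'

# Nothing runs on the live policy unless asked for explicitly.
case "${1:-}" in
    install) main ;;
    --force) write_module && build_and_install ;;
esac
```

Run it as `sh mywine.sh install`; `--force` skips the check for a system where the unconfined module has already been removed and wine_t is genuinely confined.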