[Bug 1229844] New: [SELinux] wine execmod AVCs (fix upstream)
https://bugzilla.suse.com/show_bug.cgi?id=1229844

Bug ID: 1229844
Summary: [SELinux] wine execmod AVCs (fix upstream)
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: pallaswept@proton.me
QA Contact: security-team@suse.de
Target Milestone: ---
Found By: ---
Blocker: ---

Operating System: openSUSE Tumbleweed
SELinux status, mode and policy name: Enabled, Enforcing, Targeted
SELinux policy version and repository: 20240823 repo-oss
The software (incl. version) that is affected by the SELinux issue and the error message: wine

SELinux Audit log: An incomplete selection of example AVCs:

type=AVC msg=audit(1722917439.978:211): avc: denied { execmod } for pid=34784 comm="wineboot.exe" path=2F686F6D652F70616C6C6173776570742F2E6C6F63616C2F73686172652F537465616D2F737465616D617070732F636F6D6D6F6E2F50726F746F6E202D204578706572696D656E74616C2F66696C65732F6C696236342F77696E652F7838365F36342D77696E646F77732F6E74646C6C2E646C6C dev="nvme0n1p2" ino=42647954 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:data_home_t:s0 tclass=file permissive=0

type=AVC msg=audit(1724652240.789:148): avc: denied { execmod } for pid=16329 comm="rundll32.exe" path="/home/pallaswept/.local/share/lutris/runners/wine/wine-ge-8-26-x86_64/lib64/wine/x86_64-windows/msadp32.acm" dev="nvme0n1p2" ino=37843972 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:data_home_t:s0 tclass=file permissive=0

type=AVC msg=audit(1724652242.123:163): avc: denied { execmod } for pid=16331 comm="iexplore.exe" path="/home/pallaswept/.local/share/lutris/runners/wine/wine-ge-8-26-x86_64/lib64/wine/x86_64-windows/uxtheme.dll" dev="nvme0n1p2" ino=37843454 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:data_home_t:s0 tclass=file permissive=0

type=AVC msg=audit(1724652242.293:164): avc: denied { execmod } for pid=16316 comm="winedevice.exe" path="/home/pallaswept/.local/share/lutris/runners/wine/wine-ge-8-26-x86_64/lib64/wine/x86_64-windows/iphlpapi.dll" dev="nvme0n1p2" ino=37843485 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:data_home_t:s0 tclass=file permissive=0

type=AVC msg=audit(1724652243.956:166): avc: denied { execmod } for pid=16348 comm="rundll32.exe" path="/home/pallaswept/.local/share/lutris/runners/wine/wine-ge-8-26-x86_64/lib/wine/i386-windows/msacm32.dll" dev="nvme0n1p2" ino=37844986 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:data_home_t:s0 tclass=file permissive=0

type=AVC msg=audit(1724652243.956:167): avc: denied { execmod } for pid=16348 comm="rundll32.exe" path="/home/pallaswept/.local/share/lutris/runners/wine/wine-ge-8-26-x86_64/lib/wine/i386-windows/comctl32.dll" dev="nvme0n1p2" ino=37845081 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:data_home_t:s0 tclass=file permissive=0

type=AVC msg=audit(1724652243.959:168): avc: denied { execmod } for pid=16348 comm="rundll32.exe" path="/home/pallaswept/.local/share/lutris/runners/wine/wine-ge-8-26-x86_64/lib/wine/i386-windows/comctl32.dll" dev="nvme0n1p2" ino=37845081 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:data_home_t:s0 tclass=file permissive=0

Any other important details: This has been reported upstream and apparently is a kernel bug, with a patch.
Proton Issue: https://github.com/ValveSoftware/Proton/issues/7285
Fedora backporting the patch for kernel 6.10.6: https://bodhi.fedoraproject.org/updates/FEDORA-2024-9d98836711

I was intending to report this later so I'm sorry my logs are a mess but when I saw that this was patched but required backporting I thought that I should mention it sooner rather than waiting, so that the kernel team have an opportunity to add this if they want to. The fix will be in 6.11 otherwise.

I hope this is helpful! Cheers
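Added example, not part of the original report or of any SUSE or Wine tooling: a small parser for AVC records like the ones quoted above, which decodes the bare-hex form audit uses for a path containing a space (as in the first AVC) and counts execmod denials per target type and directory. The function names and the sample records are constructed for illustration.

```python
import re
from collections import Counter

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
DENIED = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')
ENCODED_FIELDS = {"comm", "path", "name", "exe"}  # fields audit may hex-encode

def decode_field(raw):
    """Quoted values are literal; an unquoted value in these fields is hex."""
    if raw.startswith('"'):
        return raw[1:-1]
    try:
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    except ValueError:
        return raw  # not hex, e.g. "(null)"

def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other record."""
    denied = DENIED.search(line)
    if "type=AVC" not in line or not denied:
        return None
    rec = {k: decode_field(v) if k in ENCODED_FIELDS else v.strip('"')
           for k, v in FIELD.findall(line)}
    rec["perms"] = denied.group(1).split()
    rec["ttype"] = (rec.get("tcontext", "").split(":") + [""] * 3)[2]
    return rec

def execmod_by_dir(lines):
    """Count execmod denials per (target type, directory of the mapped file)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, lines)):
        if "execmod" in rec["perms"] and "path" in rec:
            counts[(rec["ttype"], rec["path"].rpartition("/")[0])] += 1
    return counts

# Constructed sample input (paths, pid and inode are made up, not from the report).
def sample_line(serial, comm, path, encode=False):
    p = path.encode().hex().upper() if encode else f'"{path}"'
    return (f'type=AVC msg=audit(1700000000.000:{serial}): avc:  denied  {{ execmod }} '
            f'for  pid=4242 comm="{comm}" path={p} dev="sda1" ino=1234 '
            'scontext=unconfined_u:unconfined_r:unconfined_t:s0 '
            'tcontext=unconfined_u:object_r:data_home_t:s0 tclass=file permissive=0')

SAMPLE = [
    sample_line(1, "wineboot.exe", "/home/user/My Prefix/lib64/ntdll.dll", encode=True),
    sample_line(2, "rundll32.exe", "/home/user/runner/lib/comctl32.dll"),
    sample_line(3, "rundll32.exe", "/home/user/runner/lib/msacm32.dll"),
    "type=SYSCALL msg=audit(1700000000.000:3): arch=c000003e syscall=10 success=no",
]
```

Only the string fields listed in ENCODED_FIELDS are hex-decoded; numeric fields such as pid and ino are left alone, since an even-length number would otherwise be misread as hex.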