Frogging-Family / wine-tkg-git

The wine-tkg build systems, to create custom Wine and Proton builds

SELinux is preventing wine-preloader from using execheap access in a process. #1108

Open heit0r opened 8 months ago

heit0r commented 8 months ago

Hello, I'm using Fedora Linux and I'm receiving these messages all the time about SELinux preventing things from happening. There are some commands to allow wine and/or plugins to do stuff I do not really trust. Just reporting. If it's not a bug, I'd like to know. If it is, I'd like to know how to proceed or if it's safe to execute the commands below. Is there a way to not receive these messages?

```
$ uname -a
Linux fedora 6.6.8-200.fc39.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Dec 21 04:01:49 UTC 2023 x86_64 GNU/Linux

$ wine --version
wine-9.0rc3.r0.g75f626ec ( TkG Staging Esync Fsync )

$ yabridgectl --version
yabridgectl 5.1.0
```

Thank you. Here's the full text, translated back to English by GPT:

SELinux is preventing wine-preloader from using execheap access in a process.

* Plugin allow_execheap (trust 53.1) suggests ****

If you don't think $SOURCEO_PATH should map the writable and executable heap memory, you need to report a bug. This is a very dangerous access. Please contact your security administrator and report this problem.

* Plugin catchall_boolean (trust 42.6) suggests **

If you want to allow selinuxuser to execheap, you should inform SELinux about it by enabling the boolean 'selinuxuser_execheap'.

Run the following command: setsebool -P selinuxuser_execheap 1

* Plugin catchall (trust 5.76) suggests **

If you believe wine-preloader should be allowed execheap access in processes labeled unconfined_t by default, you should inform that this is a bug. You can generate a local policy module to allow this access.

Run the following commands:

ausearch -c 'wine-preloader' --raw | audit2allow -M my-winepreloader

semodule -X 300 -i my-winepreloader.pp

Additional information:

```
Source context          unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target context          unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target objects          Unknown [ process ]
Source                  wine-preloader
Source path             wine-preloader
Port
Machine                 fedora
Source RPM packages
Target RPM packages
SELinux Policy RPM      selinux-policy-targeted-39.3-1.fc39.noarch
Local Policy RPM        selinux-policy-targeted-39.3-1.fc39.noarch
SELinux enabled         True
Policy type             targeted
Enforcing mode          Enforcing
Machine name            fedora
Platform                Linux fedora 6.6.8-200.fc39.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Dec 21 04:01:49 UTC 2023 x86_64
Alert count             2
First seen              2024-01-03 12:32:47 -03
Last seen               2024-01-03 13:16:43 -03
Local ID                c64b7d5e-7eb8-49f6-a6db-4075708a0a51
```

Unprocessed audit messages:

```
type=AVC msg=audit(1704298603.124:206): avc: denied { execheap } for pid=8463 comm="wine-preloader" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
```

Hash: wine-preloader,unconfined_t,unconfined_t,process,execheap
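For triage, the AVC record in the report above can be parsed to rebuild the same comm, source type, target type, class, permission tuple shown on its Hash line and to filter for memory-protection denials. This is an added example, not part of the original post or of wine-tkg; the second sample record and the function names `parse_avc` and `memory_denials` are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# First record is the AVC line from the report; the second is constructed.
SAMPLE = (
    'type=AVC msg=audit(1704298603.124:206): avc: denied { execheap } for pid=8463 '
    'comm="wine-preloader" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0\n'
    'type=AVC msg=audit(1704298700.000:207): avc: denied { read write } for pid=9000 '
    'comm="constructed-app" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0\n'
)

# SELinux memory-protection permissions: executable heap, anonymous
# memory, stack, and modified file mappings.
MEMORY_PERMS = {"execheap", "execmem", "execstack", "execmod"}

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+)\.\d+:(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+'
    r'tclass=(?P<tclass>\S+)\s+permissive=(?P<permissive>[01])'
)

def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    scon, tcon = m["scon"].split(":"), m["tcon"].split(":")
    if len(scon) < 3 or len(tcon) < 3:      # context must be user:role:type[:level]
        return None
    return {
        "time_utc": datetime.fromtimestamp(int(m["ts"]), tz=timezone.utc).isoformat(),
        "comm": m["comm"], "perms": m["perms"].split(), "tclass": m["tclass"],
        "stype": scon[2], "ttype": tcon[2],
        "enforced": m["permissive"] == "0",  # permissive=0: the access was blocked
    }

def memory_denials(text):
    """Keep only denials of memory-protection permissions, one entry per permission."""
    out = []
    for rec in filter(None, map(parse_avc, text.splitlines())):
        for perm in rec["perms"]:
            if perm in MEMORY_PERMS:
                key = ",".join([rec["comm"], rec["stype"], rec["ttype"], rec["tclass"], perm])
                out.append({**rec, "perm": perm, "hash": key})
    return out

if __name__ == "__main__":
    for d in memory_denials(SAMPLE):
        print(d["time_utc"], d["hash"], "blocked" if d["enforced"] else "logged only")
```

The timestamp it derives for the reported record, 16:16:43 UTC, corresponds to the report's "Last seen" value of 13:16:43 -03.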

janmechtel commented 2 months ago

I found a couple of threads that seem related:

dsbrown commented 2 months ago

I am having the same problem when trying to launch Bitwarden on the Fedora desktop under Plasma 6.1.

Operating System: Fedora Linux 40
KDE Plasma Version: 6.1.1
KDE Frameworks Version: 6.3.0
Qt Version: 6.7.1
Kernel Version: 6.9.6-200.fc40.x86_64 (64-bit)
Graphics Platform: Wayland
Processors: 16 × AMD Ryzen 7 5700X3D 8-Core Processor
Memory: 31.2 GiB of RAM
Graphics Processor: AMD Radeon RX 6750 XT
Manufacturer: ASUS

aarek-eng commented 1 month ago

Having the same problem trying to run ProtonMail and Signal Desktop on Fedora 40. It seems a lot of apps rely on electron, wine-preloader and execheap.

pallaswept commented 3 days ago

Found this issue when I had the same. You may find this interesting: https://github.com/ValveSoftware/Proton/issues/7285

TL;DR Fixed in kernel 6.11 (possibly backported to 6.10.6)