
Experimental now triggers SELinux alerts #7285

Closed
GamertechAU opened this issue Nov 25, 2023 · 27 comments

Comments

@GamertechAU

GamertechAU commented Nov 25, 2023

New Proton is again triggering SELinux due to wine-preloader incorrectly attempting to access execheap in ways it shouldn't when launching certain games. Rebel Galaxy (290300) is a quick and easy test case.

Affects current Bleeding-edge. Experimental/8.0-4/GE-Proton8-23 is unaffected.


*****  Plugin allow_execheap (53.1 confidence) suggests   ********************

If you do not think wine-preloader should need to map heap memory that is both writable and executable.
Then you need to report a bug. This is a potentially dangerous access.
Do
contact your security administrator and report this issue.

*****  Plugin catchall_boolean (42.6 confidence) suggests   ******************

If you want to allow selinuxuser to execheap
Then you must tell SELinux about this by enabling the 'selinuxuser_execheap' boolean.

Do
setsebool -P selinuxuser_execheap 1

*****  Plugin catchall (5.76 confidence) suggests   **************************

If you believe that wine-preloader should be allowed execheap access on processes labeled unconfined_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'wine-preloader' --raw | audit2allow -M my-winepreloader
# semodule -X 300 -i my-winepreloader.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-
                              s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-
                              s0:c0.c1023
Target Objects                Unknown [ process ]
Source                        wine-preloader
Source Path                   wine-preloader
Port                          <Unknown>
Host                          radium
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-39.2-1.fc39.noarch
Local Policy RPM              selinux-policy-targeted-39.2-1.fc39.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     radium
Platform                      Linux radium 6.6.2-201.fc39.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Wed Nov 22 21:31:42 UTC 2023
                              x86_64
Alert Count                   5
First Seen                    2023-11-25 12:32:37 AEDT
Last Seen                     2023-11-25 12:37:31 AEDT
Local ID                      4cd5fc52-48ea-4b9b-8943-44222985cdec

Raw Audit Messages
type=AVC msg=audit(1700876251.745:250): avc:  denied  { execheap } for  pid=26319 comm="wine-preloader" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0


Hash: wine-preloader,unconfined_t,unconfined_t,process,execheap

@Aftermath

Also seeing this when trying to run Squad/Post Scriptum with Experimental Bleeding Edge (on fedora).

@Hasshu

Hasshu commented Dec 3, 2023

@BillFleming

There is an update, this was a kernel bug. There are apparently several ways to trigger it.
Here is a patch someone already cooked up:
https://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm.git/commit/?h=mm-hotfixes-stable&id=d3bb89ea9c13e5a98d2b7a0ba8e50a77893132cb
Details on the bad commits and mailing list discussion link starting here:
https://bugzilla.redhat.com/show_bug.cgi?id=2252391#c16

@dreua

dreua commented Jan 22, 2024

I have the same SELinux alert, but in contradiction to OP's findings, Proton 8.0-4 is also affected.

Game: The Talos Principle 2 [openbeta, no launch options]

Newer kernel and selinux policy:

SELinux Policy RPM            selinux-policy-targeted-39.3-1.fc39.noarch
Local Policy RPM              selinux-policy-targeted-39.3-1.fc39.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     dave
Platform                      Linux dave 6.6.11-200.fc39.x86_64 #1 SMP

It alerts about missing directx 12 but that might be just a result of selinux blocking stuff:
DirectX 12 is not supported on your system. Try running without the -dx12 or -d3d12 command line argument.

@GamertechAU
Author

GamertechAU commented Jan 22, 2024

As above, it's a bug in the kernel itself. It's meant to have been fixed in 6.7.0, but they're taking their sweet time releasing it or backporting to 6.6.x. It may be fixed in 6.6.13, but can't confirm yet.

@dreua

dreua commented Jan 22, 2024

I don't think it is in 6.6.13, still getting errors and no mention of the commit you linked in the shortlog. 😢

@GamertechAU
Author

Yea, took a day for the errors to start popping again on 6.6.13. nvm

@sudoshindo

> As above, it's a bug in the kernel itself. It's meant to have been fixed in 6.7.0, but they're taking their sweet time releasing it

So this is why one of my games on Lutris won't work.
I swear SELinux is more annoying than helpful on a desktop system.

@GamertechAU
Author

GamertechAU commented Jan 25, 2024

> So this is why one of my games on Lutris won't work.

Would have no effect on that. It's basically a cosmetic warning.

@sudoshindo

sudoshindo commented Jan 25, 2024

Yes it does, the game won't launch.

@GamertechAU
Author

> Yes it does, the game won't launch.

The game may not launch, but not because of this. You have another issue. Most scripts on Lutris are outdated.

This is just SELinux complaining about a broken kernel test that it doesn't like, but it also doesn't interfere with WINE.

@GamertechAU
Author

Nvm, still not fixed in 6.7.3...

@GamertechAU
Author

GamertechAU commented Apr 6, 2024

Kernel 6.8.4 looks to have fixed it finally.

Edit: It's no longer happening with Steam/Heroic, but is with Lutris. Who knows?

@kisak-valve kisak-valve added the "Need Retest" label (Request to retest an issue with vanilla Proton) on Apr 6, 2024
@dmaeby

dmaeby commented Apr 7, 2024

It's not fixed in 6.8.4. I updated to 6.8.4 a day or two ago, and today when I fired up Heroic to play Cyberpunk 2077 I got the alert from SELinux.

@GamertechAU
Author

Looking into it more, Proton 9.2+ doesn't trigger the alert. Wine-GE and earlier Protons do still trigger it.

So WINE or Valve must have fixed the improper behaviour that was annoying SELinux.

@solystm

solystm commented May 10, 2024

I set a device up with Fedora 39 a little while ago and it was showing this error with Proton. That got upgraded to Fedora 40 and is still doing it using Proton Experimental, kernel 6.8.7-300.fc40.x86_64. On this machine, the denial message just pops up at random times, even when the game isn't running. I hadn't seen this before, so I was a little surprised, but then later I saw it on a different Fedora 40 machine. Kernel version: 6.8.8-300.fc40.x86_64, Proton 8.0-5. I see the report above that Proton 9.2 fixes it, so maybe that's good. I'll try with that, but just as an FYI it's still happening on at least those versions.

Details from the SETroubleshoot output.

@Eschguy

Eschguy commented May 17, 2024

Continues to be an issue on Fedora 40 with kernel 6.8.9-300.fc40.x86_64 with the just released mesa 24.0.7-3.fc40

@scj643

scj643 commented Jun 11, 2024

Can confirm I still get alerted on kernel 6.8.11-300.fc40 with mesa 24.0.9-1.fc40

@Francis1993Z

Francis1993Z commented Jun 30, 2024

I got this problem on Fedora 40.
SELinux forbids wine-preloader from using execheap on a process.
Linux fedora 6.9.6-200.fc40.x86_64 #1 SMP
PREEMPT_DYNAMIC Fri Jun 21 15:48:21 UTC 2024
x86_64

type=AVC msg=audit(1719776021.695:285): avc: denied { execheap } for pid=12062 comm="wine-preloader" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0

Hash: wine-preloader,unconfined_t,unconfined_t,process,execheap
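The raw AVC records quoted in the opening post and in the comment just above carry everything needed to triage these alerts without touching policy. As an added example (not part of this thread, and not code from Proton, Wine or setroubleshoot), here is a small Python parser that pulls the execheap denials out of an audit log, checks that they are enforced `process`-class denials against the process's own domain, and rebuilds the same comma-separated key that setroubleshoot prints after `Hash:`. The sample log is constructed: the two execheap lines mirror the ones posted in this issue, while the SYSCALL line and the file-read denial are made up so the parser has something to skip and something to separate from the execheap case.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample audit records. The two execheap denials reproduce the
# ones quoted in this thread; the SYSCALL record and the file-read denial
# (comm, path and contexts invented) are there only for contrast.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700876251.745:250): avc:  denied  { execheap } for  pid=26319 comm="wine-preloader" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
type=SYSCALL msg=audit(1700876251.745:250): arch=c000003e syscall=10 success=no exit=-13
type=AVC msg=audit(1719776021.695:285): avc: denied { execheap } for pid=12062 comm="wine-preloader" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1719776100.000:290): avc:  denied  { read } for  pid=4242 comm="example-daemon" name="example.txt" dev="dm-0" ino=4242 scontext=system_u:system_r:example_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

# Shape of an AVC record: timestamp:serial, result, { perms }, then key=value fields.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class AvcRecord:
    timestamp: float
    serial: int
    result: str        # "denied" or "granted"
    perms: tuple       # e.g. ("execheap",)
    pid: int
    comm: str
    scontext: str
    tcontext: str
    tclass: str
    enforced: bool     # permissive=0 means the access really was blocked


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Parse one audit line; return None for anything that is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return AvcRecord(
        timestamp=float(m.group("ts")),
        serial=int(m.group("serial")),
        result=m.group("result"),
        perms=tuple(m.group("perms").split()),
        pid=int(fields.get("pid", -1)),
        comm=fields.get("comm", ""),
        scontext=fields.get("scontext", ""),
        tcontext=fields.get("tcontext", ""),
        tclass=fields.get("tclass", ""),
        enforced=fields.get("permissive") == "0",
    )


def parse_audit_log(text: str) -> list:
    return [r for r in (parse_avc(ln) for ln in text.splitlines()) if r is not None]


def domain_type(context: str) -> str:
    """Type field of a user:role:type[:range] SELinux context."""
    return context.split(":")[2]


def execheap_denials(records) -> list:
    """execheap is a process asking for heap memory that is both writable and
    executable, so it always shows up as a process-class denial where the
    source and target are the process's own domain."""
    return [
        r for r in records
        if r.result == "denied" and "execheap" in r.perms
        and r.tclass == "process" and r.scontext == r.tcontext
    ]


def setroubleshoot_key(r: AvcRecord) -> str:
    """Same comma-separated key setroubleshoot prints as 'Hash:' for an alert."""
    return ",".join([r.comm, domain_type(r.scontext), domain_type(r.tcontext),
                     r.tclass, " ".join(r.perms)])


def summarize_by_comm(records) -> dict:
    """Collapse repeated execheap denials into one entry per offending program."""
    out = {}
    for r in execheap_denials(records):
        entry = out.setdefault(r.comm, {"count": 0, "first_seen": r.timestamp,
                                        "last_seen": r.timestamp,
                                        "domain": domain_type(r.scontext)})
        entry["count"] += 1
        entry["first_seen"] = min(entry["first_seen"], r.timestamp)
        entry["last_seen"] = max(entry["last_seen"], r.timestamp)
    return out


if __name__ == "__main__":
    for comm, info in summarize_by_comm(parse_audit_log(SAMPLE_AUDIT_LOG)).items():
        print(f"{comm}: {info['count']} execheap denial(s) in domain {info['domain']}")
```

Keying the summary on comm and domain is the same grouping setroubleshoot uses to collapse repeated alerts, so the five alerts the opening post reports would show up as one entry with a count of five. Run over a real log with `ausearch -m avc --raw | python3 this_script.py`-style piping (reading stdin instead of the constructed sample), the output tells you which programs are asking for W+X heap before you decide whether the `selinuxuser_execheap` boolean or a local module offered by the plugins above is the right response, or whether, as this thread eventually concluded, the fix belongs in the kernel or the program.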

@Hasshu

Hasshu commented Jun 30, 2024

@GamertechAU
Author

The original problem was fixed with Wine updates. Now it seems to be a conflict between kernel 6.9.x, SELinux and of course... Chromium...

Doesn't seem like anyone's sure on exactly where the issue(s) lies yet.

@Hasshu

Hasshu commented Jul 1, 2024

@Gamertech Wine on F40 got stuck at v9.5, so I can't comment on that.

@GamertechAU
Author

@Hasshu Don't need system Wine. Proton 9 has long since included the fix for the original issue.

The electron apps triggering the same SELinux error is due to the above conflict.

@Hasshu

Hasshu commented Jul 3, 2024

@Gamertech FWIW, Steam Play keeps causing sporadic SELinux alerts about wine-preloader on my machine. That's with Proton 9.0-2.

@GamertechAU
Author

@Hasshu Yes but not because of Wine itself, but because Steam is a budget electron web app.

For whatever reason, Chromium combined with kernel 6.9.x is attempting to write and execute to memory in the same way Wine 8 did (execheap) and SELinux is confuzzled.

@aarek-eng

Having the same issue when trying to run ProtonMail and Signal on Fedora 40. It seems a lot of apps rely on electron wine-preloader and execheap, not just Steam.

@GamertechAU
Author

This is now (actually) fixed in kernel 6.10.6 in Fedora. Other distros may or may not backport the fix; otherwise 6.11-rc4 will have it.

https://bodhi.fedoraproject.org/updates/FEDORA-2024-9d98836711

14 participants