I've created a custom SELinux policy that allows a special dosbox_exec_t context with execheap permission to allow the dynamic cpu core to run without having to enter permissive mode or allow heap execution across all processes.

This has stopped the crashing I've been experiencing, as well as reports to the audit log.

It should "just work" by installing the RPM. It's built for Fedora 30 but is noarch and is a basic SELinux policy so it will probably work on others.

There are some included scripts build_rpm, add_policy, and remove_policy. You don't have to run these unless you want to experiment with the policy. Simply install the RPM with your package manager as described below.

This will allow you to install the policy through the package manager (recommended):

1# dnf install dosbox_selinux*noarch.rpm

Alternatively, you can add the policy manually:

1# semodule -i dosbox.pp
2# restorecon -F -R -v /usr/bin/dosbox

This RPM has been build for Fedora. Your mileage may vary depending on your distribution. If you want to try it elsewhere then use the provided add_policy script instead.

If you experience any problems then you can remove the package with:

1# dnf remove dosbox_selinux

Disable the module:

1# semodule -d dosbox
2# restorecon /usr/bin/dosbox

Or remove the policy explicitly:

1# semodule -X 400 -r dosbox
2# restorecon /usr/bin/dosbox