Bug 1010511

Summary: monitor-get-edid is blocked from mmap of /dev/mem
Product: [Fedora] Fedora Reporter: Phil <phil.ingram>
Component: selinux-policy-targetedAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG QA Contact: Ben Levenson <benl>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 20CC: dwalsh
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-09-23 19:39:15 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Phil 2013-09-21 01:22:56 UTC 
Description of problem:
To help debug another bug I am trying to get EDID information.  I yum installed monitor-edid and its dependancy then ran:

[root@x64 ~]# monitor-get-edid
mmap /dev/mem: Permission denied

setenforce 0 allowed this to work.

Version-Release number of selected component (if applicable):
F20

How reproducible:
Every time

Steps to Reproduce:
1. yum -y install monitor-edid
2. monitor-get-edid


Actual results:
There is an AVC denial

Expected results:
The program get EDID information.
Comment 1 Phil 2013-09-21 01:24:42 UTC 
Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                 [ memprotect ]
Source                        monitor-get-edi
Source Path                   /usr/sbin/monitor-get-edid-using-vbe
Port                          <Unknown>
Host                          **redacted**
Source RPM Packages           monitor-edid-3.0-8.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-75.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     **redacted**
Platform                      Linux **redacted** 3.11.1-300.fc20.x86_64 #1 SMP
                              Sat Sep 14 15:01:23 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-09-21 10:47:40 CST
Last Seen                     2013-09-21 10:47:40 CST
Local ID                      844b933e-d1f6-4a13-a760-441e7438824f

Raw Audit Messages
type=AVC msg=audit(1379726260.415:88): avc:  denied  { mmap_zero } for  pid=2214 comm="monitor-get-edi" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect


type=SYSCALL msg=audit(1379726260.415:88): arch=x86_64 syscall=mmap success=no exit=EACCES a0=f000 a1=502 a2=7 a3=11 items=0 ppid=2213 pid=2214 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts0 comm=monitor-get-edi exe=/usr/sbin/monitor-get-edid-using-vbe subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Hash: monitor-get-edi,unconfined_t,unconfined_t,memprotect,mmap_zero
Comment 2 Daniel Walsh 2013-09-23 19:39:15 UTC 
mmap_zero is a dangerous access. I would guess that monitor-get-edid-using-vbe is badly written.  If you trust it turn on the boolean mmap_low_allowed


setsebool mmap_low_allowed 1

When you are done testing turn it off again for better security.

setsebool mmap_low_allowed 0