Bug 522380
Summary: | setroubleshoot: SELinux is preventing vbetool "mmap_zero" access on <Unknown>. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Rodd Clarkson <rodd> |
Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | low | ||
Version: | rawhide | CC: | ajax, atodorov, dwalsh, eparis, mgrepl |
Target Milestone: | --- | Keywords: | Reopened |
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | setroubleshoot_trace_hash:2eaa3b6c17b0dec9dbea7a4862b004af2b34ba9fd312c1bea983aaac007b28b5 | ||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2009-10-20 21:34:07 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Rodd Clarkson
2009-09-10 09:08:32 UTC
Did you turn on the boolean? This is a configuration issue, turn the boolean on and vbetool will work for you. I see similar issue with default rawhide install: type=1400 audit(1253010534.078:7): avc: denied { mmap_zero } for pid=434 comm="vbetool" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=memprotect Shoudn't vbetool turn this boolean on by default ? Did you see any problem from not having the boolean turned on? Does your machine successfully Suspend/Resume? This was from automated test run. I have only shell access to this machine and I'm not sure if I can test suspend/resume via serial console. The problem here is the boolean is all on or all off. With the boolean turned off, we can prevent unconfined users/admin from accidentally executing mmap_zero applications, allowing them to take over the machine. I guess since the standard is now to require root access, I can turn the boolean on by default. The only other app besides vbetool that needs this access is wine. *** This bug has been marked as a duplicate of bug 528022 *** |