Bug 543419
| Summary: | SELinux is preventing acroread (unconfined_execmem_t) "mmap_zero" to <Unknown> (unconfined_execmem_t). | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Iftikhar <rana.iftikhar.ahmad> |
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 12 | CC: | dwalsh, mgrepl, rana.iftikhar.ahmad |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:9454194257c71b5e4a798b7ee6fafa137b44be76070925dbcab4c4b0ab757c86 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2009-12-02 11:14:16 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
*** This bug has been marked as a duplicate of bug 538428 *** |
Summary: SELinux is preventing acroread (unconfined_execmem_t) "mmap_zero" to <Unknown> (unconfined_execmem_t). Detailed Description: SELinux denied access requested by acroread. The current boolean settings do not allow this access. If you have not setup acroread to require this access this may signal an intrusion attempt. If you do intend this access you need to change the booleans on this system to allow the access. Allowing Access: Confined processes can be configured to to run requiring different access, SELinux provides booleans to allow you to turn on/off access as needed. The boolean allow_unconfined_mmap_low is set incorrectly. Boolean Description: Allow unconfined domain to map low memory in the kernel Fix Command: # setsebool -P allow_unconfined_mmap_low 1 Additional Information: Source Context unconfined_u:unconfined_r:unconfined_execmem_t:s0 Target Context unconfined_u:unconfined_r:unconfined_execmem_t:s0 Target Objects None [ memprotect ] Source wine-preloader Source Path /usr/bin/wine-preloader Port <Unknown> Host (removed) Source RPM Packages AdobeReader_enu-8.1.3-1 Target RPM Packages Policy RPM selinux-policy-3.5.13-55.fc10 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name catchall_boolean Host Name (removed) Platform Linux (removed) 2.6.27.21-170.2.56.fc10.i686 #1 SMP Mon Mar 23 23:37:54 EDT 2009 i686 i686 Alert Count 578 First Seen Tue 13 Jan 2009 11:46:48 AM GMT Last Seen Wed 15 Apr 2009 12:39:08 PM BST Local ID 5eada6ed-5db1-40ef-8e58-03ece871b771 Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1239795548.221:7381): avc: denied { mmap_zero } for pid=3878 comm="acroread" scontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0 tclass=memprotect node=(removed) type=SYSCALL msg=audit(1239795548.221:7381): arch=40000003 syscall=192 per=400000 success=no exit=-13 a0=0 a1=100000 a2=0 a3=4022 items=0 ppid=1 pid=3878 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="acroread" exe="/opt/Adobe/Reader8/Reader/intellinux/bin/acroread" subj=unconfined_u:unconfined_r:unconfined_execmem_t:s0 key=(null) Hash String generated from selinux-policy-3.5.13-55.fc10,catchall_boolean,wine-preloader,unconfined_execmem_t,unconfined_execmem_t,memprotect,mmap_zero audit2allow suggests: #============= unconfined_execmem_t ============== allow unconfined_execmem_t self:memprotect mmap_zero;