Bug 615698

Summary:	SELinux helper fails to turn off memory protection for wine-preloader
Product:	[Fedora] Fedora	Reporter:	Richard Shaw <hobbes1069>
Component:	setroubleshoot	Assignee:	Daniel Walsh <dwalsh>
Status:	CLOSED ERRATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	medium	Docs Contact:
Priority:	low
Version:	13	CC:	dwalsh, mgrepl
Target Milestone:	---	Keywords:	Reopened
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:	setroubleshoot-3.0.24-1.fc13	Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2011-02-02 19:33:14 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Richard Shaw 2010-07-18 03:57:15 UTC

Description of problem:
Attempting to run google picasa generates an selinux alert.

Version-Release number of selected component (if applicable):


How reproducible:
Every time

Steps to Reproduce:
1. Install google picasa from google repo
2. Attempt to run picasa
3.
  
Actual results:
Selinux alert generated, can not turn off memory protection to allow it to run.

Expected results:
Memory protection is turned off as requested.

Additional info:

The "Fix command" appears to work from a root console but it does not work from the selinux security helper. This has happened on two separate F13 x86_64 installs.

Selinux alert info:

Summary:

SELinux has prevented wine from performing an unsafe memory operation.

Detailed Description:

SELinux denied an operation requested by wine-preloader, a program used to run
Windows applications under Linux. This program is known to use an unsafe
operation on system memory but so are a number of malware/exploit programs which
masquerade as wine. If you were attempting to run a Windows program your only
choices are to allow this operation and reduce your system security against such
malware or to refrain from running Windows applications under Linux. If you were
not attempting to run a Windows application this indicates you are likely being
attacked by some for of malware or program trying to exploit your system for
nefarious purposes. Please refer to
http://wiki.winehq.org/PreloaderPageZeroProblem Which outlines the other
problems wine encounters due to its unsafe use of memory and solutions to those
problems.

Allowing Access:

If you decide to continue to run the program in question you will need to allow
this operation. This can be done on the command line by executing: # setsebool
-P mmap_low_allowed 1

Fix Command:

/usr/sbin/setsebool -P mmap_low_allowed 1

Additional Information:

Source Context                unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023
Target Objects                None [ memprotect ]
Source                        wine-preloader
Source Path                   /opt/picasa/wine/bin/wine-preloader
Port                          <Unknown>
Host                          hobbes.localdomain
Source RPM Packages           picasa-2.7.3736-15
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-33.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   wine
Host Name                     hobbes.localdomain
Platform                      Linux hobbes.localdomain 2.6.33.5-124.fc13.x86_64
                              #1 SMP Fri Jun 11 09:38:12 UTC 2010 x86_64 x86_64
Alert Count                   9
First Seen                    Sat 17 Jul 2010 10:44:59 PM CDT
Last Seen                     Sat 17 Jul 2010 10:45:40 PM CDT
Local ID                      4651da9a-ee54-4672-bff3-26d875cf0736
Line Numbers                  

Raw Audit Messages            

node=hobbes.localdomain type=AVC msg=audit(1279424740.659:46692): avc:  denied  { mmap_zero } for  pid=14361 comm="wine-preloader" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect

node=hobbes.localdomain type=SYSCALL msg=audit(1279424740.659:46692): arch=40000003 syscall=90 success=no exit=-13 a0=ffbd38e0 a1=ffbd38e0 a2=5a a3=7c002780 items=0 ppid=14132 pid=14361 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="wine-preloader" exe="/opt/picasa/wine/bin/wine-preloader" subj=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 key=(null)

Comment 1 Daniel Walsh 2010-07-19 15:13:31 UTC

The alert tells you what to do.

/usr/sbin/setsebool -P mmap_low_allowed 1

Comment 2 Richard Shaw 2010-07-19 15:59:38 UTC

Yes, I know, I mentioned it worked in my bug report, but shouldn't the button still work? Is it not a bug that it provides a method to do that graphically but fails to work and gives an error message? Something to the effect of, "Unable to complete.", or something like that.

Comment 3 Daniel Walsh 2010-07-19 16:11:51 UTC

Ok I missed that line.

Comment 4 Daniel Walsh 2011-01-25 14:55:51 UTC

Upgrading to the F14/F15 version of setroubleshoot.

Fixed in setroubleshoot-3.0.24-1.fc13

Comment 5 Fedora Update System 2011-01-25 15:25:46 UTC

setroubleshoot-3.0.24-1.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/setroubleshoot-3.0.24-1.fc13

Comment 6 Fedora Update System 2011-01-25 20:59:06 UTC

setroubleshoot-3.0.24-1.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update setroubleshoot'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/setroubleshoot-3.0.24-1.fc13

Comment 7 Fedora Update System 2011-02-02 19:31:46 UTC

setroubleshoot-3.0.24-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.