Bug 665145
| Summary: | SELinux is preventing /usr/bin/wine-preloader from 'mmap_zero' accesses on the memprotect Unknown. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | johnvanrooy |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 19 | CC: | amreg.redhat, antonio.montagnani, archawka, awilliam, batskate, belegdol, bengt, bethebeast, bogatyr, brainkaraoke, bugzilla, ca42005, ccinthewoods, chris.marshall.two, cypernisse, danielallencomputers, davematel, david-musil, david.richard.jeffery, denpanagioto, denvorhu, dev, dfillion, djidanetribal62, doctore, donkishoot, drindt, dwalsh, dylantherrienhollingsworth, e.bshareh, el_gallo_azul, elliot_lam, emanmc, evfirerob, flama.es, fsantini, geminidesember, guillaume.marmin, hhlouzao, hilfans, hitech46, hx, ibm58, jamundso, jaysonsantos2003, j.daniel.davis, jimteakles, jmda91, joaoluissr, johnvanrooy, joost.ringoot, kevin, kjiec4, klaybourn, kryukov, long, luya, maithanhan, marmalodak, matthias.guentert, mgrepl, michael.finn.jorgensen, mikhail.v.gavrilov, nicolas.gif, old.uncle.z, papajohnb89, rafiii48, ramayu_sr17, redcode.sys, reis.lucia, rexlightning, rob.d.wills, robertop, rodriguez.rodriguez.manolo, rom1dep, ronzhin98, rsk02, rtmetz92, sanjay.ankur, santiagobear, santiago.lunar.m, slivkam, stedchris, stressfreechozeme, The.Almsit, tsudakazuki, veedgo, viabsb, w7eet, wiglesias, willkyc, xanexp, yehielb, yerazunis, younissf, zywiciel.o |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:48a71271bd5f001944198d98238be427b6a19125d7646e37af49812a0c781cba | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2010-12-22 21:05:54 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Why do you think this is a bug? Didn't the alert explain this? Why isn't it a bug ? If AVC raise a warning, that's because something is not right, that should not happen don't you think ? The SElinux policy or wine-preloader doesn't do its job well. No and AVC can also report that you do not have the system configured correctly, in this case if you are going to run wine applications that require a very dangerous access, you will need to change the SELinux configuration. Even the applications shipped with wine (notepad, winefile, ...) make AVC to complain. I did not changed the SElinux configuration. If that's because wine require dangerous access, maybe wine should be fixed ? If only it was that easy. I believe the problems are with old applications that need DOS capabilities. http://eparis.livejournal.com/ This blog discusses the problems. I have no idea what happened. I had just booted up when I received the warning. Perhaps it's because of my SE Linux configuration, as per the above. I'll have a look. Greg if you are running wine apps and you want them to run, you need to set this boolean. I saw that the boolean should be set to zero in http://eparis.livejournal.com/ but I'm afraid I can't work out how from that. Right he is saying you are taking a risk by turning the boolean on. but if you have to run windows apps on a linux box, you either turn the boolean on and use wine, or you run a virtual machine with windows. There seem to be several options in the first comment above, and I don't know enough to know which (if any of them) would be helpful. I have done the following when I first got the alert: # grep /usr/bin/wine-preloader /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp I'm inclined to leave it like that and wait and see if I receive any more alerts. Thanks for your input. That is fine. OK, but just a question : if I understood well, SELinux claims that Wine is poorly programmed, and your position is that it's a Wine issue. Yet as far as I know, both SELinux and Wine are standard Fedora packages (I mean, packages included in the distro - at least for FC14 -, and not "exotic" tarball packages added by the user). So one can expect that when building the distro the Fedora package maintainers have set both of them up to run on Fedora, and as SELinux is enabled and enforcing by default, such an incompatibility should have showed up long ago. As almost any application launched under Wine triggers that AVC in SELinux, does it still make sense to provide a Wine package in any Linux distro promoting SELinux (this does not seem consistent to me, sorry) ? Thanks for an explanation. It is not my job to stop the shipping of other packages. The SELinux team goal is to run the machine in a tight a security mode as possible, without making the machine unusable. wine happens to require an access that has proven to be very dangerous, so we turn the access off by default. We also confine other apps and provide booleans for users to modify their running. Still occurs every time when I start SQLyog in Wine http://www.webyog.com/en/downloads.php Mikhail if it works fine then you can add a dontaudit for the message. halp! I think your problem is here: https://bugzilla.redhat.com/show_bug.cgi?id=665145 I think your problem is here: https://bugzilla.redhat.com/show_bug.cgi?id=746171 It's not the same issue. KDevelop should NOT need mmap_zero, there is or was a kernel bug triggering it. WINE, on the other hand, IS expected to use mmap_zero, for DOS/Win16 compatibility. thanks but "grep /usr/bin/wine-preloader /var/log/audit/audit.log" gives no output Can't create a policy file with that. try instead # grep wine-preloader /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Then the selinux warning does not appear, because wine has now access to the low memory. I hope this helps someone. It made me go a bit further, but like mostly, running windows applications on Linux is cumbersome, I bumped into another issue: the program needs a more recent version of internet explorer and flash... The virtual machine running windows may be an easier way. Yes wine is past its prime. VMS are the way to go. What does VMS mean? It it VMs (Virtual Machines)? I was using one for a while but got rid of it. I would prefer not to use wine either, but the need still comes up because most people use the Microsoft virus, and therefore it still has critical mass for app development. In that case you have to turn off the mmap_zero protection. I meant virtual machines. The problem with running Windows apps on a Linux OS, in this case is it forces you to turn off one of you security protections. *** Bug 1000677 has been marked as a duplicate of this bug. *** |
SELinux is preventing /usr/bin/wine-preloader from 'mmap_zero' accesses on the memprotect Unknown. ***** Plugin mmap_zero (34.9 confidence) suggests ************************** If you do not think /usr/bin/wine-preloader should need to mmap low memory in the kernel. Then you may be under attack by a hacker, this is a very dangerous access. Do contact your security administrator and report this issue. ***** Plugin wine (34.9 confidence) suggests ******************************* If you want to ignore this AVC because it is dangerous and your wine applications are working correctly. Then you must tell SELinux about this by enabling the wine_mmap_zero_ignore boolean. Do # setsebool -P wine_mmap_zero_ignore 1 ***** Plugin catchall_boolean (28.0 confidence) suggests ******************* If you want to control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr. Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean. Do setsebool -P mmap_low_allowed 1 ***** Plugin catchall (3.94 confidence) suggests *************************** If you believe that wine-preloader should be allowed mmap_zero access on the Unknown memprotect by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep /usr/bin/wine-preloader /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 Target Context unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 Target Objects Unknown [ memprotect ] Source wine-preloader Source Path /usr/bin/wine-preloader Port <Unknown> Host (removed) Source RPM Packages wine-core-1.3.9-1.fc14 Target RPM Packages Policy RPM selinux-policy-3.9.7-18.fc14 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 2.6.35.9-64.fc14.i686.PAE #1 SMP Fri Dec 3 12:28:00 UTC 2010 i686 i686 Alert Count 26 First Seen Wed 22 Dec 2010 20:35:38 NZDT Last Seen Wed 22 Dec 2010 20:44:36 NZDT Local ID 4412bd3d-be20-4da4-a51a-1f4984be167d Raw Audit Messages type=AVC msg=audit(1293003876.331:48): avc: denied { mmap_zero } for pid=2965 comm="wine-preloader" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect wine-preloader,wine_t,wine_t,memprotect,mmap_zero type=SYSCALL msg=audit(1293003876.331:48): arch=i386 syscall=mmap success=no exit=EACCES a0=bfe8bfc0 a1=0 a2=bfe8bfc0 a3=0 items=0 ppid=2926 pid=2965 auid=502 uid=502 gid=502 euid=502 suid=502 fsuid=502 egid=502 sgid=502 fsgid=502 tty=(none) ses=1 comm=wine-preloader exe=/usr/bin/wine-preloader subj=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 key=(null) wine-preloader,wine_t,wine_t,memprotect,mmap_zero #============= wine_t ============== #!!!! This avc can be allowed using the boolean 'mmap_low_allowed' allow wine_t self:memprotect mmap_zero;