Bug 665665
| Summary: | SELinux is preventing /opt/teamviewer/teamviewer/6/wine/bin/wine-preloader from 'mmap_zero' accesses on the memprotect Unknown. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Heiko Adams <bugzilla> |
| Component: | wine | Assignee: | Andreas Bierfert <andreas.bierfert> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 19 | CC: | andreas.bierfert, chris.partezana, david-musil, dfmonaco, dwalsh, emanmc, eparis, gerfert, gregorymorelo, hilfans, i, kvolny, mgrepl, mike, ramayu_sr17, r.warren.06, sean, sricinu, ssiimmeeoonn, stefan, taslack, zozo_sarv2000 |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:7774f653e3da691a306c93c01e63776e9f463da61237237ad84821ef7dd40db8 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-06-07 15:09:55 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
If you want to run wine apps that need mmap_zero, you need to turn on the boolean As described in the alert. #setsebool -P mmap_low_allowed 1 *** Bug 878709 has been marked as a duplicate of this bug. *** *** Bug 952211 has been marked as a duplicate of this bug. *** (In reply to Daniel Walsh from comment #1) > If you want to run wine apps that need mmap_zero, you need to turn on the > boolean > As described in the alert. > > #setsebool -P mmap_low_allowed 1 sorry to bother your circles but I don't agree that apps in their default configuration can throw errors on users and you blame users for those errors if you believe wine should not be allowed to do this and refuse to change the default policy then wine has to be fixed not to try something nasty - probably it doesn't need it 'cause the application I've used (Finale Notepad) runs fine despite the denial but if you want to "increase" security by learning people to disable selinux altogether not to be bothered by bugs the devels refuse to deal with, you're on the best path to it ... SELinux is preventing /usr/bin/wine-preloader from mmap_zero access on the memprotect .
***** Plugin mmap_zero (53.1 confidence) suggests **************************
If you do not think /usr/bin/wine-preloader should need to mmap low memory in the kernel.
Then you may be under attack by a hacker, this is a very dangerous access.
Do
contact your security administrator and report this issue.
***** Plugin catchall_boolean (42.6 confidence) suggests *******************
If you want to control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr.
Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean.
You can read 'unconfined_selinux' man page for more details.
Do
setsebool -P mmap_low_allowed 1
***** Plugin catchall (5.76 confidence) suggests ***************************
If you believe that wine-preloader should be allowed mmap_zero access on the memprotect by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep wine-preloader /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
023
Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
023
Target Objects [ memprotect ]
Source wine-preloader
Source Path /usr/bin/wine-preloader
Port <Neznámé>
Host (removed)
Source RPM Packages wine-core-1.5.29-1.fc19.i686
Target RPM Packages
Policy RPM selinux-policy-3.12.1-47.fc19.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux kvolny.usersys.redhat.com
3.9.4-300.fc19.x86_64 #1 SMP Fri May 24 22:17:06
UTC 2013 x86_64 x86_64
Alert Count 4
First Seen 2013-06-05 14:10:46 CEST
Last Seen 2013-06-05 14:11:26 CEST
Local ID 188ae4c0-2a30-4c5e-8637-4a1fff3cc419
Raw Audit Messages
type=AVC msg=audit(1370434286.178:233): avc: denied { mmap_zero } for pid=4522 comm="wine-preloader" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect
type=SYSCALL msg=audit(1370434286.178:233): arch=i386 syscall=chmod success=no exit=EACCES a0=ffc8f350 a1=ffc8f350 a2=0 a3=ffc8f540 items=0 ppid=1 pid=4522 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=1 tty=(none) comm=wine-preloader exe=/usr/bin/wine-preloader subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
Hash: wine-preloader,unconfined_t,unconfined_t,memprotect,mmap_zero
application is the wine preloader *** This bug has been marked as a duplicate of bug 882623 *** *** Bug 1027510 has been marked as a duplicate of this bug. *** |
SELinux is preventing /opt/teamviewer/teamviewer/6/wine/bin/wine-preloader from 'mmap_zero' accesses on the memprotect Unknown. ***** Plugin mmap_zero (53.1 confidence) suggests ************************** If you do not think /opt/teamviewer/teamviewer/6/wine/bin/wine-preloader should need to mmap low memory in the kernel. Then you may be under attack by a hacker, this is a very dangerous access. Do contact your security administrator and report this issue. ***** Plugin catchall_boolean (42.6 confidence) suggests ******************* If you want to control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr. Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean. Do setsebool -P mmap_low_allowed 1 ***** Plugin catchall (5.76 confidence) suggests *************************** If you believe that wine-preloader should be allowed mmap_zero access on the Unknown memprotect by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep /opt/teamviewer/teamviewer/6/wine/bin/wine-preloader /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context unconfined_u:unconfined_r:unconfined_t:s0 Target Context unconfined_u:unconfined_r:unconfined_t:s0 Target Objects Unknown [ memprotect ] Source wine-preloader Source Path /opt/teamviewer/teamviewer/6/wine/bin/wine- preloader Port <Unbekannt> Host (removed) Source RPM Packages teamviewer6-6.0.9224-1 Target RPM Packages Policy RPM selinux-policy-3.9.7-18.fc14 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 2.6.35.10-72.fc14.i686 #1 SMP Mon Dec 20 22:05:49 UTC 2010 i686 i686 Alert Count 5 First Seen Sa 25 Dez 2010 20:39:15 CET Last Seen Sa 25 Dez 2010 20:39:15 CET Local ID c299c792-a72a-4b0b-9ef0-b76376ac2d42 Raw Audit Messages type=AVC msg=audit(1293305955.694:465): avc: denied { mmap_zero } for pid=11658 comm="wine-preloader" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=memprotect wine-preloader,unconfined_t,unconfined_t,memprotect,mmap_zero type=SYSCALL msg=audit(1293305955.694:465): arch=i386 syscall=mmap success=no exit=EACCES a0=bf862b80 a1=0 a2=bf862b80 a3=fffff000 items=0 ppid=11656 pid=11658 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=wine-preloader exe=/opt/teamviewer/teamviewer/6/wine/bin/wine-preloader subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null) wine-preloader,unconfined_t,unconfined_t,memprotect,mmap_zero #============= unconfined_t ============== #!!!! This avc can be allowed using the boolean 'mmap_low_allowed' allow unconfined_t self:memprotect mmap_zero;