Bug 712187

Summary: SELinux is preventing /home/logan/.cedega/.winex_ver/winex-2010121/winex/bin/wine-preloader from 'mmap_zero' accesses on the memprotect Unknown.
Product: [Fedora] Fedora Reporter: clarkjables
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: rawhideCC: dominick.grift, dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:60a6c1da34d97bd408af59fb3b86e8296a8dc8dc03b6c2bfb78f7865c875e3de
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-06-09 18:36:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description clarkjables 2011-06-09 18:15:12 UTC 
SELinux is preventing /home/logan/.cedega/.winex_ver/winex-2010121/winex/bin/wine-preloader from 'mmap_zero' accesses on the memprotect Unknown.

*****  Plugin mmap_zero (53.1 confidence) suggests  **************************

If you do not think /home/logan/.cedega/.winex_ver/winex-2010121/winex/bin/wine-preloader should need to mmap low memory in the kernel.
Then you may be under attack by a hacker, this is a very dangerous access.
Do
contact your security administrator and report this issue.

*****  Plugin catchall_boolean (42.6 confidence) suggests  *******************

If you want to control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr.
Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean.
Do
setsebool -P mmap_low_allowed 1

*****  Plugin catchall (5.76 confidence) suggests  ***************************

If you believe that wine-preloader should be allowed mmap_zero access on the Unknown memprotect by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep wine /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                Unknown [ memprotect ]
Source                        wine
Source Path                   /home/logan/.cedega/.winex_ver/winex-2010121/winex
                              /bin/wine-preloader
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-26.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux Logan5 2.6.38.7-30.fc15.x86_64 #1 SMP Fri
                              May 27 05:15:53 UTC 2011 x86_64 x86_64
Alert Count                   2
First Seen                    Thu 09 Jun 2011 12:34:03 PM CDT
Last Seen                     Thu 09 Jun 2011 12:40:49 PM CDT
Local ID                      a0289ee9-8837-4cc0-856d-6b013b80ae30

Raw Audit Messages
type=AVC msg=audit(1307641249.399:92): avc:  denied  { mmap_zero } for  pid=9983 comm="wine" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect


type=SYSCALL msg=audit(1307641249.399:92): arch=i386 syscall=chmod per=600000 success=no exit=EACCES a0=ffde0528 a1=ffde0528 a2=5a a3=0 items=0 ppid=5464 pid=9983 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=wine exe=/home/logan/.cedega/.winex_ver/winex-2010121/winex/bin/wine-preloader subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Hash: wine,unconfined_t,unconfined_t,memprotect,mmap_zero

audit2allow

#============= unconfined_t ==============
#!!!! This avc is allowed in the current policy

allow unconfined_t self:memprotect mmap_zero;

audit2allow -R

#============= unconfined_t ==============
#!!!! This avc is allowed in the current policy

allow unconfined_t self:memprotect mmap_zero;
Comment 1 Daniel Walsh 2011-06-09 18:36:45 UTC 
The alert told you everything you need to know.  If you want to use wine, and SELinux is breaking the app, you need to turn the boolean on.
Comment 2 clarkjables 2011-06-10 02:34:25 UTC 
(In reply to comment #1)
> The alert told you everything you need to know.  If you want to use wine, and
> SELinux is breaking the app, you need to turn the boolean on.

I am brand new to linux man, do i enter the two lines in the terminal with the "X" command? also, what is a boolean?
Comment 3 Daniel Walsh 2011-06-10 15:22:02 UTC 
A boolean is a flag that you can set within SELinux to turn on or off policy.

If you need to run this wine app on your linux box, and it will not work properly you can get a root shell and execute 

# setsebool -P mmap_low_allowed 1

And SELinux will then allow the access.

What application do you want to run within wine?