Bug 870652
| Summary: | SELinux is preventing wine-preloader from 'mmap_zero' accesses on the memprotect . | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Mikhail <mikhail.v.gavrilov> | ||||||
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> | ||||||
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||
| Severity: | unspecified | Docs Contact: | |||||||
| Priority: | unspecified | ||||||||
| Version: | 18 | CC: | dominick.grift, dwalsh, jjardon, mgrepl, midefran, mstuff, mustafa1024m | ||||||
| Target Milestone: | --- | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | i686 | ||||||||
| OS: | Unspecified | ||||||||
| Whiteboard: | abrt_hash:48a71271bd5f001944198d98238be427b6a19125d7646e37af49812a0c781cba | ||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2012-10-29 19:27:45 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Attachments: |
|
||||||||
Created attachment 634277 [details]
File: type
Created attachment 634278 [details]
File: hashmarkername
If it works you can ignore it. If not you will need to turn on 'mmap_low_allowed' boolean. Why can't alter Wine for not to use low memory? You can open a bugzilla with them. What is the problem in using low memory? I think wine NEEDS low memory for some apps: http://www.winehq.org/docs/winedev-guide/x2800 Read http://eparis.livejournal.com/ You can turn on the boolean if you want to run these apps, but you will be eliminating the protection. (In reply to comment #8) > Read > > http://eparis.livejournal.com/ > > You can turn on the boolean if you want to run these apps, but you will be > eliminating the protection. Thank you, but I think there should be more obvious option, maybe ask the user if he wants to disable the protection because wine needs it disabled, I will ask wine devs for this. Regards (In reply to comment #3) > If it works you can ignore it. If not you will need to turn on > 'mmap_low_allowed' boolean. Hi Miroslav, Whats the point of having the alert if the solution is to ignore it? I mean, Id like to know if this a bug in selinux or wine, and fix it in the apropiate component Regards Well it is not always something we want to ignore. We know about wines problem with it, so it is expected. Other apps that trigger this need to be fixed. Wine should be fixed but certain ancient DOS Emultation apps need this access, or they will not run. Is there anyway to set trouble shoot to ignore for wine only? Isn't there a button in sealert browser that tells it to ignore this AVC. |
Additional info: libreport version: 2.0.17 kernel: 3.6.3-3.fc18.i686.PAE description: :SELinux is preventing wine-preloader from 'mmap_zero' accesses on the memprotect . : :***** Plugin mmap_zero (53.1 confidence) suggests ************************** : :If you do not think wine-preloader should need to mmap low memory in the kernel. :Then you may be under attack by a hacker, this is a very dangerous access. :Do :contact your security administrator and report this issue. : :***** Plugin catchall_boolean (42.6 confidence) suggests ******************* : :If you want to mmap_low_allowed :Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean.You can read 'wine_selinux' man page for more details. :Do :setsebool -P mmap_low_allowed 1 : :***** Plugin catchall (5.76 confidence) suggests *************************** : :If you believe that wine-preloader should be allowed mmap_zero access on the memprotect by default. :Then you should report this as a bug. :You can generate a local policy module to allow this access. :Do :allow this access for now by executing: :# grep wine-preloader /var/log/audit/audit.log | audit2allow -M mypol :# semodule -i mypol.pp : :Additional Information: :Source Context unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 :Target Context unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 :Target Objects [ memprotect ] :Source wine-preloader :Source Path wine-preloader :Port <Unknown> :Host (removed) :Source RPM Packages :Target RPM Packages :Policy RPM selinux-policy-3.11.1-43.fc18.noarch :Selinux Enabled True :Policy Type targeted :Enforcing Mode Enforcing :Host Name (removed) :Platform Linux (removed) 3.6.3-3.fc18.i686.PAE #1 SMP Tue : Oct 23 15:03:41 UTC 2012 i686 i686 :Alert Count 31 :First Seen 2012-10-24 09:24:05 YEKT :Last Seen 2012-10-25 18:48:52 YEKT :Local ID 35d54838-a13e-4a30-8f38-dc4272f0797c : :Raw Audit Messages :type=AVC msg=audit(1351169332.49:360): avc: denied { mmap_zero } for pid=5068 comm="wine-preloader" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect : : :Hash: wine-preloader,wine_t,wine_t,memprotect,mmap_zero : :audit2allow : :#============= wine_t ============== :#!!!! This avc can be allowed using the boolean 'mmap_low_allowed' : :allow wine_t self:memprotect mmap_zero; : :audit2allow -R : :#============= wine_t ============== :#!!!! This avc can be allowed using the boolean 'mmap_low_allowed' : :allow wine_t self:memprotect mmap_zero; :