Bug 1010511 - monitor-get-edid is blocked from mmap of /dev/mem
Summary: monitor-get-edid is blocked from mmap of /dev/mem
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 20
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2013-09-21 01:22 UTC by Phil
Modified: 2013-09-23 19:39 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-09-23 19:39:15 UTC
Type: Bug



Description Phil 2013-09-21 01:22:56 UTC
Description of problem:
To help debug another bug I am trying to get EDID information.  I yum installed monitor-edid and its dependency, then ran:

[root@x64 ~]# monitor-get-edid
mmap /dev/mem: Permission denied

setenforce 0 allowed this to work.

Version-Release number of selected component (if applicable):
F20

How reproducible:
Every time

Steps to Reproduce:
1. yum -y install monitor-edid
2. monitor-get-edid


Actual results:
There is an AVC denial

Expected results:
The program gets EDID information.

Comment 1 Phil 2013-09-21 01:24:42 UTC
Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                 [ memprotect ]
Source                        monitor-get-edi
Source Path                   /usr/sbin/monitor-get-edid-using-vbe
Port                          <Unknown>
Host                          **redacted**
Source RPM Packages           monitor-edid-3.0-8.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-75.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     **redacted**
Platform                      Linux **redacted** 3.11.1-300.fc20.x86_64 #1 SMP
                              Sat Sep 14 15:01:23 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-09-21 10:47:40 CST
Last Seen                     2013-09-21 10:47:40 CST
Local ID                      844b933e-d1f6-4a13-a760-441e7438824f

Raw Audit Messages
type=AVC msg=audit(1379726260.415:88): avc:  denied  { mmap_zero } for  pid=2214 comm="monitor-get-edi" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect


type=SYSCALL msg=audit(1379726260.415:88): arch=x86_64 syscall=mmap success=no exit=EACCES a0=f000 a1=502 a2=7 a3=11 items=0 ppid=2213 pid=2214 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts0 comm=monitor-get-edi exe=/usr/sbin/monitor-get-edid-using-vbe subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Hash: monitor-get-edi,unconfined_t,unconfined_t,memprotect,mmap_zero
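
The two raw audit records above contain everything needed to see why this is a memprotect denial rather than a /dev/mem file-permission problem. The following is an added example for this bug report, not code from monitor-edid or from the selinux-policy package: it pairs the AVC record with its SYSCALL record by event serial and decodes the mmap() arguments (a0=addr, a1=length, a2=prot, a3=flags on x86_64). The 0x10000 low-address limit is an assumption (the usual CONFIG_LSM_MMAP_MIN_ADDR / vm.mmap_min_addr default on Fedora x86_64); mmap_zero is consulted when a mapping would land below that limit.

```python
"""Decode an SELinux memprotect mmap_zero denial from raw audit records.

Added example for this bug report; not part of monitor-edid or of
selinux-policy. The two audit lines are copied from Comment 1. The 0x10000
low-address limit is an assumption (typical CONFIG_LSM_MMAP_MIN_ADDR /
vm.mmap_min_addr on Fedora x86_64); mmap_zero is checked when a mapping
would land below it.
"""
import re

# mmap(2) argument encodings on x86_64: a0=addr a1=length a2=prot a3=flags
PROT_BITS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP_BITS = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE",
            0x10: "MAP_FIXED", 0x20: "MAP_ANONYMOUS"}

LSM_MMAP_MIN_ADDR = 0x10000  # assumption, see module docstring

# Constructed input: the AVC and SYSCALL records quoted in Comment 1.
AUDIT_LINES = """\
type=AVC msg=audit(1379726260.415:88): avc:  denied  { mmap_zero } for  pid=2214 comm="monitor-get-edi" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect
type=SYSCALL msg=audit(1379726260.415:88): arch=x86_64 syscall=mmap success=no exit=EACCES a0=f000 a1=502 a2=7 a3=11 items=0 ppid=2213 pid=2214 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts0 comm=monitor-get-edi exe=/usr/sbin/monitor-get-edid-using-vbe subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
"""


def parse_record(line):
    """Split one audit record into its key=value fields.

    Also keeps the event serial (the :88 in msg=audit(...:88)) so the AVC
    and SYSCALL records of one denial can be matched, and the permission
    list inside '{ ... }' for AVC records."""
    rec = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    m = re.search(r'msg=audit\((\d+\.\d+):(\d+)\)', line)
    rec["_serial"] = m.group(2) if m else None
    perms = re.search(r'\{ ([^}]*) \}', line)
    rec["_perms"] = perms.group(1).split() if perms else []
    return rec


def decode_bits(value, table):
    """Render a prot/flags word as ORed symbolic names, keeping unknown bits."""
    names = [name for bit, name in table.items() if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append(hex(unknown))
    return "|".join(names) if names else "0"


def explain_mmap_zero(audit_text, mmap_min_addr=LSM_MMAP_MIN_ADDR):
    """Pair each mmap_zero AVC with its SYSCALL record and decode the mmap().

    Returns one dict per denial with the requested address, length,
    protection and flags, plus whether the address lies below
    mmap_min_addr, which is why memprotect:mmap_zero was consulted at all.
    """
    by_serial = {}
    for line in audit_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            by_serial.setdefault(rec["_serial"], {})[rec["type"]] = rec

    findings = []
    for serial, recs in by_serial.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if not (avc and sc) or avc.get("tclass") != "memprotect":
            continue
        if "mmap_zero" not in avc["_perms"] or sc.get("syscall") != "mmap":
            continue
        addr, length = int(sc["a0"], 16), int(sc["a1"], 16)
        prot, flags = int(sc["a2"], 16), int(sc["a3"], 16)
        findings.append({
            "serial": serial,
            "exe": sc["exe"],
            "domain": avc["scontext"].split(":")[2],
            "addr": addr,
            "length": length,
            "prot": decode_bits(prot, PROT_BITS),
            "flags": decode_bits(flags, MAP_BITS),
            "map_fixed": bool(flags & 0x10),
            "below_mmap_min_addr": addr < mmap_min_addr,
        })
    return findings


if __name__ == "__main__":
    for f in explain_mmap_zero(AUDIT_LINES):
        print("{exe} ({domain}) asked for mmap(addr={addr:#x}, len={length:#x}, "
              "{prot}, {flags}); below mmap_min_addr: {below_mmap_min_addr}"
              .format(**f))
```

Run against the records above, this reports a MAP_SHARED|MAP_FIXED, read/write/execute mapping at 0xf000 (the real-mode BIOS area), which is below the low-address limit. That is the condition under which SELinux consults memprotect:mmap_zero, and the EACCES it returns is what the program prints as "mmap /dev/mem: Permission denied" even though it runs as uid 0. The same decoder applies to any mmap_zero denial, not just this one.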

Comment 2 Daniel Walsh 2013-09-23 19:39:15 UTC
mmap_zero is a dangerous access. I would guess that monitor-get-edid-using-vbe is badly written.  If you trust it, turn on the boolean mmap_low_allowed:


setsebool mmap_low_allowed 1

When you are done testing, turn it off again for better security:

setsebool mmap_low_allowed 0

