Description of problem:
starting Mikrotik winebox.exe
SELinux is preventing /usr/bin/wine-preloader from 'mmap_zero' accesses on the memprotect .

***** Plugin mmap_zero (53.1 confidence) suggests *************************
If вы считаете, что /usr/bin/wine-preloader не должен выполнять mmap при недостатке памяти в ядре.
Then возможно, вы подверглись хакерской атаке. Это обращение представляет риск безопасности.
Do о проблеме сообщите администратору.

***** Plugin catchall_boolean (42.6 confidence) suggests ******************
If вы хотите выполнить следующее: allow mmap to low allowed
Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean. Дополнительная документация на 'None' ман странице.
Do setsebool -P mmap_low_allowed 1

***** Plugin catchall (5.76 confidence) suggests **************************
If вы считаете, что wine-preloader следует разрешить доступ mmap_zero к memprotect по умолчанию.
Then рекомендуется создать отчет об ошибке. Чтобы разрешить доступ, можно создать локальный модуль политики.
Do чтобы разрешить доступ, выполните:
# grep wine-preloader /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                [ memprotect ]
Source                        wine-preloader
Source Path                   /usr/bin/wine-preloader
Port                          <Неизвестно>
Host                          (removed)
Source RPM Packages           wine-core-1.7.2-1.fc20.i686
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-83.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.11.1-300.fc20.x86_64 #1 SMP Sat Sep 14 15:01:23 UTC 2013 x86_64 x86_64
Alert Count                   4
First Seen                    2013-09-30 11:09:58 MSK
Last Seen                     2013-09-30 11:10:12 MSK
Local ID                      9f7fab06-d4d9-4eeb-8961-e1eeb8b2b5d7

Raw Audit Messages
type=AVC msg=audit(1380525012.640:637): avc: denied { mmap_zero } for pid=2647 comm="wine-preloader" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect
type=SYSCALL msg=audit(1380525012.640:637): arch=i386 syscall=chmod success=no exit=EACCES a0=ffeee78c a1=10000 a2=ffeee78c a3=5a items=0 ppid=1 pid=2647 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=1 tty=(none) comm=wine-preloader exe=/usr/bin/wine-preloader subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Hash: wine-preloader,unconfined_t,unconfined_t,memprotect,mmap_zero

Additional info:
reporter:       libreport-2.1.7
hashmarkername: setroubleshoot
kernel:         3.11.1-300.fc20.x86_64
type:           libreport

Potential duplicate: bug 665665
Did you read the alert?

***** Plugin mmap_zero (53.1 confidence) suggests *************************
If вы считаете, что /usr/bin/wine-preloader не должен выполнять mmap при недостатке памяти в ядре.
Then возможно, вы подверглись хакерской атаке. Это обращение представляет риск безопасности.
Do о проблеме сообщите администратору.

***** Plugin catchall_boolean (42.6 confidence) suggests ******************
If вы хотите выполнить следующее: allow mmap to low allowed
Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean. Дополнительная документация на 'None' ман странице.
Do setsebool -P mmap_low_allowed 1

http://danwalsh.livejournal.com/66379.html
re-opening in accordance with the SELinux Alert Browser, wherein it states: If you believe that wine-preloader should be allowed mmap_zero access on the memprotect by default. You should report this as a bug. I have generated the local policy module for this error on every system I maintain, but it remains that it needs to be generated for anyone running wine-preloader. Bug is present in selinux-policy-3.12.1-106.fc20 and selinux-policy-3.13.1-10.fc21
BTW Did the application work properly even with this avc?
I forgot to note that part. As far as I can determine, the application does work properly even with the AVC denial. I see no other issues with the app after it is started and running, other than glitches that may just be bad code on the application's part - but nothing blocking basic usability.
Description of problem: nrg2iso freeware running on wine Additional info: reporter: libreport-2.1.10 hashmarkername: setroubleshoot kernel: 3.12.5-302.fc20.x86_64 type: libreport
Description of problem: Try to exec some autorun applications on wine. In this case, Dungeon Keeper 2 Additional info: reporter: libreport-2.1.10 hashmarkername: setroubleshoot kernel: 3.12.6-300.fc20.x86_64 type: libreport
Description of problem: on opening wine installer - message was generated Additional info: reporter: libreport-2.1.11 hashmarkername: setroubleshoot kernel: 3.12.6-300.fc20.x86_64 type: libreport
selinux-policy-3.12.1-116.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-116.fc20
Package selinux-policy-3.12.1-116.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-116.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-0806/selinux-policy-3.12.1-116.fc20
then log in and leave karma (feedback).
selinux-policy-3.12.1-116.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
Problem persists in selinux-policy-3.12.1-119.fc20 on Fedora x86_64. It happens whenever I try to launch a Windows app, no matter what app it is. I would gladly upload any info required.
The same problem on my system with selinux-policy-3.12.1-119.fc20.noarch. Any app I try to run through wine leads to the alert "SELinux is preventing /usr/bin/wine-preloader from mmap_zero access on the memprotect". Actually, apps work fine afterwards and the alert is an annoying warning.
This bug does NOT appear to be fixed and should be reopened. Using selinux-policy-3.12.1-122.fc20.
Also note that there is an SELinux boolean, wine_mmap_zero_ignore, that is supposed to shut up these warnings, but it does not appear to work in current versions.
Could you attach the current AVC you are seeing?
This is the complete alert + suggestion (selinux-policy-3.12.1-122.fc20):

SELinux is preventing /usr/bin/wine-preloader from mmap_zero access on the memprotect .

***** Plugin mmap_zero (53.1 confidence) suggests *************************
If no cree que /usr/bin/wine-preloader debería necesitar realizar un mmap sobre la baja memoria en el kernel.
Then podría estar siendo víctima de un ataque, este es un acceso muy peligroso.
Do póngase en contacto con su administrador de seguridad y reporte este problema.

***** Plugin catchall_boolean (42.6 confidence) suggests ******************
If desea allow mmap to low allowed
Then usted debe decir a SELinux sobre esto habilitando el booleano 'mmap_low_allowed'. Puede leer la página man de 'None' para más detalles.
Do setsebool -P mmap_low_allowed 1

***** Plugin catchall (5.76 confidence) suggests **************************
If cree que de manera predeterminada, wine-preloader debería permitir acceso mmap_zero sobre memprotect.
Then debería reportar esto como un error. Puede generar un módulo de política local para permitir este acceso.
Do permita el acceso momentáneamente executando:
# grep wine-preloader /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                [ memprotect ]
Source                        wine-preloader
Source Path                   /usr/bin/wine-preloader
Port                          <Unknown>
Host                          c700.personal
Source RPM Packages           wine-core-1.7.8-1.fc20.i686
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-122.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     c700.personal
Platform                      Linux c700.personal 3.12.10-300.fc20.x86_64 #1 SMP Thu Feb 6 22:11:48 UTC 2014 x86_64 x86_64
Alert Count                   108
First Seen                    2014-01-30 19:27:26 CST
Last Seen                     2014-02-14 13:46:41 CST
Local ID                      36ac8fa3-611c-4711-a112-3fb3dd0dc5cd

Raw Audit Messages
type=AVC msg=audit(1392407201.455:438): avc: denied { mmap_zero } for pid=16331 comm="wine-preloader" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect
type=SYSCALL msg=audit(1392407201.455:438): arch=i386 syscall=chmod success=no exit=EPERM a0=ffa5338c a1=10000 a2=ffa5338c a3=5a items=0 ppid=16311 pid=16331 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=1 tty=pts0 comm=wine-preloader exe=/usr/bin/wine-preloader subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Hash: wine-preloader,unconfined_t,unconfined_t,memprotect,mmap_zero
Well this is actually a kernel issue. The kernel should not be checking the mmap_zero check for SELinux at all, since it would be blocked by a DAC Check. Paul do you know the bugzilla for this?
(In reply to Daniel Walsh from comment #17)
> Well this is actually a kernel issue. The kernel should not be checking the
> mmap_zero check for SELinux at all, since it would be blocked by a DAC Check.
>
> Paul do you know the bugzilla for this?

BZ #1047417

I haven't had the chance to fix it yet, but it is on my todo list.
Why is this bug closed, shouldn't it be open? I got the problem today....
*** Bug 1047417 has been marked as a duplicate of this bug. ***
A bit of a recap from BZ #1047417 ... the suspected cause is that the SELinux/MAC check is happening before the normal DAC check, causing an unnecessary AVC denial. Dan and Eric believe the correct solution is to move the LSM hook below the DAC check, which is what I'm looking into now.
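An added example (not part of this bug thread or of any Fedora tool): it pairs each AVC record with its SYSCALL record by audit event ID and reports which errno the call finally returned, using records quoted in the reports above, abridged. Reading EACCES as the SELinux denial and EPERM as the DAC low-address check is this example's assumption, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Raw records quoted in the reports above, abridged to the fields used here.
# Event 637 came from an Enforcing host, event 438 from a Permissive one.
SAMPLE = """\
type=AVC msg=audit(1380525012.640:637): avc: denied { mmap_zero } for pid=2647 comm="wine-preloader" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect
type=SYSCALL msg=audit(1380525012.640:637): arch=i386 syscall=chmod success=no exit=EACCES pid=2647 uid=1000 comm=wine-preloader exe=/usr/bin/wine-preloader
type=AVC msg=audit(1392407201.455:438): avc: denied { mmap_zero } for pid=16331 comm="wine-preloader" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect
type=SYSCALL msg=audit(1392407201.455:438): arch=i386 syscall=chmod success=no exit=EPERM pid=16331 uid=1000 comm=wine-preloader exe=/usr/bin/wine-preloader
"""

RECORD_RE = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+:\d+)\):\s*(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"denied\s+\{([^}]*)\}")

# Assumption of this example: which check produced each errno.
LAYER_BY_ERRNO = {"EACCES": "selinux", "EPERM": "dac"}

def parse_events(text):
    """Group records by audit event ID so an AVC sits beside its SYSCALL."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # not an audit record
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        if rtype == "AVC":
            perms = PERMS_RE.search(body)
            fields["perms"] = perms.group(1).split() if perms else []
        events[event_id][rtype] = fields
    return events

def triage_mmap_zero(text):
    """Return one summary per mmap_zero denial, in log order."""
    results = []
    for event_id, recs in parse_events(text).items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if not avc or "mmap_zero" not in avc["perms"]:
            continue
        results.append({
            "event": event_id,
            "comm": avc.get("comm"),
            "domain": avc.get("scontext", "::").split(":")[2],
            "self_check": avc.get("scontext") == avc.get("tcontext"),
            "errno": sc.get("exit"),
            "layer": LAYER_BY_ERRNO.get(sc.get("exit"), "unknown"),
        })
    return results

if __name__ == "__main__":
    for row in triage_mmap_zero(SAMPLE):
        print(row)
```

On the Permissive host the call still fails, with EPERM rather than EACCES, which matches the point made in the thread that the access would be blocked by the DAC check anyway.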
Patch posted upstream: * http://marc.info/?l=selinux&m=139351174702148&w=2
Got it today:

"SELinux is preventing /usr/bin/wine-preloader from mmap_zero access on the memprotect .

***** Plugin mmap_zero (53.1 confidence) suggests *************************
If you do not think /usr/bin/wine-preloader should need to mmap low memory in the kernel.
Then you may be under attack by a hacker, this is a very dangerous access.
Do contact your security administrator and report this issue.

***** Plugin catchall_boolean (42.6 confidence) suggests ******************
If you want to allow mmap to low allowed
Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean. You can read 'None' man page for more details.
Do setsebool -P mmap_low_allowed 1

***** Plugin catchall (5.76 confidence) suggests **************************
If you believe that wine-preloader should be allowed mmap_zero access on the memprotect by default.
Then you should report this as a bug. You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep wine-preloader /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                [ memprotect ]
Source                        wine-preloader
Source Path                   /usr/bin/wine-preloader
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           wine-core-1.7.13-1.fc20.i686
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-122.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.13.5-200.fc20.x86_64 #1 SMP Mon Feb 24 16:51:35 UTC 2014 x86_64 x86_64
Alert Count                   9
First Seen                    2014-02-25 09:39:31 EST
Last Seen                     2014-03-01 18:29:01 EST
Local ID                      ae92c41c-4f55-42b3-b6eb-a3e2ba5c052f

Raw Audit Messages
type=AVC msg=audit(1393716541.378:400): avc: denied { mmap_zero } for pid=1891 comm="wine-preloader" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect
type=SYSCALL msg=audit(1393716541.378:400): arch=i386 syscall=chmod success=no exit=EACCES a0=fff287dc a1=10000 a2=fff287dc a3=5a items=0 ppid=1 pid=1891 auid=3000 uid=3000 gid=3000 euid=3000 suid=3000 fsuid=3000 egid=3000 sgid=3000 fsgid=3000 ses=1 tty=(none) comm=wine-preloader exe=/usr/bin/wine-preloader subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Hash: wine-preloader,unconfined_t,unconfined_t,memprotect,mmap_zero"
I didn't do anything with wine today.
Additional info: reporter: libreport-2.1.12 hashmarkername: setroubleshoot kernel: 3.13.4-200.fc20.i686 type: libreport
(In reply to Paul Moore from comment #22)
> Patch posted upstream:
>
> * http://marc.info/?l=selinux&m=139351174702148&w=2

Seems as if the patch went over well. I'll grab it for Fedora shortly.
Fixed in git.
(In reply to Josh Boyer from comment #27)
> Fixed in git.

Thanks.
Got it today trying to open http://kojipkgs.fedoraproject.org//work/tasks/2932/6602932/livecd.log in a new tab in midori-0.5.7 under kernel-3.13.5-202.fc20.x86_64 and libreport-2.1.12-3.fc20.x86_64. I'll be watching for a selinux update. The details from AVC are:

"SELinux is preventing /usr/bin/wine-preloader from mmap_zero access on the memprotect .

***** Plugin mmap_zero (53.1 confidence) suggests *************************
If you do not think /usr/bin/wine-preloader should need to mmap low memory in the kernel.
Then you may be under attack by a hacker, this is a very dangerous access.
Do contact your security administrator and report this issue.

***** Plugin catchall_boolean (42.6 confidence) suggests ******************
If you want to allow mmap to low allowed
Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean. You can read 'None' man page for more details.
Do setsebool -P mmap_low_allowed 1

***** Plugin catchall (5.76 confidence) suggests **************************
If you believe that wine-preloader should be allowed mmap_zero access on the memprotect by default.
Then you should report this as a bug. You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep wine-preloader /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                [ memprotect ]
Source                        wine-preloader
Source Path                   /usr/bin/wine-preloader
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           wine-core-1.7.13-1.fc20.i686
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-122.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.13.5-202.fc20.x86_64 #1 SMP Mon Mar 3 19:08:00 UTC 2014 x86_64 x86_64
Alert Count                   3
First Seen                    2014-03-06 11:43:38 EST
Last Seen                     2014-03-06 17:40:42 EST
Local ID                      1459a3ac-766f-4f4e-a301-f26aedc8b36a

Raw Audit Messages
type=AVC msg=audit(1394145642.984:393): avc: denied { mmap_zero } for pid=1661 comm="wine-preloader" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect
type=SYSCALL msg=audit(1394145642.984:393): arch=i386 syscall=chmod success=no exit=EACCES a0=ffafb66c a1=10000 a2=ffafb66c a3=5a items=0 ppid=1 pid=1661 auid=3000 uid=3000 gid=3000 euid=3000 suid=3000 fsuid=3000 egid=3000 sgid=3000 fsgid=3000 ses=1 tty=(none) comm=wine-preloader exe=/usr/bin/wine-preloader subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Hash: wine-preloader,unconfined_t,unconfined_t,memprotect,mmap_zero"
The tab I had tried to open was empty and would not refresh. I was able to go back to the http://koji.fedoraproject.org/koji/taskinfo?taskID=6602932 and open livecd.log as a new tab without incident.
When I checked the Help/About menu item in the log window that had opened in comment 30, I was surprised to find that the application that midori had opened was in fact Notepad under wine! That explains the references to wine in the details messages. I suppose it would be better if midori were to use a Linux binary display program to open .log (and presumably files with extensions unknown to midori). I'd like to nominate "vi -r" for that.
You should probably file a bug against midori if it's doing that. This bug is fixing the kernel issue.
kernel-3.13.6-100.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/kernel-3.13.6-100.fc19
kernel-3.13.6-200.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/kernel-3.13.6-200.fc20
Package kernel-3.13.6-100.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing kernel-3.13.6-100.fc19'
as soon as you are able to, then reboot.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-3651/kernel-3.13.6-100.fc19
then log in and leave karma (feedback).
kernel-3.13.6-200.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
kernel-3.13.6-100.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
This bug returned again with the 3.14.1-200 kernel.
Thanks. Inadvertently dropped the patch that fixed it with the 3.14 rebase. Paul, this might be worth sending for 3.14.y stable.
(In reply to Josh Boyer from comment #39)
> Thanks. Inadvertently dropped the patch that fixed it with the 3.14 rebase.
>
> Paul, this might be worth sending for 3.14.y stable.

Since this is more of an annoyance and not really a critical bug, I'm not comfortable sending this to the stable folks.
kernel-3.14.2-200.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/kernel-3.14.2-200.fc20
Package kernel-3.14.2-200.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing kernel-3.14.2-200.fc20'
as soon as you are able to, then reboot.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-5808/kernel-3.14.2-200.fc20
then log in and leave karma (feedback).
kernel-3.14.2-200.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
Had this bug today while using pipelight, a wine wrapper of the Windows Flash plugin for Firefox. I am on Fedora 20 with the latest updates.