Description of problem:
SELinux is preventing /usr/sbin/monitor-get-edid-using-vbe from mmap_zero access on the memprotect Unknown.

Version-Release number of selected component (if applicable):

How reproducible:
monitor-edid

Steps to Reproduce:
1. Install RHEL7
2. Install or configure EPEL repo
3. Install ocsinventory-agent, it will install monitor-edid as a dependency
4. Install and configure setroubleshoot so that you receive emails for SELinux avcs
5. Wait

Actual results:
A setroubleshoot email is received, related to an avc caused by monitor-get-edi

Expected results:
Nothing

Additional info:
Body of email:
---
SELinux is preventing /usr/sbin/monitor-get-edid-using-vbe from mmap_zero access on the memprotect Unknown.

***** Plugin mmap_zero (53.1 confidence) suggests *************************

If you do not think /usr/sbin/monitor-get-edid-using-vbe should need to mmap low memory in the kernel.
Then you may be under attack by a hacker, this is a very dangerous access.
Do contact your security administrator and report this issue.

***** Plugin catchall_boolean (42.6 confidence) suggests ******************

If you want to allow mmap to low allowed
Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean.
You can read 'None' man page for more details.
Do
setsebool -P mmap_low_allowed 1

***** Plugin catchall (5.76 confidence) suggests **************************

If you believe that monitor-get-edid-using-vbe should be allowed mmap_zero access on the Unknown memprotect by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep monitor-get-edi /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:system_cronjob_t:s0-s0:c0.c1023
Target Context                system_u:system_r:system_cronjob_t:s0-s0:c0.c1023
Target Objects                Unknown [ memprotect ]
Source                        monitor-get-edi
Source Path                   /usr/sbin/monitor-get-edid-using-vbe
Port                          <Unknown>
Host                          hostname.xxx
Source RPM Packages           monitor-edid-3.0-6.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-60.el7_2.3.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     hostname.xxxxx
Platform                      Linux hostname.xxxxx 3.10.0-327.4.4.el7.x86_64 #1 SMP Thu Dec 17 15:51:24 EST 2015 x86_64 x86_64
Alert Count                   841
First Seen                    2016-03-23 11:02:08 EDT
Last Seen                     2016-04-13 06:01:11 EDT
Local ID                      aa044bfc-fdbb-4e64-a697-bff56c686a46

Raw Audit Messages
type=AVC msg=audit(1460541671.405:515684): avc: denied { mmap_zero } for pid=11104 comm="monitor-get-edi" scontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tclass=memprotect

type=SYSCALL msg=audit(1460541671.405:515684): arch=x86_64 syscall=mmap success=no exit=EACCES a0=f000 a1=502 a2=7 a3=11 items=0 ppid=11103 pid=11104 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=53254 comm=monitor-get-edi exe=/usr/sbin/monitor-get-edid-using-vbe subj=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 key=(null)

Hash: monitor-get-edi,system_cronjob_t,system_cronjob_t,memprotect,mmap_zero
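As an added triage example (not part of the report and not setroubleshoot's own code), the script below pairs the AVC and SYSCALL records quoted above by audit serial and decodes the mmap() arguments, showing that the denied call is a MAP_FIXED mapping at 0xf000. It assumes the RHEL 7 x86_64 LSM mmap floor of 65536 (0x10000), below which SELinux requires memprotect:mmap_zero.

```python
import re

# Raw audit records quoted from the report above: the AVC record and the SYSCALL record sharing its serial.
AUDIT_LINES = [
    'type=AVC msg=audit(1460541671.405:515684): avc: denied { mmap_zero } for pid=11104 '
    'comm="monitor-get-edi" scontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tclass=memprotect',
    'type=SYSCALL msg=audit(1460541671.405:515684): arch=x86_64 syscall=mmap success=no '
    'exit=EACCES a0=f000 a1=502 a2=7 a3=11 items=0 ppid=11103 pid=11104 auid=0 uid=0 '
    'gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=53254 '
    'comm=monitor-get-edi exe=/usr/sbin/monitor-get-edid-using-vbe '
    'subj=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 key=(null)',
]

# Assumed: RHEL 7 x86_64 LSM mmap floor of 65536 (0x10000); SELinux checks memprotect:mmap_zero only below it.
LSM_MMAP_MIN_ADDR = 0x10000
PROT_BITS = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}
MAP_BITS = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED", 0x20: "MAP_ANONYMOUS"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    # key=value fields, the audit serial, and the permission set inside "{ ... }" on AVC records
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec["serial"] = re.search(r'audit\([^:]+:(\d+)\)', line).group(1)
    perms = re.search(r'\{ ([^}]*)\}', line)
    rec["perms"] = perms.group(1).split() if perms else []
    return rec

def flag_names(value, table):
    return [name for bit, name in table.items() if value & bit]

def triage(lines):
    # Pair AVC and SYSCALL records by serial and decode mmap_zero denials raised by mmap().
    by_serial = {}
    for rec in map(parse_record, lines):
        by_serial.setdefault(rec["serial"], {})[rec["type"]] = rec
    findings = []
    for serial, recs in by_serial.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if not (avc and sc) or avc.get("tclass") != "memprotect" or sc.get("syscall") != "mmap":
            continue
        addr, length, prot, flags = (int(sc[k], 16) for k in ("a0", "a1", "a2", "a3"))
        findings.append({
            "serial": serial, "comm": avc["comm"], "exe": sc["exe"], "perms": avc["perms"],
            "domain": avc["scontext"].split(":")[2],
            # memprotect is checked against the caller's own SID, hence scontext == tcontext
            "self_target": avc["scontext"] == avc["tcontext"],
            "addr": addr, "length": length, "below_min_addr": addr < LSM_MMAP_MIN_ADDR,
            "prot": flag_names(prot, PROT_BITS), "flags": flag_names(flags, MAP_BITS),
            "denied": sc["success"] == "no",
        })
    return findings
```

Run over a full audit.log (one record per line), it lets an administrator confirm that every mmap_zero hit comes from the expected executable and domain before deciding between the mmap_low_allowed boolean and a narrower local module.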
Please note that the problem is also present on EL6. Bugs have been created in Red Hat Bugzilla, but they were closed (see https://bugzilla.redhat.com/show_bug.cgi?id=742691). However, I don't understand why they weren't transferred to the EPEL team.