Bug 1568310 - SELinux is preventing wine-preloader from 'mmap_zero' accesses on the memprotect Unknown.
Summary: SELinux is preventing wine-preloader from 'mmap_zero' accesses on the memprot...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 28
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:7774f653e3da691a306c93c01e6...
Depends On:
Blocks:
 
Reported: 2018-04-17 08:25 UTC by ricky.tigg
Modified: 2018-04-17 13:10 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-17 13:10:34 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)
File: wine_InSpectre.txt (2.87 KB, text/plain)
2018-04-17 08:25 UTC, ricky.tigg

Description ricky.tigg 2018-04-17 08:25:03 UTC
Description of problem:
A third-party software, InSpectre, which is a utility aimed at investigating issues related to Meltdown and Spectre attacks, was run as administrator.
$ su -c 'wine '/home/yk/Lataukset/InSpectre.exe''
SELinux is preventing wine-preloader from 'mmap_zero' accesses on the memprotect Unknown.

*****  Plugin mmap_zero (53.1 confidence) suggests   *************************

If you do not think wine-preloader should need to mmap low memory in the kernel.
Then you may be under attack by a hacker, this is a very dangerous access.
Do
contact your security administrator and report this issue.

*****  Plugin catchall_boolean (42.6 confidence) suggests   ******************

If you want to allow mmap to low allowed
Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean.

Do
setsebool -P mmap_low_allowed 1

*****  Plugin catchall (5.76 confidence) suggests   **************************

If you believe that wine-preloader should be allowed mmap_zero access on the Unknown memprotect by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'wine-preloader' --raw | audit2allow -M my-winepreloader
# semodule -X 300 -i my-winepreloader.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                Unknown [ memprotect ]
Source                        wine-preloader
Source Path                   wine-preloader
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.1-19.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.16.2-300.fc28.x86_64 #1 SMP Thu Apr 12 14:58:07 UTC 2018 x86_64 x86_64
Alert Count                   4
First Seen                    2018-04-17 10:05:59 CEST
Last Seen                     2018-04-17 10:07:36 CEST
Local ID                      24205348-633c-4181-873a-1c4fb5027d26

Raw Audit Messages
type=AVC msg=audit(1523952456.304:325): avc:  denied  { mmap_zero } for  pid=7322 comm="wine-preloader" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect permissive=0


Hash: wine-preloader,unconfined_t,unconfined_t,memprotect,mmap_zero

Version-Release number of selected component:
selinux-policy-3.14.1-19.fc28.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.4
hashmarkername: setroubleshoot
kernel:         4.16.2-300.fc28.x86_64
type:           libreport

Potential duplicate: bug 1278290
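The raw AVC record in this report is the kind of line a defender would want to triage automatically rather than read through setroubleshoot each time. The following is an added example, not part of the bug report or of the selinux-policy project: it parses `type=AVC` audit records into fields and rates the `mmap_zero` / `memprotect` case as high risk, because that permission is checked when a process tries to map pages below `vm.mmap_min_addr`, the low address range the kernel reserves so that a NULL pointer dereference cannot land on user-controlled data. The first sample line is the record from the report; the remaining sample lines, the verdict wording and the function names are constructed for the example.

```python
"""Triage SELinux AVC denials from raw audit lines (added example)."""
import re
from typing import Dict, List, Optional

# Constructed sample input. Line 1 is the AVC record from the bug report; the
# others are made up to show a permissive-mode hit, an unrelated file denial
# and a non-AVC record that the parser must skip.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1523952456.304:325): avc:  denied  { mmap_zero } for  pid=7322 '
    'comm="wine-preloader" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect permissive=0',
    'type=AVC msg=audit(1523952460.100:326): avc:  denied  { mmap_zero } for  pid=7400 '
    'comm="example-app" scontext=unconfined_u:unconfined_r:unconfined_t:s0 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=memprotect permissive=1',
    'type=AVC msg=audit(1523952470.500:327): avc:  denied  { read } for  pid=7500 '
    'comm="httpd" name="secret" dev="dm-0" ino=1234 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 '
    'tclass=file permissive=0',
    'type=SYSCALL msg=audit(1523952456.304:325): arch=c000003e syscall=9 success=no exit=-13',
]

# Header of an AVC record: timestamp:serial, result, permission set, then key=value pairs.
_AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]*)\} for\s+(?P<rest>.*)$'
)
# key=value pairs; values are either double-quoted or a run of non-space characters.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Return a dict of fields for a type=AVC record, or None for any other record."""
    m = _AVC_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": set(m.group("perms").split()),
    }
    for key, value in _KV_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    # permissive=1 means the access was logged but actually allowed.
    rec["permissive"] = rec.get("permissive") == "1"
    return rec


def is_low_memory_mapping(rec: Dict[str, object]) -> bool:
    """True when the record is the memprotect/mmap_zero check seen in the report."""
    return rec.get("tclass") == "memprotect" and "mmap_zero" in rec["perms"]


def classify(rec: Dict[str, object]) -> str:
    """Map a parsed record to a triage verdict (wording is the example's own)."""
    if is_low_memory_mapping(rec):
        if rec["permissive"]:
            return "HIGH: low-memory mapping was allowed (permissive); review this process"
        return "HIGH: low-memory mapping blocked; keep denied unless the program really needs it"
    return "INFO: ordinary denial; use audit2allow only if the access is expected"


def remediation_hint(rec: Dict[str, object]) -> str:
    """Echo the route setroubleshoot proposed in the report for each case."""
    if is_low_memory_mapping(rec):
        # The boolean name is the one the report's catchall_boolean plugin names.
        return "setsebool -P mmap_low_allowed 1   # only if the low mapping is intended"
    comm = str(rec.get("comm", "unknown"))
    return "ausearch -c '%s' --raw | audit2allow -M my-%s" % (comm, comm.replace("-", ""))


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Parse every AVC line, attach a verdict and skip non-AVC records."""
    findings = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        rec["verdict"] = classify(rec)
        findings.append(rec)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT_LINES):
        print(f["comm"], f["tclass"], sorted(f["perms"]), f["verdict"])
        print("   ", remediation_hint(f))
```

Running the block prints one verdict per AVC record; the `SYSCALL` record is skipped. The point of the split between `classify` and `remediation_hint` is that the boolean is a policy-wide change, so the verdict stays "HIGH" even when the fix is a single `setsebool`, and the operator decides, as the maintainer does in this bug, whether the low mapping is actually wanted.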

Comment 1 ricky.tigg 2018-04-17 08:25:09 UTC
Created attachment 1422943 [details]
File: wine_InSpectre.txt

Comment 2 Lukas Vrabec 2018-04-17 13:10:34 UTC
Hi, 

It makes sense that SELinux blocks this, right? That tool is for testing critical security vulnerabilities, and you reported a bug to allow this kind of access. It doesn't make sense.

If you would like to use it anyway, please use the following boolean from your report:

*****  Plugin catchall_boolean (42.6 confidence) suggests   ******************

If you want to allow mmap to low allowed
Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean.

Do
setsebool -P mmap_low_allowed 1

