Description of problem: SELinux is preventing check from 'mmap_zero' accesses on the memprotect labeled spc_t. ***** Plugin mmap_zero (53.1 confidence) suggests ************************* If you do not think check should need to mmap low memory in the kernel. Then you may be under attack by a hacker, this is a very dangerous access. Do contact your security administrator and report this issue. ***** Plugin catchall_boolean (42.6 confidence) suggests ****************** If you want to allow mmap to low allowed Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean. Do setsebool -P mmap_low_allowed 1 ***** Plugin catchall (5.76 confidence) suggests ************************** If you believe that check should be allowed mmap_zero access on memprotect labeled spc_t by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'check' --raw | audit2allow -M my-check # semodule -X 300 -i my-check.pp Additional Information: Source Context system_u:system_r:spc_t:s0 Target Context system_u:system_r:spc_t:s0 Target Objects Unknown [ memprotect ] Source check Source Path check Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages SELinux Policy RPM selinux-policy-targeted-38.20-1.fc38.noarch Local Policy RPM container-selinux-2.219.0-1.fc38.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 6.3.12-200.fc38.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Jul 6 04:05:18 UTC 2023 x86_64 Alert Count 45 First Seen 2023-07-13 10:37:01 CEST Last Seen 2023-07-13 10:37:02 CEST Local ID c3888152-0a49-459f-a1a5-dcdc53efcc4e Raw Audit Messages type=AVC msg=audit(1689237422.574:677): avc: denied { mmap_zero } for pid=19187 comm="check" scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:spc_t:s0 tclass=memprotect permissive=0 Hash: check,spc_t,spc_t,memprotect,mmap_zero Version-Release number of selected component: selinux-policy-targeted-38.20-1.fc38.noarch Additional info: reporter: libreport-2.17.11 kernel: 6.3.12-200.fc38.x86_64 package: selinux-policy-targeted-38.20-1.fc38.noarch hashmarkername: setroubleshoot reason: SELinux is preventing check from 'mmap_zero' accesses on the memprotect labeled spc_t. type: libreport component: container-selinux component: container-selinux Potential duplicate: bug 2169154
Created attachment 1975603 [details] File: os_info
Created attachment 1975604 [details] File: description
Probably: Using Microsoft 2FA authenticator app to set up a VPN via NetworkManager. kernel: 6.4.7-200.fc38.x86_64 package: selinux-policy-targeted-38.20-1.fc38.noarch hashmarkername: setroubleshoot reason: SELinux is preventing check from 'mmap_zero' accesses on the memprotect labeled spc_t. type: libreport comment: Probably: Using Microsoft 2FA authenticator app to set up a VPN via NetworkManager.