Found following AVC denial in the audit.log. Not sure whether a SELinux bug or vbetool bug.

----
time->Wed Oct 21 14:29:16 2009
type=SYSCALL msg=audit(1256128156.308:5): arch=40000003 syscall=192 success=no exit=-13 a0=1000 a1=a0000 a2=7 a3=11 items=0 ppid=301 pid=313 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vbetool" exe="/usr/sbin/vbetool" subj=system_u:system_r:vbetool_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1256128156.308:5): avc: denied { mmap_zero } for pid=313 comm="vbetool" scontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tcontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tclass=memprotect

/var/log/messages

<snip>
Oct 20 14:05:35 dhcp-lab-174 kernel: dracut: Switching root
Oct 20 14:05:35 dhcp-lab-174 kernel: type=1129 audit(1256047521.548:4): user pid=223 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='old-level=0 new-level=S: exe="/sbin/r unlevel" hostname=? addr=? terminal=console res=success'
Oct 20 14:05:35 dhcp-lab-174 kernel: udev: starting version 145
Oct 20 14:05:35 dhcp-lab-174 kernel: piix4_smbus 0000:00:01.3: SMBus Host Controller at 0xb100, revision 0
Oct 20 14:05:35 dhcp-lab-174 kernel: type=1400 audit(1256040326.455:5): avc: denied { mmap_zero } for pid=346 comm="vbetool" scontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tcontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tclass=memprotect
Oct 20 14:05:35 dhcp-lab-174 kernel: type=1300 audit(1256040326.455:5): arch=40000003 syscall=192 success=no exit=-13 a0=1000 a1=a0000 a2=7 a3=11 items=0 ppid=306 pid=346 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vbetool" exe="/usr/sbin/vbetool" subj=system_u:system_r:vbetool_t:s0-s0:c0.c1023 key=(null)
It is a bug in vbetool. It should not need this access. You can allow this if your suspend/resume is not working by turning on the mmap_low_allowed boolean

setsebool -P mmap_low_allowed 1

This does open you to potential kernel vulnerabilities.
vbetool needs to execute code from the low page. I'm not clear on how it's possible to preserve its functionality without doing so.
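Added example (not part of the original report, and not vbetool or libx86 code): a small decoder that pairs each mmap_zero AVC with its SYSCALL record and spells out the mapping that was refused, using the records quoted in this report. The function names are hypothetical, and the min_addr default of 65536 is an assumed value for /proc/sys/kernel/mmap_min_addr.

```python
import errno
import re

# Constructed sample: the SYSCALL/AVC pair quoted in this report, trimmed to the
# fields the decoder reads. Kernel-log lines use type=1300/1400 for the same records.
SAMPLE = '''\
type=SYSCALL msg=audit(1256128156.308:5): arch=40000003 syscall=192 success=no exit=-13 a0=1000 a1=a0000 a2=7 a3=11 pid=313 comm="vbetool" exe="/usr/sbin/vbetool"
type=AVC msg=audit(1256128156.308:5): avc: denied { mmap_zero } for pid=313 comm="vbetool" tclass=memprotect
'''

TYPE_NAMES = {"1300": "SYSCALL", "1400": "AVC"}
PROT = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}
MAP = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED", 0x20: "MAP_ANONYMOUS"}
MMAP_CALLS = {("40000003", "192"): "mmap2"}  # (arch, syscall): i386 mmap2 only

def bits(value, names):
    return [name for bit, name in sorted(names.items()) if value & bit]

def parse(text):
    """Group audit records by event id (timestamp:serial)."""
    events = {}
    for line in text.splitlines():
        m = re.search(r"type=(\w+) .*?audit\((\d+\.\d+:\d+)\)", line)
        if not m:
            continue
        rtype = TYPE_NAMES.get(m.group(1), m.group(1))
        fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
        perms = re.search(r"\{ ([^}]*) \}", line)
        fields["perms"] = perms.group(1).split() if perms else []
        events.setdefault(m.group(2), {})[rtype] = fields
    return events

def explain_mmap_zero(text, min_addr=65536):
    """Decode the mmap call behind each mmap_zero denial (min_addr is assumed)."""
    out = []
    for eid, ev in parse(text).items():
        avc, sc = ev.get("AVC", {}), ev.get("SYSCALL", {})
        call = MMAP_CALLS.get((sc.get("arch"), sc.get("syscall")))
        if "mmap_zero" not in avc.get("perms", []) or call is None:
            continue
        addr = int(sc["a0"], 16)  # audit prints a0..a3 in hex
        out.append({
            "event": eid, "comm": sc["comm"].strip('"'), "call": call,
            "addr": addr, "length": int(sc["a1"], 16), "below_min_addr": addr < min_addr,
            "prot": bits(int(sc["a2"], 16), PROT),
            "flags": bits(int(sc["a3"], 16), MAP),
            "errno": errno.errorcode[-int(sc["exit"])],
        })
    return out
```

Calling explain_mmap_zero(SAMPLE) shows a fixed, read/write/execute mapping requested at address 0x1000, which is the low-page access the two comments above disagree about.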
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle. Changing version to '12'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
libx86-1.1-9.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/libx86-1.1-9.fc12
libx86-1.1-9.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update libx86'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-11717
Update to the testing pkgs does not solve the AVC denial and introduces a segfault.

# rpm -q vbetool libx86
vbetool-1.2.2-1.fc12.i686
# dmesg
...
type=1400 audit(1258712950.694:6): avc: denied { mmap_zero } for pid=355 comm="vbetool" scontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tcontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tclass=memprotect
vbetool[355]: segfault at bfbe8c85 ip 0024453a sp bfbe8c85 error 6 in libc-2.10.90.so[129000+176000]
...
Getting this error on FC14 Beta RC3

-----------------------------------
Sep 21 23:07:34 localhost kernel: type=1400 audit(1285128448.952:4): avc: denied { mmap_zero } for pid=566 comm="vbetool" scontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tcontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tclass=memprotect
Sep 21 23:11:10 localhost kernel: type=1400 audit(1285128662.127:4): avc: denied { mmap_zero } for pid=563 comm="vbetool" scontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tcontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tclass=memprotect
---------------------------------------
Sep 21 23:07:34 localhost kernel: type=1400 audit(1285128448.952:4): avc: denied { mmap_zero } for pid=566 comm="vbetool" scontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tcontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tclass=memprotect

Was caused by:
The boolean mmap_low_allowed was set incorrectly.
Description:
Control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr.

Allow access by executing:
# setsebool -P mmap_low_allowed 1

Sep 21 23:11:10 localhost kernel: type=1400 audit(1285128662.127:4): avc: denied { mmap_zero } for pid=563 comm="vbetool" scontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tcontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tclass=memprotect

Was caused by:
The boolean mmap_low_allowed was set incorrectly.
Description:
Control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr.

Allow access by executing:
# setsebool -P mmap_low_allowed 1
---------------------------------------
kernel-2.6.35.4-28.fc14.x86_64
selinux-policy-targeted-3.9.3-4.fc14.noarch
vbetool-1.2.2-1.fc12.x86_64
libx86-1.1-9.fc13.x86_64
See also bug 518351

--
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers
libx86-1.1-9.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.