Description of problem:
Attempting to run google picasa generates an selinux alert.

Version-Release number of selected component (if applicable):

How reproducible:
Every time

Steps to Reproduce:
1. Install google picasa from google repo
2. Attempt to run picasa
3.

Actual results:
Selinux alert generated, can not turn off memory protection to allow it to run.

Expected results:
Memory protection is turned off as requested.

Additional info:
The "Fix command" appears to work from a root console but it does not work from the selinux security helper. This has happened on two separate F13 x86_64 installs.

Selinux alert info:

Summary:

SELinux has prevented wine from performing an unsafe memory operation.

Detailed Description:

SELinux denied an operation requested by wine-preloader, a program used to run Windows applications under Linux. This program is known to use an unsafe operation on system memory but so are a number of malware/exploit programs which masquerade as wine. If you were attempting to run a Windows program your only choices are to allow this operation and reduce your system security against such malware or to refrain from running Windows applications under Linux. If you were not attempting to run a Windows application this indicates you are likely being attacked by some for of malware or program trying to exploit your system for nefarious purposes. Please refer to http://wiki.winehq.org/PreloaderPageZeroProblem Which outlines the other problems wine encounters due to its unsafe use of memory and solutions to those problems.

Allowing Access:

If you decide to continue to run the program in question you will need to allow this operation. This can be done on the command line by executing:

# setsebool -P mmap_low_allowed 1

Fix Command:

/usr/sbin/setsebool -P mmap_low_allowed 1

Additional Information:

Source Context                unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023
Target Objects                None [ memprotect ]
Source                        wine-preloader
Source Path                   /opt/picasa/wine/bin/wine-preloader
Port                          <Unknown>
Host                          hobbes.localdomain
Source RPM Packages           picasa-2.7.3736-15
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-33.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   wine
Host Name                     hobbes.localdomain
Platform                      Linux hobbes.localdomain 2.6.33.5-124.fc13.x86_64 #1 SMP Fri Jun 11 09:38:12 UTC 2010 x86_64 x86_64
Alert Count                   9
First Seen                    Sat 17 Jul 2010 10:44:59 PM CDT
Last Seen                     Sat 17 Jul 2010 10:45:40 PM CDT
Local ID                      4651da9a-ee54-4672-bff3-26d875cf0736
Line Numbers

Raw Audit Messages

node=hobbes.localdomain type=AVC msg=audit(1279424740.659:46692): avc: denied { mmap_zero } for pid=14361 comm="wine-preloader" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect

node=hobbes.localdomain type=SYSCALL msg=audit(1279424740.659:46692): arch=40000003 syscall=90 success=no exit=-13 a0=ffbd38e0 a1=ffbd38e0 a2=5a a3=7c002780 items=0 ppid=14132 pid=14361 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="wine-preloader" exe="/opt/picasa/wine/bin/wine-preloader" subj=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 key=(null)
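Added example, not part of the bug report or of setroubleshoot: a small triage helper that joins the AVC and SYSCALL records above by their shared audit event serial, so a responder can see which binary, user and domain triggered a memprotect mmap_zero denial before deciding whether to set mmap_low_allowed. The function names and the one-entry SYSCALLS table are assumptions made for this illustration.

```python
import errno
import re

# Raw audit records copied from the alert in the report above.
RAW = """\
node=hobbes.localdomain type=AVC msg=audit(1279424740.659:46692): avc: denied { mmap_zero } for pid=14361 comm="wine-preloader" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect
node=hobbes.localdomain type=SYSCALL msg=audit(1279424740.659:46692): arch=40000003 syscall=90 success=no exit=-13 a0=ffbd38e0 a1=ffbd38e0 a2=5a a3=7c002780 items=0 ppid=14132 pid=14361 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="wine-preloader" exe="/opt/picasa/wine/bin/wine-preloader" subj=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 key=(null)
"""

RECORD = re.compile(r"type=(\w+) msg=audit\([\d.]+:(\d+)\):\s*(.*)")
AVC = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption: minimal lookup covering only the pair in this report
# (arch 40000003 is i386, where syscall 90 is mmap).
SYSCALLS = {("40000003", "90"): "mmap"}

def parse_events(text):
    """Group records by audit event serial so an AVC is joined to its SYSCALL."""
    events = {}
    for line in text.splitlines():
        m = RECORD.search(line)
        if not m:
            continue
        rtype, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in KV.findall(body)}
        avc = AVC.search(body)
        if rtype == "AVC" and avc:
            fields["result"], fields["perms"] = avc.group(1), avc.group(2).split()
        events.setdefault(serial, {})[rtype] = fields
    return events

def mmap_zero_denials(text):
    """Return one summary per denied memprotect:mmap_zero event."""
    found = []
    for serial, recs in parse_events(text).items():
        avc, sc = recs.get("AVC", {}), recs.get("SYSCALL", {})
        if (avc.get("result") != "denied" or avc.get("tclass") != "memprotect"
                or "mmap_zero" not in avc.get("perms", [])):
            continue
        code = -int(sc.get("exit", "0"))  # exit=-13 becomes errno 13
        found.append({
            "event": serial,
            "domain": avc.get("scontext", "::?").split(":")[2],
            "exe": sc.get("exe"),
            "uid": sc.get("uid"),
            "syscall": SYSCALLS.get((sc.get("arch"), sc.get("syscall")), sc.get("syscall")),
            "errno": errno.errorcode.get(code),
        })
    return found

if __name__ == "__main__":
    for hit in mmap_zero_denials(RAW):
        print(hit)
```

An exe path or domain other than the expected Wine preloader in the summary is the case the alert text warns about, and is a reason not to enable the boolean.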
The alert tells you what to do.

/usr/sbin/setsebool -P mmap_low_allowed 1
Yes, I know, I mentioned it worked in my bug report, but shouldn't the button still work? Is it not a bug that it provides a method to do that graphically but fails to work and gives an error message? Something to the effect of, "Unable to complete.", or something like that.
Ok I missed that line.
Upgrading to the F14/F15 version of setroubleshoot. Fixed in setroubleshoot-3.0.24-1.fc13
setroubleshoot-3.0.24-1.fc13 has been submitted as an update for Fedora 13. https://admin.fedoraproject.org/updates/setroubleshoot-3.0.24-1.fc13
setroubleshoot-3.0.24-1.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update setroubleshoot'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/setroubleshoot-3.0.24-1.fc13
setroubleshoot-3.0.24-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.