The below error is being generated even though:

[root@plum ~]# getsebool wine_mmap_zero_ignore
wine_mmap_zero_ignore --> on

wine is being run from kmttg (http://code.google.com/p/kmttg/) to use a windows ad-skipping program (http://www.kaashoek.com/comskip/) for files from my DVR. It appears that unconfined_java_t is still used?

[root@plum ~]# ls -lZ /usr/bin/wine /usr/bin/wine-preloader
-rwxr-xr-x. root root system_u:object_r:wine_exec_t:s0 /usr/bin/wine
-rwxr-xr-x. root root system_u:object_r:wine_exec_t:s0 /usr/bin/wine-preloader

SELinux is preventing /usr/bin/wine-preloader from 'mmap_zero' accesses on the memprotect Unknown.

***** Plugin mmap_zero (53.1 confidence) suggests **************************

If you do not think /usr/bin/wine-preloader should need to mmap low memory in the kernel.
Then you may be under attack by a hacker, this is a very dangerous access.
Do
contact your security administrator and report this issue.

***** Plugin catchall_boolean (42.6 confidence) suggests *******************

If you want to control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr.
Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean.
Do
setsebool -P mmap_low_allowed 1

***** Plugin catchall (5.76 confidence) suggests ***************************

If you believe that wine-preloader should be allowed mmap_zero access on the Unknown memprotect by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep /usr/bin/wine-preloader /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023
Target Objects                Unknown [ memprotect ]
Source                        wine-preloader
Source Path                   /usr/bin/wine-preloader
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           wine-core-1.3.9-1.fc14
Target RPM Packages
Policy RPM                    selinux-policy-3.9.7-19.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.10-74.fc14.x86_64 #1 SMP Thu Dec 23 16:04:50 UTC 2010 x86_64 x86_64
Alert Count                   42
First Seen                    Wed 22 Dec 2010 19:23:28 EST
Last Seen                     Thu 30 Dec 2010 21:57:13 EST
Local ID                      56aae3c1-adac-45e8-a94d-361a794849e8

Raw Audit Messages
type=AVC msg=audit(1293706633.184:455): avc: denied { mmap_zero } for pid=25751 comm="wine-preloader" scontext=unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 tclass=memprotect

wine-preloader,unconfined_java_t,unconfined_java_t,memprotect,mmap_zero

type=SYSCALL msg=audit(1293706633.184:455): arch=i386 syscall=chmod success=no exit=EACCES a0=ffa70aa0 a1=0 a2=ffa70aa0 a3=0 items=0 ppid=1 pid=25751 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=wine-preloader exe=/usr/bin/wine-preloader subj=unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 key=(null)

wine-preloader,unconfined_java_t,unconfined_java_t,memprotect,mmap_zero

#============= unconfined_java_t ==============
#!!!! This avc can be allowed using the boolean 'mmap_low_allowed'
allow unconfined_java_t self:memprotect mmap_zero;
Miroslav, looks like we need a transition from unconfined_java_t to wine_t.
Why wouldn't the policy need to allow transitions to anything bash can transition to?
Bradley, could you test it with the following local policy

# cat mypol.te
policy_module(mypol, 1.0)

require {
        type unconfined_java_t;
}

wine_domtrans(unconfined_java_t)

and execute

# make -f /usr/share/selinux/devel/Makefile
# semodule -i mypol.pp
Bradley, the problem is not with bash but the user context. Most users tend to run as unconfined_t, and we have a rule that says unconfined_t processes running a program labeled wine_exec_t will transition to wine_t. We also have a rule that says unconfined_t processes running programs labeled java_exec_t will transition to unconfined_java_t. But we did not know about a java app that runs a wine app. So we need a rule that says a process running as unconfined_java_t running a program labeled wine_exec_t will transition to wine_t.
that works, thanks.
Great. Adding to the default policy. Fixed in selinux-policy-3.9.7-20.fc14
When trying to open the windows version of energyXT2 (2.5.4) in wine I get the following warning on Fedora 14 x86_64 (selinux-policy-3.9.7-25.fc14)

SELinux is preventing /usr/bin/wine-preloader from mmap_zero access on the memprotect Unknown.

***** Plugin wine (34.9 confidence) suggests *******************************

If you want to ignore this AVC because it is dangerous and your wine applications are working correctly.
Then you must tell SELinux about this by enabling the wine_mmap_zero_ignore boolean.
Do
# setsebool -P wine_mmap_zero_ignore 1

***** Plugin mmap_zero (34.9 confidence) suggests **************************

If you do not think /usr/bin/wine-preloader should need to mmap low memory in the kernel.
Then you may be under attack by a hacker, this is a very dangerous access.
Do
contact your security administrator and report this issue.

***** Plugin catchall_boolean (28.0 confidence) suggests *******************

If you want to control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr.
Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean.
Do
setsebool -P mmap_low_allowed 1

***** Plugin catchall (3.94 confidence) suggests ***************************

If you believe that wine-preloader should be allowed mmap_zero access on the Unknown memprotect by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep wine-preloader /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Quellkontext                  unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023
Zielkontext                   unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023
Zielobjekte                   Unknown [ memprotect ]
Quelle                        wine-preloader
Quellpfad                     /usr/bin/wine-preloader
Port                          <Unbekannt>
Host                          hp550-01.slnet
RPM-Pakete der Quelle         wine-core-1.3.10-1.fc14
RPM-Pakete des Ziels
Richtlinien-RPM               selinux-policy-3.9.7-25.fc14
SELinux aktiviert             True
Richtlinientyp                targeted
Enforcing-Modus               Enforcing
Rechnername                   hp550-01.slnet
Plattform                     Linux hp550-01.slnet 2.6.33.7-149.rt30.1.fc14.ccrma.x86_64.rt #1 SMP PREEMPT RT Thu Dec 23 14:33:39 EST 2010 x86_64 x86_64
Anzahl der Alarme             2
Zuerst gesehen                So 30 Jan 2011 17:59:15 CET
Zuletzt gesehen               So 30 Jan 2011 17:59:20 CET
Lokale ID                     b00d0909-cb5f-421c-94f9-48461dc43483

Raw-Audit-Meldungen
type=AVC msg=audit(1296406760.319:27965): avc: denied { mmap_zero } for pid=3702 comm="wine-preloader" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect

type=SYSCALL msg=audit(1296406760.319:27965): arch=i386 syscall=chmod success=no exit=EACCES a0=ff9e7d90 a1=10000 a2=ff9e7d90 a3=ff9e7d90 items=0 ppid=3683 pid=3702 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=wine-preloader exe=/usr/bin/wine-preloader subj=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 key=(null)

Hash: wine-preloader,wine_t,wine_t,memprotect,mmap_zero

audit2allow

#============= wine_t ==============
#!!!! This avc can be allowed using the boolean 'mmap_low_allowed'
allow wine_t self:memprotect mmap_zero;

audit2allow -R

#============= wine_t ==============
#!!!! This avc can be allowed using the boolean 'mmap_low_allowed'
allow wine_t self:memprotect mmap_zero;
The alert tells you what to do, so why are you reporting it?
(In reply to comment #8)
> The alert tells you what to do, so why are you reporting it?

Hi Daniel,

The following warning definitely implies that wine is very unsafe:

"...Then you may be under attack by a hacker, this is a very dangerous access. Do contact your security administrator and report this issue...."

So I reported this issue... If Red Hat / Fedora think Fedora is safe, then they should include a rule in SELinux so that this message does not pop up frightening any user who sees it.

Regards, Simon
(In reply to comment #8)
> The alert tells you what to do, so why are you reporting it?

Hi Daniel

Sorry, I forgot to ask, which of the 5 clis should I perform? I am just a normal user who can not tell his "catchall_boolean" from his "memprotect mmap_zero"..! Any advice would be appreciated.

Regards, Simon
Why do wine's rpms not include any scripts to set this up? It's a bit like buying a car without an engine...

Best regards, Simon
Wine causes you to set up the system in an unsafe manner if you want to run certain wine apps as a normal user. mmap_zero has proven to be a repeated mechanism to take advantage of bugs in the kernel to take a machine over. This type of attack SELinux can not stop unless we stop the running of certain wine apps. You also need to turn off DAC protections to allow wine apps to work. BTW this is true not only in Fedora but Ubuntu, Debian and I guess other linux distributions.

# setsebool -P mmap_low_allowed 1

Will turn off the SELinux check, I do not remember the DAC access command.

Well I guess it is more like wanting to run something on your car, that your car was not designed to use, and then having to leave the door unlocked to run it.
Hi Daniel

Thanks for the quick reply. I guess I'll give up on the idea of using wine on this laptop. Shame really because there are one to two interesting audio apps that only come in windows closed source binary variety... Do you know if there is any development on wine to get around this security problem? Or is there an option to run wine in a sandbox? Also, does this security problem also apply to virtual box /qemu etc.?

Regards, Simon
Running Windows within a virtual machine is much safer than running wine apps with mmap_zero turned off. BTW Did your wine apps blow up when running in wine? Sometimes wine requests this access but does not really need it.
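As an added example, not part of this bug thread: a small POSIX sh triage helper that reads AVC lines like the ones quoted in this report and tells the two situations apart that Dan describes in comment 6 and above: wine-preloader still running in the caller's domain (unconfined_java_t, i.e. the missing wine_exec_t to wine_t transition, a policy bug) versus wine already confined as wine_t, where only the wine_mmap_zero_ignore / mmap_low_allowed boolean decision remains. The two sample AVC lines are copied from the reports on this page; the function names are this example's own.

```shell
#!/bin/sh
# Added example: triage SELinux memprotect/mmap_zero denials for wine-preloader.
# The two sample AVC lines are copied from this bug report (pids and timestamps
# as quoted there); the helper names below are this example's own, not sealert's.
AVC_JAVA='type=AVC msg=audit(1293706633.184:455): avc: denied { mmap_zero } for pid=25751 comm="wine-preloader" scontext=unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 tclass=memprotect'
AVC_WINE='type=AVC msg=audit(1296406760.319:27965): avc: denied { mmap_zero } for pid=3702 comm="wine-preloader" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect'

# avc_field LINE KEY: value of KEY=... in an audit line, surrounding quotes removed
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"'
}

# avc_source_type LINE: the type component of scontext (user:role:TYPE:range)
avc_source_type() {
    avc_field "$1" scontext | cut -d: -f3
}

# avc_permission LINE: the permission named inside "denied { ... }"
avc_permission() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^ }]*\) }.*/\1/p'
}

# avc_triage LINE: classify a wine-preloader mmap_zero denial
#   missing-wine-transition:<type>  wine ran in the caller's domain, so the policy
#                                   lacks a wine_exec_t -> wine_t transition from
#                                   that domain (report it as a policy bug)
#   wine_t-boolean-decision         wine is confined; what remains is the
#                                   wine_mmap_zero_ignore / mmap_low_allowed choice
#   other                           not a wine mmap_zero denial
avc_triage() {
    comm=$(avc_field "$1" comm)
    src=$(avc_source_type "$1")
    perm=$(avc_permission "$1")
    if [ "$perm" != mmap_zero ] || [ "$comm" != wine-preloader ]; then
        echo other
    elif [ "$src" != wine_t ]; then
        echo "missing-wine-transition:$src"
    else
        echo wine_t-boolean-decision
    fi
}

# Stand-alone run: classify the two sample lines from the report.
avc_triage "$AVC_JAVA"
avc_triage "$AVC_WINE"
```

On a real system the same functions can be fed the output of `grep wine-preloader /var/log/audit/audit.log` one line at a time.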
(In reply to comment #14)
> BTW Did your wine apps blow up when running in wine? Sometimes wine requests
> this access but does not really need it.

Yep, energyXT2 zonked out at the start!!!
selinux-policy-3.9.7-42.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-42.fc14
Package selinux-policy-3.9.7-42.fc14:
* should fix your issue,
* was pushed to the Fedora 14 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.7-42.fc14'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-42.fc14
then log in and leave karma (feedback).
Same issue occurs for selinux-policy-3.9.16-26.fc15.
*** Bug 689938 has been marked as a duplicate of this bug. ***
selinux-policy-3.9.7-42.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
I've noticed that this issue seems to be appearing again. The current selinux-policy package I'm using is: selinux-policy-3.11.1-97.fc18.noarch

Below is the selinux log:

SELinux is preventing /usr/bin/wine-preloader from mmap_zero access on the memprotect .

***** Plugin mmap_zero (34.9 confidence) suggests **************************

If you do not think /usr/bin/wine-preloader should need to mmap low memory in the kernel.
Then you may be under attack by a hacker, this is a very dangerous access.
Do
contact your security administrator and report this issue.

***** Plugin wine (34.9 confidence) suggests *******************************

If you want to ignore this AVC because it is dangerous and your wine applications are working correctly.
Then you must tell SELinux about this by enabling the wine_mmap_zero_ignore boolean.
Do
# setsebool -P wine_mmap_zero_ignore 1

***** Plugin catchall_boolean (28.0 confidence) suggests *******************

If you want to control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr.
Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean.
You can read 'wine_selinux' man page for more details.
Do
setsebool -P mmap_low_allowed 1

***** Plugin catchall (3.94 confidence) suggests ***************************

If you believe that wine-preloader should be allowed mmap_zero access on the memprotect by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep wine-preloader /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023
Target Objects                [ memprotect ]
Source                        wine-preloader
Source Path                   /usr/bin/wine-preloader
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           wine-core-1.5.29-1.fc18.i686
Target RPM Packages
Policy RPM                    selinux-policy-3.11.1-97.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.9.4-200.fc18.x86_64 #1 SMP Fri May 24 20:10:49 UTC 2013 x86_64 x86_64
Alert Count                   5
First Seen                    2013-06-02 12:52:07 EDT
Last Seen                     2013-06-02 12:55:10 EDT
Local ID                      3faeda2e-719a-4298-b8c5-f0b1d3d7bcbb

Raw Audit Messages
type=AVC msg=audit(1370192110.364:410): avc: denied { mmap_zero } for pid=4188 comm="wine-preloader" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect

type=SYSCALL msg=audit(1370192110.364:410): arch=i386 syscall=chmod success=no exit=EACCES a0=ffabeae0 a1=ffabeae0 a2=0 a3=ffabeca4 items=0 ppid=2123 pid=4188 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=1 tty=pts0 comm=wine-preloader exe=/usr/bin/wine-preloader subj=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 key=(null)

Hash: wine-preloader,wine_t,wine_t,memprotect,mmap_zero

audit2allow

#============= wine_t ==============
#!!!! This avc can be allowed using the boolean 'mmap_low_allowed'
allow wine_t self:memprotect mmap_zero;

audit2allow -R

require {
        type wine_t;
        class memprotect mmap_zero;
}

#============= wine_t ==============
#!!!! This avc can be allowed using the boolean 'mmap_low_allowed'
allow wine_t self:memprotect mmap_zero;
Still the same. The alert tells you what to do. Does it work in enforcing mode?