I'm not sure if this is something that should be allowed by default, or if the end-user should make an explicit choice. Also, I'm not even too sure what the security implications of this switch are.

==============================================================================

SELinux is preventing /usr/bin/wine-preloader from mmap_zero access on the memprotect Unknown.

***** Plugin wine (34.9 confidence) suggests *******************************

If you want to ignore this AVC because it is dangerous and your wine applications are working correctly.
Then you must tell SELinux about this by enabling the wine_mmap_zero_ignore boolean.
Do
# setsebool -P wine_mmap_zero_ignore 1

***** Plugin mmap_zero (34.9 confidence) suggests **************************

If you do not think /usr/bin/wine-preloader should need to mmap low memory in the kernel.
Then you may be under attack by a hacker, this is a very dangerous access.
Do
contact your security administrator and report this issue.

***** Plugin catchall_boolean (28.0 confidence) suggests *******************

If you want to control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr.
Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean.
Do
setsebool -P mmap_low_allowed 1

***** Plugin catchall (3.94 confidence) suggests ***************************

If you believe that wine-preloader should be allowed mmap_zero access on the Unknown memprotect by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep wine-preloader /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023
Target Objects                Unknown [ memprotect ]
Source                        wine-preloader
Source Path                   /usr/bin/wine-preloader
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           wine-core-1.3.14-2.fc14
Target RPM Packages
Policy RPM                    selinux-policy-3.9.7-31.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.35.11-83.fc14.x86_64 #1 SMP Mon Feb 7 07:06:44 UTC 2011 x86_64 x86_64
Alert Count                   4
First Seen                    Mon 21 Mar 2011 11:32:35 PM PDT
Last Seen                     Tue 22 Mar 2011 12:47:22 PM PDT
Local ID                      18acfc4b-d746-4a67-9901-0a6a82fe2821

Raw Audit Messages
type=AVC msg=audit(1300823242.86:13): avc: denied { mmap_zero } for pid=2192 comm="wine-preloader" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect

type=SYSCALL msg=audit(1300823242.86:13): arch=i386 syscall=chmod success=no exit=EACCES a0=ffcaf100 a1=10000 a2=ffcaf100 a3=ffcaf100 items=0 ppid=2150 pid=2192 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=wine-preloader exe=/usr/bin/wine-preloader subj=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 key=(null)

Hash: wine-preloader,wine_t,wine_t,memprotect,mmap_zero

audit2allow

#============= wine_t ==============
#!!!! This avc can be allowed using the boolean 'mmap_low_allowed'

allow wine_t self:memprotect mmap_zero;

audit2allow -R

#============= wine_t ==============
#!!!! This avc can be allowed using the boolean 'mmap_low_allowed'

allow wine_t self:memprotect mmap_zero;
That's a duplicate of bug 666363, isn't it?
Looks like it, but I don't know enough about the technical details to say for sure. I'll leave that judgement call in your capable hands.
*** This bug has been marked as a duplicate of bug 666363 ***