SELinux is preventing /usr/bin/skype from 'mmap_zero' accesses on the memprotect Unknown.

***** Plugin mmap_zero (53.1 confidence) suggests **************************

If you do not think /usr/bin/skype should need to mmap low memory in the kernel.
Then you may be under attack by a hacker, this is a very dangerous access.
Do
contact your security administrator and report this issue.

***** Plugin catchall_boolean (42.6 confidence) suggests *******************

If you want to control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr.
Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean.
Do
setsebool -P mmap_low_allowed 1

***** Plugin catchall (5.76 confidence) suggests ***************************

If you believe that skype should be allowed mmap_zero access on the Unknown memprotect by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep threaded-ml /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023
Target Objects                Unknown [ memprotect ]
Source                        threaded-ml
Source Path                   /usr/bin/skype
Port                          <Ismeretlen>
Host                          (removed)
Source RPM Packages           skype-2.2.0.25-fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.9.16-15.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38.2-9.fc15.i686.PAE #1 SMP Wed Mar 30 16:47:28 UTC 2011 i686 i686
Alert Count                   70
First Seen                    2011. ápr. 18., hétfő, 20.29.02 CEST
Last Seen                     2011. ápr. 18., hétfő, 20.29.02 CEST
Local ID                      3202cf00-fbe2-4407-9c3a-f40a374329b4

Raw Audit Messages
type=AVC msg=audit(1303151342.759:161): avc: denied { mmap_zero } for pid=2288 comm="threaded-ml" scontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=memprotect

type=SYSCALL msg=audit(1303151342.759:161): arch=i386 syscall=mmap2 per=400000 success=no exit=EACCES a0=0 a1=100000 a2=0 a3=4022 items=0 ppid=1405 pid=2288 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=threaded-ml exe=/usr/bin/skype subj=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 key=(null)

Hash: threaded-ml,unconfined_execmem_t,unconfined_execmem_t,memprotect,mmap_zero

audit2allow

#============= unconfined_execmem_t ==============
#!!!! This avc can be allowed using the boolean 'mmap_low_allowed'
allow unconfined_execmem_t self:memprotect mmap_zero;

audit2allow -R

#============= unconfined_execmem_t ==============
#!!!! This avc can be allowed using the boolean 'mmap_low_allowed'
allow unconfined_execmem_t self:memprotect mmap_zero;
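The raw audit messages in the report above can be triaged mechanically. The following is an added example, not part of the original report or of any SELinux tool: it joins each denied mmap_zero AVC with the SYSCALL record that shares its audit event id and decodes the mmap2 arguments. The function names and the `min_addr` default are assumptions; the bit values are the Linux x86 mmap constants.

```python
import re

# Audit records copied from the report above (some SYSCALL fields trimmed).
SAMPLE = """\
type=AVC msg=audit(1303151342.759:161): avc: denied { mmap_zero } for pid=2288 comm="threaded-ml" scontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=memprotect
type=SYSCALL msg=audit(1303151342.759:161): arch=i386 syscall=mmap2 per=400000 success=no exit=EACCES a0=0 a1=100000 a2=0 a3=4022 items=0 ppid=1405 pid=2288 auid=500 uid=500 comm=threaded-ml exe=/usr/bin/skype
"""

# Linux x86 mmap() bit values; audit prints a0..a3 as hex without a 0x prefix.
PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
FLAGS = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED",
         0x20: "MAP_ANONYMOUS", 0x100: "MAP_GROWSDOWN", 0x4000: "MAP_NORESERVE"}
RECORD = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def names(value, table, empty):
    """Turn a bitmask into symbolic names, keeping unknown bits as hex."""
    out = [n for bit, n in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)
    return (out + ([hex(unknown)] if unknown else [])) or [empty]

def triage_mmap_zero(log_text, min_addr=65536):
    """Join each denied mmap_zero AVC with its SYSCALL record and decode the mmap args.

    min_addr is an assumed low-memory limit, not read from the host."""
    events = {}
    for line in log_text.splitlines():
        m = RECORD.match(line.strip())
        if m:  # group records that share the same audit event id
            events.setdefault(m.group(2), {})[m.group(1)] = m.group(3)
    findings = []
    for event_id, recs in events.items():
        if not re.search(r"denied\s+\{[^}]*\bmmap_zero\b", recs.get("AVC", "")):
            continue
        avc = dict(FIELD.findall(recs["AVC"]))
        sc = dict(FIELD.findall(recs.get("SYSCALL", "")))
        f = {"event": event_id, "comm": avc.get("comm", "").strip('"'),
             "exe": sc.get("exe"), "syscall": sc.get("syscall")}
        # Needs interpreted records (syscall name, as sealert prints); numeric ones are skipped.
        if sc.get("syscall") in ("mmap", "mmap2"):
            addr, length, prot, flags = (int(sc[k], 16) for k in ("a0", "a1", "a2", "a3"))
            f.update(addr=addr, length=length, prot=names(prot, PROT, "PROT_NONE"),
                     flags=names(flags, FLAGS, "0"),
                     # True only when the caller itself pinned the mapping below min_addr
                     fixed_low=bool(flags & 0x10) and addr < min_addr)
        findings.append(f)
    return findings
```

Without MAP_FIXED the address argument is only a hint, so `fixed_low` being false for the event in this report means the caller did not pin the mapping at a low address itself.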
Skype should not be requiring this. It is considered a very dangerous access and would not be allowed without lowering DAC permissions as well as SELinux. I would contact skype and report this as a serious regression.
I can see the same error on a fully updated Fedora 14 x86_64 with Skype wrapped with 32-bit libraries, but it is an intermittent problem, which does not always happen, and it happens only when you start Skype the first time after a reboot. At the same time it seems that Skype leaks memory, causing a consumption of all the available memory and then crashing itself, freeing the memory, and the system becomes stable and normal again. You launch it again and it works fine with no issue. Because the system is almost completely unresponsive when the issue happens, it is very hard for me to investigate further.

In /var/log/messages you can see:

Apr 25 13:42:58 aspire gnome-session[2278]: EggSMClient-WARNING: Desktop file '/usr/share/applications/skype.desktop' has malformed Icon key 'skype.png'(should not include extension)
Apr 26 21:31:43 aspire kernel: [ 722.470033] process `skype' is using obsolete setsockopt SO_BSDCOMPAT
May 1 17:26:05 aspire kernel: [ 418.201228] process `skype' is using obsolete setsockopt SO_BSDCOMPAT
May 1 17:28:56 aspire setroubleshoot: SELinux is preventing /usr/bin/skype from mmap_zero access on the memprotect Unknown. For complete SELinux messages. run sealert -l 5388cc43-e52a-4970-99dd-143cbda2e14e

The SELinux message itself then continues for another 2-3 minutes every few seconds, I believe until Skype crashes. I have used the same version of Skype on an i686 Fedora 14 desktop with no problem at all for a good few months. I wonder if it has anything to do with using Wi-Fi instead of wired net.

skype-2.2.0.25-fc10.i586
Kernel: 2.6.35.12-88.fc14.x86_64 #1 SMP
Is skype using wine libraries?
(In reply to comment #3)
> Is skype using wine libraries?

No, it's the native Linux client downloaded from: http://www.skype.com/go/getskype-linux-beta-fc10
It depends only on qt4 and dbus.
No, it's not using wine libs.

[gescape@aspire 3250]$ ldd /usr/bin/skype
not a dynamic executable

[gescape@aspire 3250]$ rpm -qi skype
Name        : skype                        Relocations: (not relocatable)
Version     : 2.2.0.25                     Vendor: (none)
Release     : fc10                         Build Date: Wed 30 Mar 2011 02:00:03 PM IST
Install Date: Tue 19 Apr 2011 01:56:53 AM IST   Build Host: tll-popeye
Group       : Applications/Internet        Source RPM: skype-2.2.0.25-fc10.src.rpm
Size        : 28730980                     License: Commercial
Signature   : (none)

[gescape@aspire ~]$ rpm -qa | grep skype
skype-2.2.0.25-fc10.i586

[gescape@aspire ~]$ rpm -ql skype-2.2.0.25-fc10.i586
/etc/dbus-1/system.d/skype.conf
/etc/prelink.conf.d/skype.conf
/usr/bin/skype
/usr/share/applications/skype.desktop
/usr/share/doc/skype-2.2.0.25
/usr/share/doc/skype-2.2.0.25/LICENSE
/usr/share/doc/skype-2.2.0.25/README
/usr/share/icons/skype.png
/usr/share/pixmaps/skype.png
/usr/share/skype/lang/skype_bg.qm
/usr/share/skype/lang/skype_bg.ts
/usr/share/skype/lang/skype_de.qm
/usr/share/skype/lang/skype_de.ts
/usr/share/skype/lang/skype_en.qm
/usr/share/skype/lang/skype_en.ts
/usr/share/skype/lang/skype_es.qm
/usr/share/skype/lang/skype_es.ts
/usr/share/skype/lang/skype_et.qm
/usr/share/skype/lang/skype_et.ts
/usr/share/skype/lang/skype_fr.qm
/usr/share/skype/lang/skype_fr.ts
/usr/share/skype/lang/skype_it.qm
/usr/share/skype/lang/skype_it.ts
/usr/share/skype/lang/skype_ja.qm
/usr/share/skype/lang/skype_ja.ts
/usr/share/skype/lang/skype_ko.qm
/usr/share/skype/lang/skype_ko.ts
/usr/share/skype/lang/skype_lt.qm
/usr/share/skype/lang/skype_lt.ts
/usr/share/skype/lang/skype_lv.qm
/usr/share/skype/lang/skype_lv.ts
/usr/share/skype/lang/skype_pl.qm
/usr/share/skype/lang/skype_pl.ts
/usr/share/skype/lang/skype_pt_br.qm
/usr/share/skype/lang/skype_pt_br.ts
/usr/share/skype/lang/skype_pt_pt.qm
/usr/share/skype/lang/skype_pt_pt.ts
/usr/share/skype/lang/skype_ro.qm
/usr/share/skype/lang/skype_ro.ts
/usr/share/skype/lang/skype_ru.qm
/usr/share/skype/lang/skype_ru.ts
/usr/share/skype/lang/skype_th.qm
/usr/share/skype/lang/skype_th.ts
/usr/share/skype/lang/skype_tr.qm
/usr/share/skype/lang/skype_tr.ts
/usr/share/skype/lang/skype_uk.qm
/usr/share/skype/lang/skype_uk.ts
/usr/share/skype/lang/skype_zh_s.qm
/usr/share/skype/lang/skype_zh_s.ts
/usr/share/skype/lang/skype_zh_t.qm
/usr/share/skype/lang/skype_zh_t.ts
/usr/share/skype/sounds/CallBusy.wav
/usr/share/skype/sounds/CallConnecting.wav
/usr/share/skype/sounds/CallFailed.wav
/usr/share/skype/sounds/CallHangup.wav
/usr/share/skype/sounds/CallHold.wav
/usr/share/skype/sounds/CallRemoteHangup.wav
/usr/share/skype/sounds/CallResume.wav
/usr/share/skype/sounds/CallRingingIn.wav
/usr/share/skype/sounds/CallRingingOut.wav
/usr/share/skype/sounds/ChatIncoming.wav
/usr/share/skype/sounds/ChatIncomingInitial.wav
/usr/share/skype/sounds/ChatOutgoing.wav
/usr/share/skype/sounds/ContactAdded.wav
/usr/share/skype/sounds/ContactAuthRequest.wav
/usr/share/skype/sounds/ContactOffline.wav
/usr/share/skype/sounds/ContactOnline.wav
/usr/share/skype/sounds/SkypeLogin.wav
/usr/share/skype/sounds/SkypeLogout.wav
/usr/share/skype/sounds/TransferComplete.wav
/usr/share/skype/sounds/TransferFailed.wav
/usr/share/skype/sounds/TransferRequest.wav
/usr/share/skype/sounds/VoicemailReceived.wav

[gescape@aspire 3250]$ cat status
Name: skype
State: S (sleeping)
Tgid: 3250
Pid: 3250
PPid: 1
TracerPid: 0
Uid: 500 500 500 500
Gid: 500 500 500 500
Utrace: 0
FDSize: 1024
Groups: 500
VmPeak: 331296 kB
VmSize: 308944 kB
VmLck: 0 kB
VmHWM: 78300 kB
VmRSS: 72404 kB
VmData: 129672 kB
VmStk: 136 kB
VmExe: 20316 kB
VmLib: 71544 kB
VmPTE: 368 kB
VmSwap: 0 kB
Threads: 15
SigQ: 0/28958
SigPnd: 0000000000000000
ShdPnd: 0000000000000000
SigBlk: 0000000000000000
SigIgn: 0000000000001000
SigCgt: 00000001800144e8
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: ffffffffffffffff
Cpus_allowed: ff
Cpus_allowed_list: 0-7
Mems_allowed: 00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001
Mems_allowed_list: 0
voluntary_ctxt_switches: 144997
nonvoluntary_ctxt_switches: 68134
You could turn off the protection for the unconfined user

setsebool -P mmap_low_allowed 1

Or just live with it hanging. But this is definitely a skype bug, that should be fixed, but if their latest code is for F10 and only a beta, I would not bet on them being responsive.
*** Bug 702813 has been marked as a duplicate of this bug. ***
I reported this problem into Skype JIRA: https://jira.skype.com/browse/SCL-746
SELinux is preventing /usr/bin/skype from mmap_zero access on the memprotect Unknown.

***** Plugin mmap_zero (53.1 confidence) suggests **************************

If you do not think /usr/bin/skype should need to mmap low memory in the kernel.
Then you may be under attack by a hacker, this is a very dangerous access.
Do
contact your security administrator and report this issue.

***** Plugin catchall_boolean (42.6 confidence) suggests *******************

If you want to control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr.
Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean.
Do
setsebool -P mmap_low_allowed 1

***** Plugin catchall (5.76 confidence) suggests ***************************

If you believe that skype should be allowed mmap_zero access on the Unknown memprotect by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep threaded-ml /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023
Target Objects                Unknown [ memprotect ]
Source                        threaded-ml
Source Path                   /usr/bin/skype
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.9.16-26.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux Zaid 2.6.38.7-30.fc15.i686 #1 SMP Fri May 27 06:02:17 UTC 2011 i686 i686
Alert Count                   72
First Seen                    Wed 15 Jun 2011 07:12:48 PM IDT
Last Seen                     Wed 15 Jun 2011 07:12:49 PM IDT
Local ID                      51e7a0f6-b6fe-4e6a-a8f5-890c29427d2a

Raw Audit Messages
type=AVC msg=audit(1308154369.469:162): avc: denied { mmap_zero } for pid=1729 comm="threaded-ml" scontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=memprotect

Hash: threaded-ml,unconfined_execmem_t,unconfined_execmem_t,memprotect,mmap_zero

audit2allow

#============= unconfined_execmem_t ==============
#!!!! This avc can be allowed using the boolean 'mmap_low_allowed'
allow unconfined_execmem_t self:memprotect mmap_zero;

audit2allow -R

#============= unconfined_execmem_t ==============
#!!!! This avc can be allowed using the boolean 'mmap_low_allowed'
allow unconfined_execmem_t self:memprotect mmap_zero;
I'm running Fedora 15, 64-Bit.
Skype is 2.2.0.35 (beta?)
32-bit libraries installed, but I can't say for sure if they're all there.
Cheese seems OK.
Skype runs, and I get the video of my counterpart, but he doesn't get mine.
When I test the video from the Options menu (skype), it seems fine.
Anyhow, I don't see any "video call" button anywhere on the interface (there is one in the windows version, so ?)
Fixed. I did a yum remove skype the same way I had installed, and then reconnected as root, using "su -" this time (instead of only "su"), and reinstalled. I also followed SELinux's fix recommendations. Now it works OK both ways. Apparently no need to bother about Xsane. It seems that it's perfectly normal that there is no "video call" button on the interface. Thanks ...