697616 – SELinux is preventing /usr/bin/skype from 'mmap_zero' accesses on the memprotect Unknown.

Bug 697616 - SELinux is preventing /usr/bin/skype from 'mmap_zero' accesses on the memprotect Unknown.

Summary: SELinux is preventing /usr/bin/skype from 'mmap_zero' accesses on the memprot...

Keywords:
Status:	CLOSED CANTFIX
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	15
Hardware:	i386
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	setroubleshoot_trace_hash:0070597cdea...
Duplicates (1):	702813 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-04-18 18:31 UTC by Hegyi Szabolcs
Modified:	2012-01-23 23:18 UTC (History)
CC List:	34 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2011-05-06 17:51:36 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Hegyi Szabolcs 2011-04-18 18:31:52 UTC

SELinux is preventing /usr/bin/skype from 'mmap_zero' accesses on the memprotect Unknown.

*****  Plugin mmap_zero (53.1 confidence) suggests  **************************

If you do not think /usr/bin/skype should need to mmap low memory in the kernel.
Then you may be under attack by a hacker, this is a very dangerous access.
Do
contact your security administrator and report this issue.

*****  Plugin catchall_boolean (42.6 confidence) suggests  *******************

If you want to control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr.
Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean.
Do
setsebool -P mmap_low_allowed 1

*****  Plugin catchall (5.76 confidence) suggests  ***************************

If you believe that skype should be allowed mmap_zero access on the Unknown memprotect by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep threaded-ml /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_execmem_t:s0-
                              s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_execmem_t:s0-
                              s0:c0.c1023
Target Objects                Unknown [ memprotect ]
Source                        threaded-ml
Source Path                   /usr/bin/skype
Port                          <Ismeretlen>
Host                          (removed)
Source RPM Packages           skype-2.2.0.25-fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-15.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.38.2-9.fc15.i686.PAE #1 SMP Wed Mar 30
                              16:47:28 UTC 2011 i686 i686
Alert Count                   70
First Seen                    2011. ápr. 18., hétfő, 20.29.02 CEST
Last Seen                     2011. ápr. 18., hétfő, 20.29.02 CEST
Local ID                      3202cf00-fbe2-4407-9c3a-f40a374329b4

Raw Audit Messages
type=AVC msg=audit(1303151342.759:161): avc:  denied  { mmap_zero } for  pid=2288 comm="threaded-ml" scontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=memprotect


type=SYSCALL msg=audit(1303151342.759:161): arch=i386 syscall=mmap2 per=400000 success=no exit=EACCES a0=0 a1=100000 a2=0 a3=4022 items=0 ppid=1405 pid=2288 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=threaded-ml exe=/usr/bin/skype subj=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 key=(null)

Hash: threaded-ml,unconfined_execmem_t,unconfined_execmem_t,memprotect,mmap_zero

audit2allow

#============= unconfined_execmem_t ==============
#!!!! This avc can be allowed using the boolean 'mmap_low_allowed'

allow unconfined_execmem_t self:memprotect mmap_zero;

audit2allow -R

#============= unconfined_execmem_t ==============
#!!!! This avc can be allowed using the boolean 'mmap_low_allowed'

allow unconfined_execmem_t self:memprotect mmap_zero;

Comment 1 Daniel Walsh 2011-04-18 19:25:24 UTC

Skype should not be requiring this.  It is considered a very dangerous access and would not be allowed without lowering DAC permissions as well as SELinux.

I would contact skype and report this as a serious regression.

Comment 2 Grzegorz Witkowski 2011-05-01 16:57:01 UTC

I can see the same error on a fully updated Fedora 14 x86_64 with Skype wrapped with 32-bit libraries, but it is an intermittent problem, which does not happen always and it happens only when you start Skype the first time after a reboot. At the same time it seems that the Skype leaks memory causing a consumption of all the available memory and then crashing itself freeing the memory and the system becomes stable and normal again. You lunch it again and it works fine with no issue. Because the system is almost completely unresponsive when the issue happens it is very hard for me to investigate further.
In /var/log/messages you can see:

Apr 25 13:42:58 aspire gnome-session[2278]: EggSMClient-WARNING: Desktop file '/usr/share/applications/skype.desktop' has malformed Icon key 'skype.png'(should not include extension)
Apr 26 21:31:43 aspire kernel: [ 722.470033] process `skype' is using obsolete setsockopt SO_BSDCOMPAT
May 1 17:26:05 aspire kernel: [ 418.201228] process `skype' is using obsolete setsockopt SO_BSDCOMPAT
May 1 17:28:56 aspire setroubleshoot: SELinux is preventing /usr/bin/skype from mmap_zero access on the memprotect Unknown. For complete SELinux messages. run sealert -l 5388cc43-e52a-4970-99dd-143cbda2e14e

SELinux message itself then continues then for another 2-3 minutes every few seconds, I believe until Skype crashes.

I use the same version of Skype on i686 Fedora 14 desktop with no problem at all for good few months. I wonder if it has anything to do with using Wi-Fi instead of wired net.

skype-2.2.0.25-fc10.i586
Kernel: 2.6.35.12-88.fc14.x86_64 #1 SMP

Comment 3 Daniel Walsh 2011-05-03 18:10:50 UTC

Is skype using wine libraries?

Comment 4 Nicola Soranzo 2011-05-03 20:32:27 UTC

(In reply to comment #3)
> Is skype using wine libraries?

No, it's the native Linux client downloaded from:

http://www.skype.com/go/getskype-linux-beta-fc10

It depends only on qt4 and dbus.

Comment 5 Grzegorz Witkowski 2011-05-04 00:55:58 UTC

No, it's not using wine libs.

[gescape@aspire 3250]$ ldd /usr/bin/skype 
	not a dynamic executable

[gescape@aspire 3250]$ rpm -qi skype
Name        : skype                        Relocations: (not relocatable)
Version     : 2.2.0.25                          Vendor: (none)
Release     : fc10                          Build Date: Wed 30 Mar 2011 02:00:03 PM IST
Install Date: Tue 19 Apr 2011 01:56:53 AM IST      Build Host: tll-popeye
Group       : Applications/Internet         Source RPM: skype-2.2.0.25-fc10.src.rpm
Size        : 28730980                         License: Commercial
Signature   : (none)


[gescape@aspire ~]$ rpm -qa | grep skype
skype-2.2.0.25-fc10.i586

[gescape@aspire ~]$ rpm -ql skype-2.2.0.25-fc10.i586
/etc/dbus-1/system.d/skype.conf
/etc/prelink.conf.d/skype.conf
/usr/bin/skype
/usr/share/applications/skype.desktop
/usr/share/doc/skype-2.2.0.25
/usr/share/doc/skype-2.2.0.25/LICENSE
/usr/share/doc/skype-2.2.0.25/README
/usr/share/icons/skype.png
/usr/share/pixmaps/skype.png
/usr/share/skype/lang/skype_bg.qm
/usr/share/skype/lang/skype_bg.ts
/usr/share/skype/lang/skype_de.qm
/usr/share/skype/lang/skype_de.ts
/usr/share/skype/lang/skype_en.qm
/usr/share/skype/lang/skype_en.ts
/usr/share/skype/lang/skype_es.qm
/usr/share/skype/lang/skype_es.ts
/usr/share/skype/lang/skype_et.qm
/usr/share/skype/lang/skype_et.ts
/usr/share/skype/lang/skype_fr.qm
/usr/share/skype/lang/skype_fr.ts
/usr/share/skype/lang/skype_it.qm
/usr/share/skype/lang/skype_it.ts
/usr/share/skype/lang/skype_ja.qm
/usr/share/skype/lang/skype_ja.ts
/usr/share/skype/lang/skype_ko.qm
/usr/share/skype/lang/skype_ko.ts
/usr/share/skype/lang/skype_lt.qm
/usr/share/skype/lang/skype_lt.ts
/usr/share/skype/lang/skype_lv.qm
/usr/share/skype/lang/skype_lv.ts
/usr/share/skype/lang/skype_pl.qm
/usr/share/skype/lang/skype_pl.ts
/usr/share/skype/lang/skype_pt_br.qm
/usr/share/skype/lang/skype_pt_br.ts
/usr/share/skype/lang/skype_pt_pt.qm
/usr/share/skype/lang/skype_pt_pt.ts
/usr/share/skype/lang/skype_ro.qm
/usr/share/skype/lang/skype_ro.ts
/usr/share/skype/lang/skype_ru.qm
/usr/share/skype/lang/skype_ru.ts
/usr/share/skype/lang/skype_th.qm
/usr/share/skype/lang/skype_th.ts
/usr/share/skype/lang/skype_tr.qm
/usr/share/skype/lang/skype_tr.ts
/usr/share/skype/lang/skype_uk.qm
/usr/share/skype/lang/skype_uk.ts
/usr/share/skype/lang/skype_zh_s.qm
/usr/share/skype/lang/skype_zh_s.ts
/usr/share/skype/lang/skype_zh_t.qm
/usr/share/skype/lang/skype_zh_t.ts
/usr/share/skype/sounds/CallBusy.wav
/usr/share/skype/sounds/CallConnecting.wav
/usr/share/skype/sounds/CallFailed.wav
/usr/share/skype/sounds/CallHangup.wav
/usr/share/skype/sounds/CallHold.wav
/usr/share/skype/sounds/CallRemoteHangup.wav
/usr/share/skype/sounds/CallResume.wav
/usr/share/skype/sounds/CallRingingIn.wav
/usr/share/skype/sounds/CallRingingOut.wav
/usr/share/skype/sounds/ChatIncoming.wav
/usr/share/skype/sounds/ChatIncomingInitial.wav
/usr/share/skype/sounds/ChatOutgoing.wav
/usr/share/skype/sounds/ContactAdded.wav
/usr/share/skype/sounds/ContactAuthRequest.wav
/usr/share/skype/sounds/ContactOffline.wav
/usr/share/skype/sounds/ContactOnline.wav
/usr/share/skype/sounds/SkypeLogin.wav
/usr/share/skype/sounds/SkypeLogout.wav
/usr/share/skype/sounds/TransferComplete.wav
/usr/share/skype/sounds/TransferFailed.wav
/usr/share/skype/sounds/TransferRequest.wav
/usr/share/skype/sounds/VoicemailReceived.wav


[gescape@aspire 3250]$ cat status 
Name:	skype
State:	S (sleeping)
Tgid:	3250
Pid:	3250
PPid:	1
TracerPid:	0
Uid:	500	500	500	500
Gid:	500	500	500	500
Utrace:	0
FDSize:	1024
Groups:	500 
VmPeak:	  331296 kB
VmSize:	  308944 kB
VmLck:	       0 kB
VmHWM:	   78300 kB
VmRSS:	   72404 kB
VmData:	  129672 kB
VmStk:	     136 kB
VmExe:	   20316 kB
VmLib:	   71544 kB
VmPTE:	     368 kB
VmSwap:	       0 kB
Threads:	15
SigQ:	0/28958
SigPnd:	0000000000000000
ShdPnd:	0000000000000000
SigBlk:	0000000000000000
SigIgn:	0000000000001000
SigCgt:	00000001800144e8
CapInh:	0000000000000000
CapPrm:	0000000000000000
CapEff:	0000000000000000
CapBnd:	ffffffffffffffff
Cpus_allowed:	ff
Cpus_allowed_list:	0-7
Mems_allowed:	00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001
Mems_allowed_list:	0
voluntary_ctxt_switches:	144997
nonvoluntary_ctxt_switches:	68134

Comment 6 Daniel Walsh 2011-05-06 17:51:36 UTC

You could turn off the protection for the unconfined user 

setsebool -P mmap_low_allowed 1

Or just live with it hanging.  But this is definitely a skype bug, that should be fixed, but if their latest code is for F10 and only a beta, I would not bet on them being responsive.

Comment 7 Daniel Walsh 2011-05-09 15:41:52 UTC

*** Bug 702813 has been marked as a duplicate of this bug. ***

Comment 8 Julian Sikorski 2011-05-13 21:53:18 UTC

I reported this problem into Skype JIRA:
https://jira.skype.com/browse/SCL-746

Comment 9 zaid-st 2011-06-15 16:57:22 UTC

SELinux is preventing /usr/bin/skype from mmap_zero access on the memprotect Unknown.

*****  Plugin mmap_zero (53.1 confidence) suggests  **************************

If you do not think /usr/bin/skype should need to mmap low memory in the kernel.
Then you may be under attack by a hacker, this is a very dangerous access.
Do
contact your security administrator and report this issue.

*****  Plugin catchall_boolean (42.6 confidence) suggests  *******************

If you want to control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr.
Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean.
Do
setsebool -P mmap_low_allowed 1

*****  Plugin catchall (5.76 confidence) suggests  ***************************

If you believe that skype should be allowed mmap_zero access on the Unknown memprotect by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep threaded-ml /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_execmem_t:s0-
                              s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_execmem_t:s0-
                              s0:c0.c1023
Target Objects                Unknown [ memprotect ]
Source                        threaded-ml
Source Path                   /usr/bin/skype
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-26.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux Zaid 2.6.38.7-30.fc15.i686 #1 SMP Fri May 27
                              06:02:17 UTC 2011 i686 i686
Alert Count                   72
First Seen                    Wed 15 Jun 2011 07:12:48 PM IDT
Last Seen                     Wed 15 Jun 2011 07:12:49 PM IDT
Local ID                      51e7a0f6-b6fe-4e6a-a8f5-890c29427d2a

Raw Audit Messages
type=AVC msg=audit(1308154369.469:162): avc:  denied  { mmap_zero } for  pid=1729 comm="threaded-ml" scontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=memprotect


Hash: threaded-ml,unconfined_execmem_t,unconfined_execmem_t,memprotect,mmap_zero

audit2allow

#============= unconfined_execmem_t ==============
#!!!! This avc can be allowed using the boolean 'mmap_low_allowed'

allow unconfined_execmem_t self:memprotect mmap_zero;

audit2allow -R

#============= unconfined_execmem_t ==============
#!!!! This avc can be allowed using the boolean 'mmap_low_allowed'

allow unconfined_execmem_t self:memprotect mmap_zero;

Comment 10 LamerMan 2011-11-13 11:48:50 UTC

I'm running Fedora 15, 64-Bit. Skype is 2.2.0.35 (beta?)
32-bit libraries installed, but I can't say for sure if they're all there.
Cheese seems OK
Skype runs, and I get the video of my counterpart, but he doesn't get mine.
When I test the video from the Options menu (skype), it seems fine.
Anyhow, I don't see any "video call" button anywhere on the interface (there is one in the windows version, so ?)

Comment 11 LamerMan 2011-11-16 20:24:20 UTC

Fixed. I did a yum remove skype the same way I had installed, and then reconnected as root, using "su -" this time (instead of only "su"), and reinstalled. I also followed SELinux's fix recommendations. Now it works OK both ways.
Apparently no need to bother about Xsane.
It seems that it's perfectly normal that there is no "video call" button on the interface.
Thanks ...

Note You need to log in before you can comment on or make changes to this bug.

alex179ohm
alizekft
belegdol
claudio.guima
denis.keller1
dirtdart666
doctore
dwalsh
eparis
geslinux
haildmitry
igeorgex
jan.vicha
josian2200
larieu
le2ka
macleod2486
mgrepl
ms
nomad0227
nsoranzo
oeffoeff1967
old.uncle.z
paul.girault
peljasz
postawa
reis.lucia
rtekel
tony
viabsb
vic.uned
vmedrea
xfirebg
zaid-st