Bug 730026 - SELinux is preventing /usr/sbin/vbetool from 'mmap_zero' accesses on the memprotect Unknown.
Summary: SELinux is preventing /usr/sbin/vbetool from 'mmap_zero' accesses on the memp...
Keywords:
Status: CLOSED CANTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:71b6811cb0f...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-08-11 15:17 UTC by Lari Tanase
Modified: 2011-08-11 15:21 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-08-11 15:21:29 UTC


Attachments (Terms of Use)

Description Lari Tanase 2011-08-11 15:17:53 UTC
SELinux is preventing /usr/sbin/vbetool from 'mmap_zero' accesses on the memprotect Unknown.

*****  Plugin mmap_zero (34.9 confidence) suggests  **************************

If you do not think /usr/sbin/vbetool should need to mmap low memory in the kernel.
Then you may be under attack by a hacker, this is a very dangerous access.
Do
contact your security administrator and report this issue.

*****  Plugin vbetool (34.9 confidence) suggests  ****************************

If you want to ignore this AVC because it is dangerous and your machine seems to be working correctly.
Then you must tell SELinux about this by enabling the vbetool_mmap_zero_ignore boolean.
Do
# setsebool -P vbetool_mmap_zero_ignore 1

*****  Plugin catchall_boolean (28.0 confidence) suggests  *******************

If you want to control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr.
Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean.
Do
setsebool -P mmap_low_allowed 1

*****  Plugin catchall (3.94 confidence) suggests  ***************************

If you believe that vbetool should be allowed mmap_zero access on the Unknown memprotect by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep vbetool /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:vbetool_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:vbetool_t:s0-s0:c0.c1023
Target Objects                Unknown [ memprotect ]
Source                        vbetool
Source Path                   /usr/sbin/vbetool
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           vbetool-1.2.2-1.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-35.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.40-4.fc15.x86_64 #1 SMP
                              Fri Jul 29 18:46:53 UTC 2011 x86_64 x86_64
Alert Count                   2
First Seen                    Thu 11 Aug 2011 05:15:34 PM CEST
Last Seen                     Thu 11 Aug 2011 05:16:02 PM CEST
Local ID                      2b7fba07-d27e-495a-bf4b-b7584e3dae70

Raw Audit Messages
type=AVC msg=audit(1313075762.379:100): avc:  denied  { mmap_zero } for  pid=8716 comm="vbetool" scontext=unconfined_u:unconfined_r:vbetool_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:vbetool_t:s0-s0:c0.c1023 tclass=memprotect


type=SYSCALL msg=audit(1313075762.379:100): arch=x86_64 syscall=mmap success=no exit=EACCES a0=f000 a1=502 a2=7 a3=11 items=0 ppid=5272 pid=8716 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm=vbetool exe=/usr/sbin/vbetool subj=unconfined_u:unconfined_r:vbetool_t:s0-s0:c0.c1023 key=(null)

Hash: vbetool,vbetool_t,vbetool_t,memprotect,mmap_zero

audit2allow

#============= vbetool_t ==============
#!!!! This avc can be allowed using the boolean 'mmap_low_allowed'

allow vbetool_t self:memprotect mmap_zero;

audit2allow -R

#============= vbetool_t ==============
#!!!! This avc can be allowed using the boolean 'mmap_low_allowed'

allow vbetool_t self:memprotect mmap_zero;

Comment 1 Daniel Walsh 2011-08-11 15:21:29 UTC
Probably best solution is to 

yum remove vbetool

You probably do not need it.

Otherwise the alert tells you what you can do.


Note You need to log in before you can comment on or make changes to this bug.