Bug 730453 - SELinux is preventing /usr/bin/skype from 'mmap_zero' accesses on the memprotect Unknown.
Summary: SELinux is preventing /usr/bin/skype from 'mmap_zero' accesses on the memprot...
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 14
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:bc079912ec4...
Depends On:
TreeView+ depends on / blocked
Reported: 2011-08-13 04:48 UTC by Hicham HAOUARI
Modified: 2012-02-01 17:05 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2011-10-08 20:26:51 UTC

Attachments (Terms of Use)

Description Hicham HAOUARI 2011-08-13 04:48:57 UTC
SELinux is preventing /usr/bin/skype from 'mmap_zero' accesses on the memprotect Unknown.

*****  Plugin mmap_zero (53.1 confidence) suggests  **************************

If you do not think /usr/bin/skype should need to mmap low memory in the kernel.
Then you may be under attack by a hacker, this is a very dangerous access.
contact your security administrator and report this issue.

*****  Plugin catchall_boolean (42.6 confidence) suggests  *******************

If you want to control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr.
Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean.
setsebool -P mmap_low_allowed 1

*****  Plugin catchall (5.76 confidence) suggests  ***************************

If you believe that skype should be allowed mmap_zero access on the Unknown memprotect by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# grep skype /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_execmem_t:s0-
Target Context                unconfined_u:unconfined_r:unconfined_execmem_t:s0-
Target Objects                Unknown [ memprotect ]
Source                        skype
Source Path                   /usr/bin/skype
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           skype-
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-42.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) #1 SMP Sat May
                              21 17:39:42 UTC 2011 i686 i686
Alert Count                   82
First Seen                    Sat 13 Aug 2011 04:46:13 AM WET
Last Seen                     Sat 13 Aug 2011 04:46:53 AM WET
Local ID                      0f121363-851f-4afb-a9a7-56d4bc449340

Raw Audit Messages
type=AVC msg=audit(1313210813.907:27161): avc:  denied  { mmap_zero } for  pid=2565 comm="skype" scontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=memprotect

type=SYSCALL msg=audit(1313210813.907:27161): arch=i386 syscall=mmap2 per=400000 success=no exit=EACCES a0=0 a1=100000 a2=0 a3=4022 items=0 ppid=1 pid=2565 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=skype exe=/usr/bin/skype subj=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 key=(null)

Hash: skype,unconfined_execmem_t,unconfined_execmem_t,memprotect,mmap_zero


#============= unconfined_execmem_t ==============
#!!!! This avc can be allowed using the boolean 'mmap_low_allowed'

allow unconfined_execmem_t self:memprotect mmap_zero;

audit2allow -R

#============= unconfined_execmem_t ==============
#!!!! This avc can be allowed using the boolean 'mmap_low_allowed'

allow unconfined_execmem_t self:memprotect mmap_zero;

Comment 1 Daniel Walsh 2011-08-15 11:09:52 UTC
As the alert tells you, this is not something we want to allow.  You should report it as a bug to skype.  If skype continues to work file and just generates this ugly AVC, I would suggest you add a dontaudit rule and would be abel to continue to use the product.

Otherwise if you want to you can turn the boolean on, and lower your SELinux protections.

Note You need to log in before you can comment on or make changes to this bug.