Description of problem: I'm not sure if this is a bug in kdevelop or in selinux-policy Here's the SELinux alert text: SELinux is preventing /usr/bin/kdevelop from mmap_zero access on the memprotect Unknown. ***** Plugin mmap_zero (53.1 confidence) suggests ************************** If you do not think /usr/bin/kdevelop should need to mmap low memory in the kernel. Then you may be under attack by a hacker, this is a very dangerous access. Do contact your security administrator and report this issue. ***** Plugin catchall_boolean (42.6 confidence) suggests ******************* If you want to control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr. Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean. Do setsebool -P mmap_low_allowed 1 ***** Plugin catchall (5.76 confidence) suggests *************************** If you believe that kdevelop should be allowed mmap_zero access on the Unknown memprotect by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep kdevelop /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Objects Unknown [ memprotect ] Source kdevelop Source Path /usr/bin/kdevelop Port <Unknown> Host juniper Source RPM Packages kdevelop-4.2.3-3.fc15 Target RPM Packages Policy RPM selinux-policy-3.9.16-39.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name juniper Platform Linux juniper 2.6.40.6-0.fc15.i686.PAE #1 SMP Tue Oct 4 00:44:38 UTC 2011 i686 i686 Alert Count 5 First Seen Fri Oct 14 08:47:11 2011 Last Seen Fri Oct 14 08:47:11 2011 Local ID 240b891a-e4c1-4064-8a82-ff606a6ddc7c Raw Audit Messages type=AVC msg=audit(1318574831.957:2146): avc: denied { mmap_zero } for pid=25036 comm="kdevelop" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect type=SYSCALL msg=audit(1318574831.957:2146): arch=i386 syscall=mmap2 success=no exit=EACCES a0=0 a1=11000 a2=3 a3=22 items=0 ppid=24150 pid=25036 auid=2165 uid=2165 gid=2026 euid=2165 suid=2165 fsuid=2165 egid=2026 sgid=2026 fsgid=2026 tty=(none) ses=186 comm=kdevelop exe=/usr/bin/kdevelop subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) Hash: kdevelop,unconfined_t,unconfined_t,memprotect,mmap_zero audit2allow #============= unconfined_t ============== #!!!! This avc can be allowed using the boolean 'mmap_low_allowed' allow unconfined_t self:memprotect mmap_zero; audit2allow -R #============= unconfined_t ============== #!!!! This avc can be allowed using the boolean 'mmap_low_allowed' allow unconfined_t self:memprotect mmap_zero; Version-Release number of selected component (if applicable): kdevelop-4.2.3-3.fc15.i686 selinux-policy-3.9.16-39.fc15.noarch selinux-policy-targeted-3.9.16-39.fc15.noarch How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info:
This is a very dangerous access, this domain should not need it.
Without a backtrace of where KDevelop is trying to mmap NULL, I don't think we'll be able to fix this. So can we get such a backtrace? (AFAICS, the problem here is that SELinux fails the syscall with an error code rather than segfaulting the application, so it's hard to get a backtrace.)
Would I get a backtrace if I switch SELinux to permissive mode?
For starters, any clues on how to reproduce this?
> Would I get a backtrace if I switch SELinux to permissive mode? No. Permissive mode will not give you ANY backtraces, even for those actions where SELinux does produce a segfault in enforcing mode.
Though actually… If the code then tries to use the result of mmap with no error checking, you may get a segfault and thus a backtrace in permissive mode. So it's worth a try. But I'm not positive.
SELinux is just going to give permission denied.
So I guess we need some kind of watchpoint to intercept the bad call?
I'm sorry for wasting everyone's time. It's a kernel bug that I really need to get fixed upstream. It can happen with the perfect memory layout and set of allocations. The kernel, when picking a location for the mmap, tries to use an address that is lower than permissions allow. I need to stop the kernel from trying to use such addresses. I thought I had a bug to dup this against, but I'm just going to take this one, since I can't find that bug.
*** Bug 825458 has been marked as a duplicate of this bug. ***
I think this is same problem: https://bugzilla.redhat.com/show_bug.cgi?id=665145
*** Bug 833550 has been marked as a duplicate of this bug. ***
It's not the same issue. KDevelop should NOT need mmap_zero, there is or was a kernel bug triggering it. WINE, on the other hand, IS expected to use mmap_zero, for DOS/Win16 compatibility.
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle. Changing version to '19'. (As we did not run this process for some time, it could affect also pre-Fedora 19 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.) More information and reason for this action is here: https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19
Is this still an issue with the 3.9 kernels in F19?
I don't know how to reproduce this. It happened randomly.
Closing as insufficient data as it has been some time. If it pops up again, please reopen
Here's another occurrence of this same bug I believe. Alert message reads as follows: [root@d-p-13-40 log]# sealert -l 11960bc5-07fd-46aa-a6b9-7e57c3dfe342 SELinux is preventing /usr/bin/python2.7 from mmap_zero access on the memprotect Unknown. ***** Plugin mmap_zero (53.1 confidence) suggests ************************** If you do not think /usr/bin/python2.7 should need to mmap low memory in the kernel. Then you may be under attack by a hacker, this is a very dangerous access. Do contact your security administrator and report this issue. ***** Plugin catchall_boolean (42.6 confidence) suggests ******************* If you want to control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr. Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean. Do setsebool -P mmap_low_allowed 1 ***** Plugin catchall (5.76 confidence) suggests *************************** If you believe that python2.7 should be allowed mmap_zero access on the Unknown memprotect by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep paster /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp