Bug 859625 - SELinux is preventing /home/ken/chrome-linux/nacl_helper_bootstrap from 'mmap_zero' accesses on the memprotect .
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:c33ae18f1c9fab33802eeef9aa6...
Duplicates: 870670 885290 1046863 1258210
Depends On:
Reported: 2012-09-22 15:04 UTC by Kenneth J. Jaeger
Modified: 2015-08-31 12:15 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2012-09-24 11:15:50 UTC
Type: ---

Attachments
File: type (9 bytes, text/plain)
2012-09-22 15:04 UTC, Kenneth J. Jaeger
File: hashmarkername (14 bytes, text/plain)
2012-09-22 15:04 UTC, Kenneth J. Jaeger

Description Kenneth J. Jaeger 2012-09-22 15:04:00 UTC
Additional info:
libreport version: 2.0.13
kernel:         3.6.0-0.rc2.git2.1.fc18.x86_64

:SELinux is preventing /home/ken/chrome-linux/nacl_helper_bootstrap from 'mmap_zero' accesses on the memprotect .
:*****  Plugin mmap_zero (53.1 confidence) suggests  **************************
:If you do not think /home/ken/chrome-linux/nacl_helper_bootstrap should need to mmap low memory in the kernel.
:Then you may be under attack by a hacker, this is a very dangerous access.
:contact your security administrator and report this issue.
:*****  Plugin catchall_boolean (42.6 confidence) suggests  *******************
:If you want to mmap_low_allowed
:Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean.You can read 'unconfined_selinux' man page for more details.
:setsebool -P mmap_low_allowed 1
:*****  Plugin catchall (5.76 confidence) suggests  ***************************
:If you believe that nacl_helper_bootstrap should be allowed mmap_zero access on the  memprotect by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:allow this access for now by executing:
:# grep nacl_helper_boo /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:Additional Information:
:Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
:                              023
:Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
:                              023
:Target Objects                 [ memprotect ]
:Source                        nacl_helper_boo
:Source Path                   /home/ken/chrome-linux/nacl_helper_bootstrap
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.11.1-21.fc18.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.6.0-0.rc2.git2.1.fc18.x86_64 #1
:                              SMP Wed Aug 22 11:54:04 UTC 2012 x86_64 x86_64
:Alert Count                   6
:First Seen                    2012-09-22 11:00:53 EDT
:Last Seen                     2012-09-22 11:00:53 EDT
:Local ID                      d7b3791e-1102-47ab-b5f1-4636d8c4ad94
:Raw Audit Messages
:type=AVC msg=audit(1348326053.985:328): avc:  denied  { mmap_zero } for  pid=2367 comm="nacl_helper_boo" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect
:type=SYSCALL msg=audit(1348326053.985:328): arch=x86_64 syscall=mmap success=no exit=EACCES a0=f000 a1=1000 a2=0 a3=4032 items=0 ppid=2351 pid=2367 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=2 comm=nacl_helper_boo exe=/home/ken/chrome-linux/nacl_helper_bootstrap subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
:Hash: nacl_helper_boo,unconfined_t,unconfined_t,memprotect,mmap_zero
:#============= unconfined_t ==============
:#!!!! This avc can be allowed using the boolean 'mmap_low_allowed'
:allow unconfined_t self:memprotect mmap_zero;
:audit2allow -R
:#============= unconfined_t ==============
:#!!!! This avc can be allowed using the boolean 'mmap_low_allowed'
:allow unconfined_t self:memprotect mmap_zero;

Comment 1 Kenneth J. Jaeger 2012-09-22 15:04:03 UTC
Created attachment 615838
File: type

Comment 2 Kenneth J. Jaeger 2012-09-22 15:04:04 UTC
Created attachment 615839
File: hashmarkername

Comment 3 Miroslav Grepl 2012-09-24 11:15:50 UTC
Basically the alert tells you what is wrong and what you could do. Did everything work?

Comment 4 Miroslav Grepl 2012-10-29 18:55:02 UTC
*** Bug 870670 has been marked as a duplicate of this bug. ***

Comment 5 Miroslav Grepl 2012-12-10 09:23:31 UTC
*** Bug 885290 has been marked as a duplicate of this bug. ***

Comment 6 Valent Turkovic 2012-12-17 08:09:04 UTC
So is this a bug in Chromium?

What are the consequences of allowing or blocking this behaviour?

Comment 7 Daniel Walsh 2012-12-17 19:54:08 UTC
Yes, chromium should not be requiring this access.  This access is very dangerous, because it exposes the user to a potentially exploitable kernel bug.

Comment 8 ZiN 2013-02-20 13:46:47 UTC
Then why is this report marked as a NOTABUG?

Comment 9 Mikhail 2013-02-20 13:57:23 UTC
Same with Opera https://bugzilla.redhat.com/show_bug.cgi?id=909554

Comment 10 Daniel Walsh 2013-02-22 13:17:34 UTC
You have a boolean you can turn on.  I would report this bug to Google.

Comment 11 Mikhail 2013-06-06 21:25:21 UTC
Why do you think that this is a bug in Google Chrome???
I see this alert only when I open very many tabs (~100)!!!
It seems the PAE kernel has a problem when an application tries to allocate a lot of memory. The kernel begins to allocate low addresses and this triggers the alert.

Can you check this???

Comment 12 Mikhail 2013-06-06 21:26:03 UTC
Please reopen this bug.

Comment 13 Eric Paris 2013-06-11 13:26:23 UTC
This is a google chrome bug.  No question.  It has nothing at all to do with the kernel in question.  I am 100% confident in this statement.  chrome is calling

mmap(0xf000, 0x1000, 0, MAP_NORESERVE | MAP_ANONYMOUS | MAP_FIXED | MAP_PRIVATE, ...)

The mmap_min_addr is 0xffff.  Chrome is requesting a fixed page below the allowed page range.  aka, chrome bug.
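
Added example (not part of the original bug report or any commenter's code): a small Python triage helper that decodes the `a0` to `a3` arguments of the SYSCALL audit record quoted in the description and shows that they match the `mmap` call spelled out in Comment 13. The flag table is the x86_64 Linux one, and `ASSUMED_MIN_ADDR` (65536) is an assumption; read the host's real value from `vm.mmap_min_addr`.

```python
import re

# x86_64 Linux mmap flag bits (from <sys/mman.h>); only those needed here.
MAP_FLAGS = {
    0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED",
    0x20: "MAP_ANONYMOUS", 0x4000: "MAP_NORESERVE",
}
PROT_BITS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}

# Assumption: 65536 is a common vm.mmap_min_addr setting; confirm the real
# value on the host with `sysctl vm.mmap_min_addr`.
ASSUMED_MIN_ADDR = 0x10000

# SYSCALL record from this bug report, shortened to the fields used below.
SAMPLE = ('type=SYSCALL msg=audit(1348326053.985:328): arch=x86_64 syscall=mmap '
          'success=no exit=EACCES a0=f000 a1=1000 a2=0 a3=4032 items=0 '
          'ppid=2351 pid=2367 comm=nacl_helper_boo '
          'exe=/home/ken/chrome-linux/nacl_helper_bootstrap')

def names(value, table, zero):
    """Render a bitmask as 'A|B', keeping unknown bits as hex."""
    known = [n for bit, n in sorted(table.items()) if value & bit]
    rest = value & ~sum(table)
    if rest:
        known.append(hex(rest))
    return "|".join(known) or zero

def decode_mmap(record, min_addr=ASSUMED_MIN_ADDR):
    """Decode an audit SYSCALL record for mmap; return None for other records."""
    f = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', record))
    # ausearch -i prints the name; raw logs carry the number (9 on x86_64).
    if f.get("type") != "SYSCALL" or f.get("syscall") not in ("mmap", "9"):
        return None
    # Audit logs print a0..a3 as hex without a 0x prefix.
    addr, length, prot, flags = (int(f[k], 16) for k in ("a0", "a1", "a2", "a3"))
    fixed = bool(flags & 0x10)
    return {
        "exe": f.get("exe", "?").strip('"'),
        "addr": addr, "length": length,
        "prot": names(prot, PROT_BITS, "PROT_NONE"),
        "flags": names(flags, MAP_FLAGS, "0"),
        # Only a MAP_FIXED request pins the mapping at addr; without it the
        # address is a hint the kernel may move above the minimum.
        "fixed_below_min": fixed and addr < min_addr,
    }

if __name__ == "__main__":
    print(decode_mmap(SAMPLE))
```
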

Comment 14 Mikhail 2013-06-12 19:01:54 UTC
Did you post this bug to the Google Chrome bug tracker? https://code.google.com/p/chromium/issues/list

Comment 15 Daniel Walsh 2014-01-03 19:57:34 UTC
*** Bug 1046863 has been marked as a duplicate of this bug. ***

Comment 16 Miroslav Grepl 2015-08-31 12:15:53 UTC
*** Bug 1258210 has been marked as a duplicate of this bug. ***
