Additional info:
libreport version: 2.0.17
kernel: 3.6.3-3.fc18.i686.PAE
description:
:SELinux is preventing wine-preloader from 'mmap_zero' accesses on the memprotect .
:
:*****  Plugin mmap_zero (53.1 confidence) suggests  **************************
:
:If you do not think wine-preloader should need to mmap low memory in the kernel.
:Then you may be under attack by a hacker, this is a very dangerous access.
:Do
:contact your security administrator and report this issue.
:
:*****  Plugin catchall_boolean (42.6 confidence) suggests  *******************
:
:If you want to mmap_low_allowed
:Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean.You can read 'wine_selinux' man page for more details.
:Do
:setsebool -P mmap_low_allowed 1
:
:*****  Plugin catchall (5.76 confidence) suggests  ***************************
:
:If you believe that wine-preloader should be allowed mmap_zero access on the memprotect by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep wine-preloader /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023
:Target Context                unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023
:Target Objects                 [ memprotect ]
:Source                        wine-preloader
:Source Path                   wine-preloader
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages
:Target RPM Packages
:Policy RPM                    selinux-policy-3.11.1-43.fc18.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.6.3-3.fc18.i686.PAE #1 SMP Tue
:                              Oct 23 15:03:41 UTC 2012 i686 i686
:Alert Count                   31
:First Seen                    2012-10-24 09:24:05 YEKT
:Last Seen                     2012-10-25 18:48:52 YEKT
:Local ID                      35d54838-a13e-4a30-8f38-dc4272f0797c
:
:Raw Audit Messages
:type=AVC msg=audit(1351169332.49:360): avc: denied { mmap_zero } for pid=5068 comm="wine-preloader" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect
:
:
:Hash: wine-preloader,wine_t,wine_t,memprotect,mmap_zero
:
:audit2allow
:
:#============= wine_t ==============
:#!!!! This avc can be allowed using the boolean 'mmap_low_allowed'
:
:allow wine_t self:memprotect mmap_zero;
:
:audit2allow -R
:
:#============= wine_t ==============
:#!!!! This avc can be allowed using the boolean 'mmap_low_allowed'
:
:allow wine_t self:memprotect mmap_zero;
:
Created attachment 634277 File: type
Created attachment 634278 File: hashmarkername
If it works, you can ignore it. If not, you will need to turn on the 'mmap_low_allowed' boolean.
Why can't Wine be altered not to use low memory?
You can open a bugzilla with them.
What is the problem in using low memory?
I think wine NEEDS low memory for some apps: http://www.winehq.org/docs/winedev-guide/x2800
Read http://eparis.livejournal.com/
You can turn on the boolean if you want to run these apps, but you will be eliminating the protection.
(In reply to comment #8)
> Read
>
> http://eparis.livejournal.com/
>
> You can turn on the boolean if you want to run these apps, but you will be
> eliminating the protection.
Thank you, but I think there should be a more obvious option, maybe ask the user if he wants to disable the protection because wine needs it disabled. I will ask the wine devs for this.
Regards
(In reply to comment #3)
> If it works you can ignore it. If not you will need to turn on
> 'mmap_low_allowed' boolean.
Hi Miroslav,
What's the point of having the alert if the solution is to ignore it? I mean, I'd like to know if this is a bug in selinux or wine, and fix it in the appropriate component.
Regards
Well, it is not always something we want to ignore. We know about Wine's problem with it, so it is expected. Other apps that trigger this need to be fixed. Wine should be fixed, but certain ancient DOS emulation apps need this access, or they will not run.
Is there any way to set trouble shoot to ignore for wine only?
Isn't there a button in sealert browser that tells it to ignore this AVC?
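A triage sketch for the distinction drawn in the thread (the denial is expected from Wine, while other applications that trigger it need attention), added here as an example and not part of the original report or of setroubleshoot. It parses AVC records and splits mmap_zero denials by source domain. The second and third log lines, the exampled/example_t names and the EXPECTED_DOMAINS list are constructed assumptions.

```python
import re
from collections import Counter

# Sample audit.log text: the first record is the one from the report,
# the other two are constructed for illustration.
SAMPLE_LOG = """\
type=AVC msg=audit(1351169332.49:360): avc: denied { mmap_zero } for pid=5068 comm="wine-preloader" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect
type=AVC msg=audit(1351169400.10:361): avc: denied { mmap_zero } for pid=6001 comm="exampled" scontext=system_u:system_r:example_t:s0 tcontext=system_u:system_r:example_t:s0 tclass=memprotect
type=AVC msg=audit(1351169410.22:362): avc: denied { read } for pid=6002 comm="exampled" name="example.conf" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption: domains in which the thread treats this denial as known/expected.
EXPECTED_DOMAINS = {"wine_t"}

def parse_avc(line):
    """Return a dict of key=value fields plus 'perms', or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    rec["perms"] = m.group(1).split()
    return rec

def domain(context):
    """An SELinux context is user:role:type[:level]; the type is the domain."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else "?"

def triage_mmap_zero(log_text, expected=EXPECTED_DOMAINS):
    """Count memprotect/mmap_zero denials per (comm, domain), expected vs. not."""
    known, unknown = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if not rec or rec.get("tclass") != "memprotect":
            continue
        if "mmap_zero" not in rec["perms"]:
            continue
        key = (rec.get("comm", "?"), domain(rec.get("scontext", "")))
        (known if key[1] in expected else unknown)[key] += 1
    return known, unknown

if __name__ == "__main__":
    known, unknown = triage_mmap_zero(SAMPLE_LOG)
    print("expected:", dict(known))
    print("needs review:", dict(unknown))
```
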