Additional info:
libreport version: 2.0.17
kernel:            3.6.3-1.fc17.x86_64

description:
SELinux is preventing wine-preloader from 'mmap_zero' accesses on the memprotect .

*****  Plugin mmap_zero (53.1 confidence) suggests  **************************

If you do not think wine-preloader should need to mmap low memory in the kernel.
Then you may be under attack by a hacker, this is a very dangerous access.
Do
contact your security administrator and report this issue.

*****  Plugin catchall_boolean (42.6 confidence) suggests  *******************

If you want to mmap_low_allowed
Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean.
You can read 'wine_selinux' man page for more details.
Do
setsebool -P mmap_low_allowed 1

*****  Plugin catchall (5.76 confidence) suggests  ***************************

If you believe that wine-preloader should be allowed mmap_zero access on the memprotect by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep wine-preloader /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023
Target Objects                [ memprotect ]
Source                        wine-preloader
Source Path                   wine-preloader
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-156.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.6.3-1.fc17.x86_64 #1 SMP Mon Oct 22 15:32:35 UTC 2012 x86_64 x86_64
Alert Count                   10
First Seen                    2012-10-31 23:57:22 EDT
Last Seen                     2012-11-03 19:11:32 EDT
Local ID                      db2e9e79-fa93-4c62-9137-23ecee246e3c

Raw Audit Messages
type=AVC msg=audit(1351984292.65:225): avc:  denied  { mmap_zero } for  pid=16861 comm="wine-preloader" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect

Hash: wine-preloader,wine_t,wine_t,memprotect,mmap_zero

audit2allow

#============= wine_t ==============
#!!!! This avc can be allowed using the boolean 'mmap_low_allowed'

allow wine_t self:memprotect mmap_zero;

audit2allow -R

#============= wine_t ==============
#!!!! This avc can be allowed using the boolean 'mmap_low_allowed'

allow wine_t self:memprotect mmap_zero;
Created attachment 637816: File: type
Created attachment 637817: File: hashmarkername
This is pretty dangerous access. If wine does not work without this, you will need to do what sealert suggests to you:

# setsebool -P mmap_low_allowed 1
Why can't the settings that this makes:

# grep wine-preloader /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

be in the default settings? If wine will not function without it, a warning during installation that it will require this is fine. Simply seeing your app dying and having to search in selinux alerts to find out why is a pretty rubbish user experience.
Perhaps there are two proper resolutions here: a) Reassign the bug to the wine project in Fedora - either way somebody here should fix this. b) Change the default config. Either way - simply closing this and leaving the overall experience broken seems like the wrong attitude.
Because we do not want to allow any application, including those that run with unconfined_t, to mmap_zero, since bugs in the kernel have allowed root escalations caused by this access. Since most people do not use wine, we think it is a secure by default setting.
Can this be resolved with the Wine package maintainer, if it should be fixed there? They are both in the Fedora distro, which, if broken by default, should have one of these things excluded from it. Because of the time wasted on this (and the other apps) I've currently disabled selinux. I'm yet to be convinced I need it.
Can the component here be set to wine? Perhaps assigning it there may reach an actual solution.
I agree with Daniel Walsh. The default is fine from my pov as well. A lot of applications run fine with selinux + wine without having mmap_zero access. If you want to run an application which needs mmap_zero access you are free to enable it as suggested above.
So am I understanding that only specific wine apps will need this - or would the majority need this? I was attempting to install and run Evernote. This works perfectly with Selinux disabled.
How does it work with SELinux enabled/enforcing and the boolean set?
It does work once you find that selinux was the problem, and once you've found what changes you need to make for it to do so. It is a bit of a time sink for anyone encountering it a lot though - so for now it is most productive for me to leave it disabled.
My system is in Enforcing mode.

$ getsebool -a | grep wine
wine_mmap_zero_ignore --> off

I can run Evernote 4.6.2.7927 fine.
It is the installer that seemed to fail here - possibly because it has been built using far older windows tools than Evernote itself.
(In reply to comment #14)
> It is the installer that seemed to fail here - possibly because it has been
> built using far older windows tools than Evernote itself.

My comment is in regards to both the installer and the client program. I encountered no errors or crashes in executing either one. I suspect you have something else wrong with your system that is causing the issue. I would suggest that you start with a clean wine prefix.
Hmm - this is a recent FC17 with few other changes. wine was installed fresh from yum with the express reason of running evernote in it. The profile is recent too (the old one is mounted elsewhere), although I've used winetricks to install fonts and dependencies for Evernote. Potentially this is because the system is x86_64. I can always set up an x64 FC17 vm, try to install wine/evernote from scratch and see if the same problems occur. Note - other than generating this, the other symptom for me was that it locked up at the sign in/create account phase of the setup, and reproducibly did so. Doing the same with selinux disabled, it worked.