[fedora-india] Fwd: SELinux is preventing /usr/bin/skype from mmap_zero access on the memprotect Unknown.

Lakshmipathi.G lakshmipathi.g at gmail.com
Tue Aug 9 12:26:11 UTC 2011 

Hi -
If you don't have confidential data on your machine, I would suggest you to
turn of SELinux using "setenforce 0" (it needs root access)
and then verify it using "getenforce" .  Or disable it completely by
modifying the file /etc/selinux/config. This is very much easier way.

If you want to use SELinux with Skype,then do -
1.add  a selinux policy module  using  audit2allow command - "cat
/var/log/audit/audit.log  | audit2allow > skype.pp"

2.Make sure selinux-policy-devel package is installed and now compile the
module.
#make -f /usr/share/selinux/devel/Makefile skype.pp

3)load the module "semodule -i skype.pp "

4)verify it  - semodule -l | grep skype


Sometime back while working on OSS project, I found out SELinux documents
are extremely rare to find.
Few of them are -
Dan Walsh's blog -  http://danwalsh.livejournal.com/
and Dominick's http://selinux-mac.blogspot.com/

HTH

On Tue, Aug 9, 2011 at 5:23 PM, anjaz ahmed <anjazahmed at gmail.com> wrote:

> Dear friends,
>
> Recently upgraded to Fedora 15, the skype application gets crashed
> frequently.....The error details are as mentioned below. Would be great if
> someone get it fixed.
>
> Thanks
>
> =====================================================================
>
> SELinux is preventing /usr/bin/skype from mmap_zero access on the
> memprotect Unknown.
>
> ***** Plugin mmap_zero (53.1 confidence) suggests
> **************************
>
> If you do not think /usr/bin/skype should need to mmap low memory in the
> kernel.
> Then you may be under attack by a hacker, this is a very dangerous access.
> Do
> contact your security administrator and report this issue.
>
> ***** Plugin catchall_boolean (42.6 confidence) suggests
> *******************
>
> If you want to control the ability to mmap a low area of the address space,
> as configured by /proc/sys/kernel/mmap_min_addr.
> Then you must tell SELinux about this by enabling the 'mmap_low_allowed'
> boolean.
> Do
> setsebool -P mmap_low_allowed 1
>
> ***** Plugin catchall (5.76 confidence) suggests
> ***************************
>
> If you believe that skype should be allowed mmap_zero access on the Unknown
> memprotect by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep threaded-ml /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
> Additional Information:
> Source Context unconfined_u:unconfined_r:unconfined_execmem_t:s0-
> s0:c0.c1023
> Target Context unconfined_u:unconfined_r:unconfined_execmem_t:s0-
> s0:c0.c1023
> Target Objects Unknown [ memprotect ]
> Source threaded-ml
> Source Path /usr/bin/skype
> Port <Unknown>
> Host anjaz.intelvision.sc
> Source RPM Packages skype-2.2.0.35-fc10
> Target RPM Packages
> Policy RPM selinux-policy-3.9.16-35.fc15
> Selinux Enabled True
> Policy Type targeted
> Enforcing Mode Enforcing
> Host Name anjaz.intelvision.sc
> Platform Linux anjaz.intelvision.sc 2.6.38.8-35.fc15.x86_64
> #1 SMP Wed Jul 6 13:58:54 UTC 2011 x86_64 x86_64
> Alert Count 125
> First Seen Tue 09 Aug 2011 03:49:24 PM SCT
> Last Seen Tue 09 Aug 2011 03:49:27 PM SCT
> Local ID 943f7e9f-e074-437d-9ad1-cf76ac9f7615
>
> Raw Audit Messages
> type=AVC msg=audit(1312890567.697:245): avc: denied { mmap_zero } for
> pid=4405 comm="skype"
> scontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023
> tclass=memprotect
>
>
> type=SYSCALL msg=audit(1312890567.697:245): arch=i386 syscall=lgetxattr
> per=400000 success=no exit=EACCES a0=0 a1=1000 a2=3 a3=22 items=0 ppid=1769
> pid=4405 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
> sgid=500 fsgid=500 tty=(none) ses=1 comm=skype exe=/usr/bin/skype
> subj=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023
> key=(null)
>
> Hash:
> threaded-ml,unconfined_execmem_t,unconfined_execmem_t,memprotect,mmap_zero
>
> audit2allow
>
> #============= unconfined_execmem_t ==============
> #!!!! This avc can be allowed using the boolean 'mmap_low_allowed'
>
> allow unconfined_execmem_t self:memprotect mmap_zero;
>
> audit2allow -R
>
> #============= unconfined_execmem_t ==============
> #!!!! This avc can be allowed using the boolean 'mmap_low_allowed'
>
> allow unconfined_execmem_t self:memprotect mmap_zero;
>
>
>
> _______________________________________________
> india mailing list
> india at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/india
>



-- 
----
Cheers,
Lakshmipathi.G
FOSS Programmer.
www.giis.co.in
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.fedoraproject.org/pipermail/india/attachments/20110809/ac27a15b/attachment.html

More information about the india mailing list