Yeah, I've actually noticed that same thing happening too, but the trouble is that wine_mmap_zero_ignore is set to "on" already on my machine. <br><br>R.<br><br><div class="gmail_quote">On Wed, Sep 1, 2010 at 7:24 PM, Dominick Grift <span dir="ltr"><<a href="mailto:domg472@gmail.com">domg472@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><div><div></div><div class="h5">On Wed, Sep 01, 2010 at 03:49:14PM -0700, Antonio Olivares wrote:<br>
> Dear selinux experts,<br>
><br>
> I have a sealert for running a windows program under wine. There had been no problems on a Fedora 13 x86_64 machine till I installed this program. I have not done anything yet. The program runs, but I am hesitant to do anything; therefore I ask for your guidance as to what should I do?<br>
><br>
> Here's the alert:<br>
><br>
><br>
> Summary:<br>
><br>
> SELinux has prevented wine from performing an unsafe memory operation.<br>
><br>
> Detailed Description:<br>
><br>
> SELinux denied an operation requested by wine-preloader, a program used to run<br>
> Windows applications under Linux. This program is known to use an unsafe<br>
> operation on system memory but so are a number of malware/exploit programs which<br>
> masquerade as wine. If you were attempting to run a Windows program your only<br>
> choices are to allow this operation and reduce your system security against such<br>
> malware or to refrain from running Windows applications under Linux. If you were<br>
> not attempting to run a Windows application this indicates you are likely being<br>
> attacked by some for of malware or program trying to exploit your system for<br>
> nefarious purposes. Please refer to<br>
> <a href="http://wiki.winehq.org/PreloaderPageZeroProblem" target="_blank">http://wiki.winehq.org/PreloaderPageZeroProblem</a> Which outlines the other<br>
> problems wine encounters due to its unsafe use of memory and solutions to those<br>
> problems.<br>
><br>
> Allowing Access:<br>
><br>
> If you decide to continue to run the program in question you will need to allow<br>
> this operation. This can be done on the command line by executing: # setsebool<br>
> -P mmap_low_allowed 1<br>
><br>
> Fix Command:<br>
><br>
> /usr/sbin/setsebool -P mmap_low_allowed 1<br>
><br>
> Additional Information:<br>
><br>
> Source Context unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023<br>
> Target Context unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023<br>
> Target Objects None [ memprotect ]<br>
> Source wine-preloader<br>
> Source Path /usr/bin/wine-preloader<br>
> Port <Unknown><br>
> Host n6355-50168<br>
> Source RPM Packages wine-core-1.2.0-2.fc13<br>
> Target RPM Packages<br>
> Policy RPM selinux-policy-3.7.19-47.fc13<br>
> Selinux Enabled True<br>
> Policy Type targeted<br>
> Enforcing Mode Enforcing<br>
> Plugin Name wine<br>
> Host Name n6355-50168<br>
> Platform Linux n6355-50168 2.6.33.8-149.fc13.x86_64 #1 SMP<br>
> Tue Aug 17 22:53:15 UTC 2010 x86_64 x86_64<br>
> Alert Count 10<br>
> First Seen Fri 27 Aug 2010 11:45:10 AM CDT<br>
> Last Seen Wed 01 Sep 2010 09:32:26 AM CDT<br>
> Local ID ab7d4dae-5686-4d47-ab3b-4ea134844ade<br>
> Line Numbers<br>
><br>
> Raw Audit Messages<br>
><br>
> node=n6355-50168 type=AVC msg=audit(1283351546.640:36): avc: denied { mmap_zero } for pid=4115 comm="wine-preloader" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect<br>
><br>
> node=n6355-50168 type=SYSCALL msg=audit(1283351546.640:36): arch=40000003 syscall=90 success=no exit=-13 a0=ffe4a850 a1=0 a2=ffe4a850 a3=5a items=0 ppid=4088 pid=4115 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="wine-preloader" exe="/usr/bin/wine-preloader" subj=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 key=(null)<br>
><br>
><br>
><br>
> I run the windows program correctly and with no problems, just that when I start the program I see the sealert(warning). I don't really want to give this program what it is wanting for me to do, but I also don't want to see the warning everytime. How should I approach this matter?<br>
<br>
</div></div>Good call. Wine does not always really need this permission. Only when one runs older windows applications is it that one may notice loss in functionality.<br>
<br>
There is a boolean that one can toggle to silently deny this access vector:<br>
<br>
setsebool -P wine_mmap_zero_ignore on<br>
<br>
Again, This will not allow wine to mmap low (which is a dangerous ability), but instead it will hide attempt by wine to do so.<br>
<div><div></div><div class="h5"><br>
<br>
<br>
><br>
> Thanks in Advance,<br>
><br>
> Antonio<br>
><br>
><br>
><br>
> --<br>
> selinux mailing list<br>
> <a href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a><br>
> <a href="https://admin.fedoraproject.org/mailman/listinfo/selinux" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/selinux</a><br>
</div></div><br>--<br>
selinux mailing list<br>
<a href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a><br>
<a href="https://admin.fedoraproject.org/mailman/listinfo/selinux" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/selinux</a><br></blockquote></div><br>