<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
On 09/02/2010 02:02 AM, Ryan Anthony wrote:
<blockquote
cite="mid:AANLkTimzKhqqem-Zv4dqbpwL4D_b9G7rPECg4ZCupme0@mail.gmail.com"
type="cite">Yeah, I've actually noticed that same thing happening too,
but the trouble is that wine_mmap_zero_ignore is set to "on" already on
my machine. <br>
<br>
R.<br>
<br>
</blockquote>
Ryan,<br>
could you add the output of the following commands?<br>
<br>
# ausearch -m avc -su wine_t -o wine_t<br>
<br>
# sesearch --dontaudit -s wine_t -t wine_t -c memprotect -p mmap_zero<br>
<br>
# getsebool wine_mmap_zero_ignore<br>
<br>
<br>
<blockquote
cite="mid:AANLkTimzKhqqem-Zv4dqbpwL4D_b9G7rPECg4ZCupme0@mail.gmail.com"
type="cite">
<div class="gmail_quote">On Wed, Sep 1, 2010 at 7:24 PM, Dominick
Grift <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:domg472@gmail.com">domg472@gmail.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div>
<div class="h5">On Wed, Sep 01, 2010 at 03:49:14PM -0700, Antonio
Olivares wrote:<br>
> Dear selinux experts,<br>
><br>
> I have a sealert for running a windows program under wine. There
had been no problems on a Fedora 13 x86_64 machine till I installed
this program. I have not done anything yet. The program runs, but I
am hesitant to do anything; therefore I ask for your guidance as to
what should I do?<br>
><br>
> Here's the alert:<br>
><br>
><br>
> Summary:<br>
><br>
> SELinux has prevented wine from performing an unsafe memory
operation.<br>
><br>
> Detailed Description:<br>
><br>
> SELinux denied an operation requested by wine-preloader, a program
used to run<br>
> Windows applications under Linux. This program is known to use an
unsafe<br>
> operation on system memory but so are a number of malware/exploit
programs which<br>
> masquerade as wine. If you were attempting to run a Windows
program your only<br>
> choices are to allow this operation and reduce your system
security against such<br>
> malware or to refrain from running Windows applications under
Linux. If you were<br>
> not attempting to run a Windows application this indicates you are
likely being<br>
> attacked by some for of malware or program trying to exploit your
system for<br>
> nefarious purposes. Please refer to<br>
> <a moz-do-not-send="true"
href="http://wiki.winehq.org/PreloaderPageZeroProblem" target="_blank">http://wiki.winehq.org/PreloaderPageZeroProblem</a>
Which outlines the other<br>
> problems wine encounters due to its unsafe use of memory and
solutions to those<br>
> problems.<br>
><br>
> Allowing Access:<br>
><br>
> If you decide to continue to run the program in question you will
need to allow<br>
> this operation. This can be done on the command line by executing:
# setsebool<br>
> -P mmap_low_allowed 1<br>
><br>
> Fix Command:<br>
><br>
> /usr/sbin/setsebool -P mmap_low_allowed 1<br>
><br>
> Additional Information:<br>
><br>
> Source Context
unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023<br>
> Target Context
unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023<br>
> Target Objects None [ memprotect ]<br>
> Source wine-preloader<br>
> Source Path /usr/bin/wine-preloader<br>
> Port &lt;Unknown&gt;<br>
> Host n6355-50168<br>
> Source RPM Packages wine-core-1.2.0-2.fc13<br>
> Target RPM Packages<br>
> Policy RPM selinux-policy-3.7.19-47.fc13<br>
> Selinux Enabled True<br>
> Policy Type targeted<br>
> Enforcing Mode Enforcing<br>
> Plugin Name wine<br>
> Host Name n6355-50168<br>
> Platform Linux n6355-50168
2.6.33.8-149.fc13.x86_64 #1 SMP<br>
> Tue Aug 17 22:53:15 UTC 2010 x86_64
x86_64<br>
> Alert Count 10<br>
> First Seen Fri 27 Aug 2010 11:45:10 AM CDT<br>
> Last Seen Wed 01 Sep 2010 09:32:26 AM CDT<br>
> Local ID ab7d4dae-5686-4d47-ab3b-4ea134844ade<br>
> Line Numbers<br>
><br>
> Raw Audit Messages<br>
><br>
> node=n6355-50168 type=AVC msg=audit(1283351546.640:36): avc:
denied { mmap_zero } for pid=4115 comm="wine-preloader"
scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023
tclass=memprotect<br>
><br>
> node=n6355-50168 type=SYSCALL msg=audit(1283351546.640:36):
arch=40000003 syscall=90 success=no exit=-13 a0=ffe4a850 a1=0
a2=ffe4a850 a3=5a items=0 ppid=4088 pid=4115 auid=500 uid=500 gid=500
euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none)
ses=1 comm="wine-preloader" exe="/usr/bin/wine-preloader"
subj=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 key=(null)<br>
><br>
><br>
><br>
> I run the windows program correctly and with no problems, just
that when I start the program I see the sealert(warning). I don't
really want to give this program what it is wanting for me to do, but I
also don't want to see the warning every time. How should I approach
this matter?<br>
<br>
</div>
</div>
Good call. Wine does not always really need this permission. Only when
one runs older Windows applications may one notice a loss in
functionality.<br>
<br>
There is a boolean that one can toggle to silently deny this access
vector:<br>
<br>
setsebool -P wine_mmap_zero_ignore on<br>
<br>
Again, this will not allow wine to mmap low (which is a dangerous
ability), but instead it will hide attempts by wine to do so.<br>
<div>
<div class="h5"><br>
<br>
<br>
><br>
> Thanks in Advance,<br>
><br>
> Antonio<br>
><br>
><br>
><br>
> --<br>
> selinux mailing list<br>
> <a moz-do-not-send="true"
href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a><br>
> <a moz-do-not-send="true"
href="https://admin.fedoraproject.org/mailman/listinfo/selinux"
target="_blank">https://admin.fedoraproject.org/mailman/listinfo/selinux</a><br>
</div>
</div>
<br>
</blockquote>
</div>
<br>
</blockquote>
<br>
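Added example, not part of the original thread: a small triage script for the kind of raw audit records quoted above, pairing each mmap_zero denial with its SYSCALL record and separating the wine case the alert describes from anything else. The first two sample records are the ones from the thread; the second pair, the verdict labels and the function names are constructed for illustration.<br>

```python
import re
from collections import defaultdict

# Records 1-2 are the raw audit messages quoted in the thread; records 3-4 are
# constructed (hypothetical domain and path) to show the non-wine case.
SAMPLE = """\
node=n6355-50168 type=AVC msg=audit(1283351546.640:36): avc: denied { mmap_zero } for pid=4115 comm="wine-preloader" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect
node=n6355-50168 type=SYSCALL msg=audit(1283351546.640:36): arch=40000003 syscall=90 success=no exit=-13 a0=ffe4a850 a1=0 a2=ffe4a850 a3=5a items=0 ppid=4088 pid=4115 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="wine-preloader" exe="/usr/bin/wine-preloader" subj=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 key=(null)
node=n6355-50168 type=AVC msg=audit(1283351600.000:41): avc: denied { mmap_zero } for pid=4200 comm="wine-preloader" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=memprotect
node=n6355-50168 type=SYSCALL msg=audit(1283351600.000:41): arch=40000003 syscall=90 success=no exit=-13 pid=4200 comm="wine-preloader" exe="/tmp/example-binary" subj=user_u:user_r:user_t:s0 key=(null)
"""

EVENT_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group audit records by event id and merge their key=value fields."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        ev = events[m.group(1)]
        # First record seen wins, so AVC fields are not overwritten by SYSCALL.
        for key, value in FIELD.findall(line):
            ev.setdefault(key, value.strip('"'))
        p = PERMS.search(line)
        if p:
            ev["perms"] = p.group(1).split()
    return events

def triage(text, wine_exe="/usr/bin/wine-preloader", wine_type="wine_t"):
    """Return {event_id: verdict} for every mmap_zero denial on memprotect."""
    verdicts = {}
    for eid, ev in parse_events(text).items():
        if "mmap_zero" not in ev.get("perms", []) or ev.get("tclass") != "memprotect":
            continue
        domain = ev.get("scontext", "").split(":")[2:3]  # SELinux type field
        # comm= can be set by the process itself, so it is not trusted here;
        # the verdict relies on the domain type and the exe path instead.
        if domain == [wine_type] and ev.get("exe") == wine_exe:
            verdicts[eid] = "expected-wine"
        else:
            verdicts[eid] = "investigate"
    return verdicts
```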
</body>
</html>