SELinux is preventing /usr/bin/skype from mmap_zero access on the memprotect Unknown.
by Francis Shim
SELinux is preventing /usr/bin/skype from mmap_zero access on the memprotect Unknown.
***** Plugin mmap_zero (53.1 confidence) suggests **************************
If you do not think /usr/bin/skype should need to mmap low memory in the kernel.
Then you may be under attack by a hacker, this is a very dangerous access.
Do
contact your security administrator and report this issue.
***** Plugin catchall_boolean (42.6 confidence) suggests *******************
If you want to control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr.
Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean.
Do
setsebool -P mmap_low_allowed 1
***** Plugin catchall (5.76 confidence) suggests ***************************
If you believe that skype should be allowed mmap_zero access on the Unknown memprotect by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep skype /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023
Target Context unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023
Target Objects Unknown [ memprotect ]
Source skype
Source Path /usr/bin/skype
Port <Unknown>
Host mobile-pc.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.9.7-40.fc14
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name mobile-pc.localdomain
Platform Linux mobile-pc.localdomain 2.6.35.13-91.fc14.i686.PAE #1 SMP Tue May 3 13:29:55 UTC 2011 i686 i686
Alert Count 100
First Seen Mon 16 May 2011 03:37:35 PM EDT
Last Seen Mon 16 May 2011 03:37:35 PM EDT
Local ID 162a1493-50dc-4231-ad0f-808d6fe5330b
Raw Audit Messages
type=AVC msg=audit(1305574655.789:127): avc: denied { mmap_zero } for pid=2784 comm="skype" scontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=memprotect
Hash: skype,unconfined_execmem_t,unconfined_execmem_t,memprotect,mmap_zero
audit2allow
#============= unconfined_execmem_t ==============
#!!!! This avc is allowed in the current policy
allow unconfined_execmem_t self:memprotect mmap_zero;
audit2allow -R
#============= unconfined_execmem_t ==============
#!!!! This avc is allowed in the current policy
allow unconfined_execmem_t self:memprotect mmap_zero;
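Before running the alert's `grep ... | audit2allow -M mypol` suggestion, a reviewer wants to know what rule that pipeline will actually generate and whether the permission being granted is one that weakens a memory-protection boundary. The following is an added example, not part of the original post or of the setroubleshoot/audit2allow tools: it parses raw AVC records with a small regex parser, reproduces the `allow` rule audit2allow derives from each record (the first sample line is the raw message from the alert above and yields exactly the `allow unconfined_execmem_t self:memprotect mmap_zero;` shown there), and flags the class/permission pairs that should be escalated rather than auto-allowed. The `HIGH_RISK` table, the `triage` grouping and the second and third log lines are constructed for the example.

```python
"""Parse raw SELinux AVC records, reproduce the allow rule audit2allow would
emit for each, and flag permissions a reviewer should not rubber-stamp.

Added example; not part of the original post or of audit2allow itself."""
import re
from dataclasses import dataclass

# Matches the AVC body: 'avc:  denied  { perm1 perm2 } for key=value ...'
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<kv>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# (object class, permission) pairs that weaken memory-protection or kernel
# boundaries. Granting these deserves a justification, not a reflexive
# 'semodule -i'. The mmap_zero entry is the one from the alert above; the
# table itself is an assumption of this example, not a policy-defined list.
HIGH_RISK = {
    ("memprotect", "mmap_zero"): "map memory below kernel.mmap_min_addr (NULL-pointer exploitation aid)",
    ("process", "execmem"): "create writable+executable anonymous memory",
    ("process", "execheap"): "make the heap executable",
    ("process", "execstack"): "make the stack executable",
    ("capability", "sys_module"): "load kernel modules",
    ("capability", "sys_rawio"): "do raw I/O to devices and ports",
}


@dataclass
class Avc:
    result: str
    perms: list
    tclass: str
    scontext: str
    tcontext: str
    comm: str = ""
    pid: int = 0
    permissive: bool = False


def parse_avc(line: str):
    """Return an Avc for one audit line, or None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    return Avc(
        result=m.group("result"),
        perms=m.group("perms").split(),
        tclass=kv.get("tclass", ""),
        scontext=kv.get("scontext", ""),
        tcontext=kv.get("tcontext", ""),
        comm=kv.get("comm", ""),
        pid=int(kv.get("pid", 0)),
        permissive=kv.get("permissive") == "1",
    )


def type_of(context: str) -> str:
    """user:role:type[:range] -> type. The MLS range may itself contain ':'."""
    return context.split(":")[2]


def allow_rule(avc: Avc) -> str:
    """The TE rule audit2allow derives from this record ('self' when the
    source and target types are the same)."""
    src, tgt = type_of(avc.scontext), type_of(avc.tcontext)
    target = "self" if src == tgt else tgt
    perms = avc.perms[0] if len(avc.perms) == 1 else "{ " + " ".join(avc.perms) + " }"
    return f"allow {src} {target}:{avc.tclass} {perms};"


def review(avc: Avc) -> list:
    """Reasons this denial should be escalated rather than auto-allowed."""
    notes = []
    for perm in avc.perms:
        why = HIGH_RISK.get((avc.tclass, perm))
        if why:
            notes.append(f"{avc.tclass}:{perm} lets {avc.comm or type_of(avc.scontext)} {why}")
    if avc.permissive:
        notes.append("recorded in permissive mode: the access actually went through")
    return notes


def triage(lines):
    """Group denials by the rule they would generate: {rule: (count, notes)}."""
    out = {}
    for line in lines:
        avc = parse_avc(line)
        if avc is None or avc.result != "denied":
            continue
        rule = allow_rule(avc)
        count, notes = out.get(rule, (0, []))
        out[rule] = (count + 1, notes or review(avc))
    return out


# The first line is the raw AVC from the alert above; the SYSCALL record and
# the two v4l_device_t denials are constructed for the example.
SAMPLE_LOG = [
    'type=AVC msg=audit(1305574655.789:127): avc: denied { mmap_zero } for pid=2784 comm="skype" scontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=memprotect',
    'type=SYSCALL msg=audit(1305574655.789:127): arch=40000003 syscall=192 success=no exit=-13',
    'type=AVC msg=audit(1305574700.001:130): avc: denied { read write } for pid=2790 comm="skype" name="video0" dev=devtmpfs ino=7201 scontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file',
    'type=AVC msg=audit(1305574700.001:130): avc: denied { read write } for pid=2790 comm="skype" name="video0" dev=devtmpfs ino=7201 scontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file',
]

if __name__ == "__main__":
    for rule, (count, notes) in triage(SAMPLE_LOG).items():
        print(f"[{'REVIEW' if notes else 'ok'}] x{count} {rule}")
        for note in notes:
            print("        -", note)
```

Run against a real log with `triage(open("/var/log/audit/audit.log"))`; anything tagged REVIEW is the case the alert's first plugin describes, and the right move is to check `sysctl vm.mmap_min_addr` and the `mmap_low_allowed` boolean rather than to load the generated module.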
Fedora 14 does not respect /etc/sysconfig/selinux?
by Eric Warnke
I have a number of testing systems installed with Fedora 14. They were
installed with the minimal profile, have no 3rd party repositories or
rpm's installed, are fully up-to-date, and were exhibiting some strange
behavior with the corosync/pacemaker packages.
The problems with corosync are a direct result of the system not
respecting the /etc/sysconfig/selinux directives. I have attached some
sessions below to show the errant behavior.
Boot 1:
[root@tiny ~]# uptime
08:30:43 up 0 min, 1 user, load average: 0.15, 0.06, 0.02
[root@tiny ~]# getenforce
Enforcing
[root@tiny ~]# more /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
Boot 2:
[root@tiny ~]# uptime
08:33:01 up 0 min, 1 user, load average: 0.30, 0.06, 0.02
[root@tiny ~]# getenforce
Enforcing
[root@tiny ~]# cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
After a call to setenforce 0
[root@tiny ~]# getenforce
Permissive
As you can clearly see the SELINUX directive is being ignored during boot.
I have had to move startup of the affected packages to /etc/rc.local
after a call to setenforce 0.
Cheers,
Eric Warnke
Research IT Group
SUNY at Albany
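When the mode reported by getenforce disagrees with the config file, the inputs worth comparing are the file the init path really reads, and the kernel command line, which takes precedence over it. The following is an added example, not part of Eric's message or of Fedora's own tooling: it parses the `SELINUX=`/`SELINUXTYPE=` settings, applies the precedence I know libselinux and the kernel use (`selinux=0` on the command line disables SELinux outright, `SELINUX=disabled` disables it, and `enforcing=0`/`enforcing=1` override the file's enforcing-versus-permissive choice), and compares the result with the live enforce node. On Fedora `/etc/sysconfig/selinux` is a symlink to `/etc/selinux/config`, so the `audit` helper (a hypothetical name) also reports where the path resolves, since edits to a copied file or a dangling link change nothing. The config strings are abridged from the two files in the post above; the command line is constructed.

```python
"""Reconstruct the SELinux mode a boot should reach from the same inputs the
init path reads, then compare with the live kernel state.

Added example; not part of the original thread or of Fedora's tooling."""
import os


def parse_selinux_config(text: str) -> dict:
    """Parse SELINUX= and SELINUXTYPE= from /etc/selinux/config contents.
    Comments and blank lines are ignored; values are lower-cased."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip().upper()] = value.strip().strip('"').lower()
    return conf


def expected_state(config_text: str, cmdline: str) -> str:
    """Resolve precedence: kernel 'selinux=0' disables regardless of the file,
    SELINUX=disabled disables, and 'enforcing=0|1' overrides the file's
    enforcing/permissive choice. Returns enforcing, permissive, disabled, or
    'unknown' when the file does not set SELINUX= at all."""
    args = {}
    for arg in cmdline.split():
        key, _, value = arg.partition("=")
        args[key] = value
    if args.get("selinux") == "0":
        return "disabled"
    mode = parse_selinux_config(config_text).get("SELINUX")
    if mode not in ("enforcing", "permissive", "disabled"):
        return "unknown"
    if mode == "disabled":
        return "disabled"
    if args.get("enforcing") == "0":
        return "permissive"
    if args.get("enforcing") == "1":
        return "enforcing"
    return mode


def live_state() -> str:
    """The kernel's view, from the enforce node. Fedora 14 mounted selinuxfs
    at /selinux; newer systems use /sys/fs/selinux."""
    for node in ("/sys/fs/selinux/enforce", "/selinux/enforce"):
        try:
            with open(node) as fh:
                return "enforcing" if fh.read().strip() == "1" else "permissive"
        except OSError:
            continue
    return "disabled"


def audit(config_path="/etc/sysconfig/selinux", cmdline_path="/proc/cmdline") -> dict:
    """Hypothetical helper: gather the live inputs and flag a mismatch. The
    resolved path is reported because /etc/sysconfig/selinux is normally a
    symlink to /etc/selinux/config; a copy or a dangling link is not read."""
    with open(cmdline_path) as fh:
        cmdline = fh.read()
    try:
        with open(config_path) as fh:
            config_text = fh.read()
    except OSError:
        config_text = ""
    want, have = expected_state(config_text, cmdline), live_state()
    return {
        "config_path": config_path,
        "resolved_to": os.path.realpath(config_path),
        "is_symlink": os.path.islink(config_path),
        "expected": want,
        "live": have,
        "mismatch": want not in ("unknown", have),
    }


# Constructed inputs: the two config files from the post above (abridged) and
# a typical kernel command line that carries no SELinux overrides.
CONFIG_PERMISSIVE = (
    "# This file controls the state of SELinux on the system.\n"
    "SELINUX=permissive\n"
    "SELINUXTYPE=targeted\n"
)
CONFIG_DISABLED = CONFIG_PERMISSIVE.replace("permissive", "disabled")
PLAIN_CMDLINE = "ro root=/dev/mapper/vg-root rd_LVM_LV=vg/root rhgb quiet"

if __name__ == "__main__":
    for label, conf in (("permissive", CONFIG_PERMISSIVE), ("disabled", CONFIG_DISABLED)):
        print(f"config={label:<10} cmdline=plain       -> {expected_state(conf, PLAIN_CMDLINE)}")
        print(f"config={label:<10} cmdline=enforcing=0 -> {expected_state(conf, PLAIN_CMDLINE + ' enforcing=0')}")
    if os.path.exists("/proc/cmdline"):
        print(audit())
```

Run as root on the affected box, `audit()` prints `expected` next to `live`; if `resolved_to` is not `/etc/selinux/config`, or `mismatch` is true with a plain command line, the next thing to capture is the boot log from the point where the initial policy load is reported.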
During startup, many failed to set security context msgs
by Clyde E. Kunkel
Permissive mode, Fedora rawhide up-to-date as of 20110503. Expected or a
bug?
[ 56.268826] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.283356] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.285470] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.287470] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.289540] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.295823] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[ 56.299256] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[ 56.301278] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[ 56.303297] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.305212] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.307129] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.308964] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.310833] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.312721] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.314588] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.316392] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.318191] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.320056] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.321812] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.323502] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.325167] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.326805] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[ 56.328488] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.330128] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.341490] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[ 56.343236] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied
[ 56.344736] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied
[ 56.346391] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied
[ 56.348053] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied
[ 56.349674] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied
--
Regards,
OldFart