wine preloader? being denied by selinux

Dominick Grift domg472 at gmail.com
Wed Sep 1 23:24:11 UTC 2010 

On Wed, Sep 01, 2010 at 03:49:14PM -0700, Antonio Olivares wrote:
> Dear selinux experts,
> 
> I have a sealert for running a windows program under wine.  There had been no problems on a Fedora 13 x86_64 machine till I installed this program.  I have not done anything yet.  The program runs, but I am hesitant to do anything; therefore I ask for your guidance as to what should I do?
> 
> Here's the alert:
> 
> 
> Summary:
> 
> SELinux has prevented wine from performing an unsafe memory operation.
> 
> Detailed Description:
> 
> SELinux denied an operation requested by wine-preloader, a program used to run
> Windows applications under Linux. This program is known to use an unsafe
> operation on system memory but so are a number of malware/exploit programs which
> masquerade as wine. If you were attempting to run a Windows program your only
> choices are to allow this operation and reduce your system security against such
> malware or to refrain from running Windows applications under Linux. If you were
> not attempting to run a Windows application this indicates you are likely being
> attacked by some for of malware or program trying to exploit your system for
> nefarious purposes. Please refer to
> http://wiki.winehq.org/PreloaderPageZeroProblem Which outlines the other
> problems wine encounters due to its unsafe use of memory and solutions to those
> problems.
> 
> Allowing Access:
> 
> If you decide to continue to run the program in question you will need to allow
> this operation. This can be done on the command line by executing: # setsebool
> -P mmap_low_allowed 1
> 
> Fix Command:
> 
> /usr/sbin/setsebool -P mmap_low_allowed 1
> 
> Additional Information:
> 
> Source Context                unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023
> Target Context                unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023
> Target Objects                None [ memprotect ]
> Source                        wine-preloader
> Source Path                   /usr/bin/wine-preloader
> Port                          <Unknown>
> Host                          n6355-50168
> Source RPM Packages           wine-core-1.2.0-2.fc13
> Target RPM Packages           
> Policy RPM                    selinux-policy-3.7.19-47.fc13
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Plugin Name                   wine
> Host Name                     n6355-50168
> Platform                      Linux n6355-50168 2.6.33.8-149.fc13.x86_64 #1 SMP
>                               Tue Aug 17 22:53:15 UTC 2010 x86_64 x86_64
> Alert Count                   10
> First Seen                    Fri 27 Aug 2010 11:45:10 AM CDT
> Last Seen                     Wed 01 Sep 2010 09:32:26 AM CDT
> Local ID                      ab7d4dae-5686-4d47-ab3b-4ea134844ade
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> node=n6355-50168 type=AVC msg=audit(1283351546.640:36): avc:  denied  { mmap_zero } for  pid=4115 comm="wine-preloader" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect
> 
> node=n6355-50168 type=SYSCALL msg=audit(1283351546.640:36): arch=40000003 syscall=90 success=no exit=-13 a0=ffe4a850 a1=0 a2=ffe4a850 a3=5a items=0 ppid=4088 pid=4115 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="wine-preloader" exe="/usr/bin/wine-preloader" subj=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 key=(null)
> 
> 
> 
> I run the windows program correctly and with no problems, just that when I start the program I see the sealert(warning).  I don't really want to give this program what it is wanting for me to do, but I also don't want to see the warning everytime.  How should I approach this matter?

Good call. Wine does not always really need this permission. Only when one runs older windows applications is it that one may notice loss in functionality.

There is a boolean that one can toggle to silently deny this access vector:

setsebool -P wine_mmap_zero_ignore on

Again, This will not allow wine to mmap low (which is a dangerous ability), but instead it will hide attempt by wine to do so.



> 
> Thanks in Advance,
> 
> Antonio 
> 
> 
>       
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20100902/a190b166/attachment.bin

More information about the selinux mailing list