wine preloader? being denied by selinux
Miroslav Grepl
mgrepl at redhat.com
Thu Sep 2 06:48:50 UTC 2010
On 09/02/2010 02:02 AM, Ryan Anthony wrote:
> Yeah, I've actually noticed that same thing happening too, but the
> trouble is that wine_mmap_zero_ignore is set to "on" already on my
> machine.
>
> R.
>
Ryan,
could you add the outputs of the following commands?
# ausearch -m avc -su wine_t -o wine_t
# sesearch --dontaudit -s wine_t -t wine_t -c memprotect -p mmap_zero
# getsebool wine_mmap_zero_ignore
> On Wed, Sep 1, 2010 at 7:24 PM, Dominick Grift <domg472 at gmail.com
> <mailto:domg472 at gmail.com>> wrote:
>
> On Wed, Sep 01, 2010 at 03:49:14PM -0700, Antonio Olivares wrote:
> > Dear selinux experts,
> >
> > I have a sealert for running a windows program under wine.
> > There had been no problems on a Fedora 13 x86_64 machine till I
> > installed this program. I have not done anything yet. The
> > program runs, but I am hesitant to do anything; therefore I ask
> > for your guidance as to what should I do?
> >
> > Here's the alert:
> >
> >
> > Summary:
> >
> > SELinux has prevented wine from performing an unsafe memory operation.
> >
> > Detailed Description:
> >
> > SELinux denied an operation requested by wine-preloader, a program used to run
> > Windows applications under Linux. This program is known to use an unsafe
> > operation on system memory but so are a number of malware/exploit programs which
> > masquerade as wine. If you were attempting to run a Windows program your only
> > choices are to allow this operation and reduce your system security against such
> > malware or to refrain from running Windows applications under Linux. If you were
> > not attempting to run a Windows application this indicates you are likely being
> > attacked by some for of malware or program trying to exploit your system for
> > nefarious purposes. Please refer to
> > http://wiki.winehq.org/PreloaderPageZeroProblem Which outlines the other
> > problems wine encounters due to its unsafe use of memory and solutions to those
> > problems.
> >
> > Allowing Access:
> >
> > If you decide to continue to run the program in question you will need to allow
> > this operation. This can be done on the command line by executing: # setsebool
> > -P mmap_low_allowed 1
> >
> > Fix Command:
> >
> > /usr/sbin/setsebool -P mmap_low_allowed 1
> >
> > Additional Information:
> >
> > Source Context unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023
> > Target Context unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023
> > Target Objects None [ memprotect ]
> > Source wine-preloader
> > Source Path /usr/bin/wine-preloader
> > Port <Unknown>
> > Host n6355-50168
> > Source RPM Packages wine-core-1.2.0-2.fc13
> > Target RPM Packages
> > Policy RPM selinux-policy-3.7.19-47.fc13
> > Selinux Enabled True
> > Policy Type targeted
> > Enforcing Mode Enforcing
> > Plugin Name wine
> > Host Name n6355-50168
> > Platform Linux n6355-50168 2.6.33.8-149.fc13.x86_64 #1 SMP Tue Aug 17 22:53:15 UTC 2010 x86_64 x86_64
> > Alert Count 10
> > First Seen Fri 27 Aug 2010 11:45:10 AM CDT
> > Last Seen Wed 01 Sep 2010 09:32:26 AM CDT
> > Local ID ab7d4dae-5686-4d47-ab3b-4ea134844ade
> > Line Numbers
> >
> > Raw Audit Messages
> >
> > node=n6355-50168 type=AVC msg=audit(1283351546.640:36): avc: denied { mmap_zero } for pid=4115 comm="wine-preloader" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect
> >
> > node=n6355-50168 type=SYSCALL msg=audit(1283351546.640:36): arch=40000003 syscall=90 success=no exit=-13 a0=ffe4a850 a1=0 a2=ffe4a850 a3=5a items=0 ppid=4088 pid=4115 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="wine-preloader" exe="/usr/bin/wine-preloader" subj=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 key=(null)
> >
> >
> >
> > I run the Windows program correctly and with no problems, just
> > that when I start the program I see the sealert (warning). I don't
> > really want to give this program what it is wanting for me to do,
> > but I also don't want to see the warning every time. How should I
> > approach this matter?
>
> Good call. Wine does not always really need this permission. Only
> when one runs older windows applications is it that one may notice
> loss in functionality.
>
> There is a boolean that one can toggle to silently deny this
> access vector:
>
> setsebool -P wine_mmap_zero_ignore on
>
> Again, this will not allow wine to mmap low (which is a dangerous
> ability), but instead it will hide attempts by wine to do so.
>
>
>
> >
> > Thanks in Advance,
> >
> > Antonio
> >
> >
> >
> > --
> > selinux mailing list
> > selinux at lists.fedoraproject.org
> <mailto:selinux at lists.fedoraproject.org>
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
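An added example, not part of the original thread: a small Python parser that pairs the AVC and SYSCALL records from the alert quoted above by audit serial number and summarises denied `memprotect` `mmap_zero` accesses, the same events the `ausearch` query above asks for. The function names are assumptions; the sample records are the ones quoted in the alert, re-joined onto single lines.

```python
import re
from collections import defaultdict

# Records from the alert quoted in this thread, re-joined onto one line each.
SAMPLE = (
    'node=n6355-50168 type=AVC msg=audit(1283351546.640:36): avc: denied '
    '{ mmap_zero } for pid=4115 comm="wine-preloader" '
    'scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect\n'
    'node=n6355-50168 type=SYSCALL msg=audit(1283351546.640:36): arch=40000003 '
    'syscall=90 success=no exit=-13 a0=ffe4a850 a1=0 a2=ffe4a850 a3=5a items=0 '
    'ppid=4088 pid=4115 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 '
    'egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="wine-preloader" '
    'exe="/usr/bin/wine-preloader" '
    'subj=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 key=(null)\n'
)

HEADER = re.compile(r'type=(\w+) msg=audit\(([\d.]+):(\d+)\):')
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')

def parse_events(text):
    """Group audit records by (timestamp, serial) so AVC and SYSCALL pair up."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.search(line)
        if not m:
            continue  # not an audit record
        rtype, ts, serial = m.groups()
        fields = {k: v.strip('"') for k, v in KV.findall(line[m.end():])}
        p = PERMS.search(line)
        if p:
            fields['result'], fields['perms'] = p.group(1), p.group(2).split()
        events[(ts, serial)][rtype] = fields
    return events

def mmap_zero_denials(text):
    """Return one summary dict per denied memprotect:mmap_zero access."""
    out = []
    for (ts, serial), recs in parse_events(text).items():
        avc, sc = recs.get('AVC', {}), recs.get('SYSCALL', {})
        if (avc.get('result') == 'denied' and avc.get('tclass') == 'memprotect'
                and 'mmap_zero' in avc.get('perms', [])):
            out.append({
                'serial': int(serial),
                'domain': avc['scontext'].split(':')[2],   # SELinux type field
                'self': avc['scontext'] == avc['tcontext'],
                'exe': sc.get('exe'), 'exit': int(sc.get('exit', 0)),  # -13 is -EACCES
            })
    return out
```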