SELinux is preventing /usr/bin/skype from mmap_zero access on the memprotect Unknown.
Daniel J Walsh
dwalsh at redhat.com
Tue May 17 07:19:17 UTC 2011
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 05/16/2011 10:23 PM, Francis Shim wrote:
> SELinux is preventing /usr/bin/skype from mmap_zero access on the memprotect Unknown.
>
> ***** Plugin mmap_zero (53.1 confidence) suggests **************************
>
> If you do not think /usr/bin/skype should need to mmap low memory in the kernel.
> Then you may be under attack by a hacker, this is a very dangerous access.
> Do
> contact your security administrator and report this issue.
>
> ***** Plugin catchall_boolean (42.6 confidence) suggests *******************
>
> If you want to control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr.
> Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean.
> Do
> setsebool -P mmap_low_allowed 1
>
> ***** Plugin catchall (5.76 confidence) suggests ***************************
>
> If you believe that skype should be allowed mmap_zero access on the Unknown memprotect by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep skype /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
> Additional Information:
> Source Context unconfined_u:unconfined_r:unconfined_execmem_t:s0-
> s0:c0.c1023
> Target Context unconfined_u:unconfined_r:unconfined_execmem_t:s0-
> s0:c0.c1023
> Target Objects Unknown [ memprotect ]
> Source skype
> Source Path /usr/bin/skype
> Port <Unknown>
> Host mobile-pc.localdomain
> Source RPM Packages
> Target RPM Packages
> Policy RPM selinux-policy-3.9.7-40.fc14
> Selinux Enabled True
> Policy Type targeted
> Enforcing Mode Enforcing
> Host Name mobile-pc.localdomain
> Platform Linux mobile-pc.localdomain
> 2.6.35.13-91.fc14.i686.PAE #1 SMP Tue May 3
> 13:29:55 UTC 2011 i686 i686
> Alert Count 100
> First Seen Mon 16 May 2011 03:37:35 PM EDT
> Last Seen Mon 16 May 2011 03:37:35 PM EDT
> Local ID 162a1493-50dc-4231-ad0f-808d6fe5330b
>
> Raw Audit Messages
> type=AVC msg=audit(1305574655.789:127): avc: denied { mmap_zero } for pid=2784 comm="skype" scontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=memprotect
>
>
> Hash: skype,unconfined_execmem_t,unconfined_execmem_t,memprotect,mmap_zero
>
> audit2allow
>
> #============= unconfined_execmem_t ==============
> #!!!! This avc is allowed in the current policy
>
> allow unconfined_execmem_t self:memprotect mmap_zero;
>
> audit2allow -R
>
> #============= unconfined_execmem_t ==============
> #!!!! This avc is allowed in the current policy
>
> allow unconfined_execmem_t self:memprotect mmap_zero;
>
>
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
The alert tells you what you can do to allow it. The access is
dangerous, if it is really needed. Did skype actually work? Did you
report this bug to Skype?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk3SIXUACgkQrlYvE4MpobOl9QCgu3TffLIP+JSKE7ehvAdOKayr
hcEAnRLW3Q9AjiwqGDxNwDhhwhTjRxhE
=52Nf
-----END PGP SIGNATURE-----
More information about the selinux
mailing list