SELinux is preventing /usr/bin/skype from mmap_zero access on the memprotect Unknown.

Francis Shim belfrancis2001 at yahoo.ca
Wed May 18 02:15:22 UTC 2011


On Tue, 2011-05-17 at 09:19 +0200, Daniel J Walsh wrote:
> 
> On 05/16/2011 10:23 PM, Francis Shim wrote:
> > SELinux is preventing /usr/bin/skype from mmap_zero access on the memprotect Unknown.
> > 
> > *****  Plugin mmap_zero (53.1 confidence) suggests  **************************
> > 
> > If you do not think /usr/bin/skype should need to mmap low memory in the kernel.
> > Then you may be under attack by a hacker, this is a very dangerous access.
> > Do
> > contact your security administrator and report this issue.
> > 
> > *****  Plugin catchall_boolean (42.6 confidence) suggests  *******************
> > 
> > If you want to control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr.
> > Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean.
> > Do
> > setsebool -P mmap_low_allowed 1
> > 
> > *****  Plugin catchall (5.76 confidence) suggests  ***************************
> > 
> > If you believe that skype should be allowed mmap_zero access on the Unknown memprotect by default.
> > Then you should report this as a bug.
> > You can generate a local policy module to allow this access.
> > Do
> > allow this access for now by executing:
> > # grep skype /var/log/audit/audit.log | audit2allow -M mypol
> > # semodule -i mypol.pp
> > 
> > Additional Information:
> > Source Context                unconfined_u:unconfined_r:unconfined_execmem_t:s0-
> >                               s0:c0.c1023
> > Target Context                unconfined_u:unconfined_r:unconfined_execmem_t:s0-
> >                               s0:c0.c1023
> > Target Objects                Unknown [ memprotect ]
> > Source                        skype
> > Source Path                   /usr/bin/skype
> > Port                          <Unknown>
> > Host                          mobile-pc.localdomain
> > Source RPM Packages           
> > Target RPM Packages           
> > Policy RPM                    selinux-policy-3.9.7-40.fc14
> > Selinux Enabled               True
> > Policy Type                   targeted
> > Enforcing Mode                Enforcing
> > Host Name                     mobile-pc.localdomain
> > Platform                      Linux mobile-pc.localdomain
> >                               2.6.35.13-91.fc14.i686.PAE #1 SMP Tue May 3
> >                               13:29:55 UTC 2011 i686 i686
> > Alert Count                   100
> > First Seen                    Mon 16 May 2011 03:37:35 PM EDT
> > Last Seen                     Mon 16 May 2011 03:37:35 PM EDT
> > Local ID                      162a1493-50dc-4231-ad0f-808d6fe5330b
> > 
> > Raw Audit Messages
> > type=AVC msg=audit(1305574655.789:127): avc:  denied  { mmap_zero } for  pid=2784 comm="skype" scontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=memprotect
> > 
> > 
> > Hash: skype,unconfined_execmem_t,unconfined_execmem_t,memprotect,mmap_zero
> > 
> > audit2allow
> > 
> > #============= unconfined_execmem_t ==============
> > #!!!! This avc is allowed in the current policy
> > 
> > allow unconfined_execmem_t self:memprotect mmap_zero;
> > 
> > audit2allow -R
> > 
> > #============= unconfined_execmem_t ==============
> > #!!!! This avc is allowed in the current policy
> > 
> > allow unconfined_execmem_t self:memprotect mmap_zero;
> > 
> > 
> > 
> > 
> > 
> 
> The alert tells you what you can do to allow it.  The access is
> dangerous, if it is really needed.  Did skype actually work?  Did you
> report this bug to Skype?

I am trying to report to Skype; however, I really wanted to get some
credibility feedback from the SELinux forum before I do, because I was
really puzzled as to whether the following is happening:

Skype is really trying to access "low memory" (i.e., < 1 MB) or is it DMA
memory areas?  In either case, it just kind of freaked me out when I saw
it.

I am gambling that it is for DMA purposes so I allowed the access and
Skype works fine now; however, you can bet that I will be forwarding my
concerns to Skype.  I hope I am not the only one who ran into this
because it might mean that I really might have a virus.

Peace,
Frank
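
Added example, not part of the original messages and not code from setroubleshoot or audit2allow: a small Python parser for the AVC record quoted in the alert above. It separates the `memprotect { mmap_zero }` denial from any other denials logged for the same command, so the scope of a module built with `grep skype ... | audit2allow -M` can be checked before it is loaded. The second log line and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Line 1 is the AVC record quoted in the alert above; line 2 is a constructed
# record (not from the thread) for a second, unrelated denial by the same process.
SAMPLE_LOG = """\
type=AVC msg=audit(1305574655.789:127): avc:  denied  { mmap_zero } for  pid=2784 comm="skype" scontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=memprotect
type=AVC msg=audit(1305574700.101:131): avc:  denied  { read } for  pid=2784 comm="skype" name="example.conf" scontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

AVC_RE = re.compile(r"type=AVC msg=audit\(([\d.]+):(\d+)\): avc:\s+(denied|granted)"
                    r"\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return one AVC record as a dict, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(5))}
    rec.update(time=float(m.group(1)), serial=int(m.group(2)),
               result=m.group(3), perms=m.group(4).split())
    # An SELinux context is user:role:type[:level]; the type is the domain.
    rec["domain"] = rec["scontext"].split(":")[2]
    return rec


def denials(log, comm):
    """All denied AVC records whose comm field equals `comm`."""
    recs = filter(None, map(parse_avc, log.splitlines()))
    return [r for r in recs if r["result"] == "denied" and r.get("comm") == comm]


def policy_scope(log, comm):
    """Count (tclass, permission) pairs a grep-by-name module would cover."""
    return Counter((r["tclass"], p) for r in denials(log, comm) for p in r["perms"])


def mmap_zero_denials(log, comm):
    """Only the low-memory mapping denials: memprotect { mmap_zero }."""
    return [r for r in denials(log, comm)
            if r["tclass"] == "memprotect" and "mmap_zero" in r["perms"]]


if __name__ == "__main__":
    print(dict(policy_scope(SAMPLE_LOG, "skype")))
    for r in mmap_zero_denials(SAMPLE_LOG, "skype"):
        print(r["serial"], r["pid"], r["domain"])
```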



