SELinux is preventing /usr/bin/skype from mmap_zero access on the memprotect Unknown.
by Francis Shim
SELinux is preventing /usr/bin/skype from mmap_zero access on the memprotect Unknown.
***** Plugin mmap_zero (53.1 confidence) suggests **************************
If you do not think /usr/bin/skype should need to mmap low memory in the kernel.
Then you may be under attack by a hacker, this is a very dangerous access.
Do
contact your security administrator and report this issue.
***** Plugin catchall_boolean (42.6 confidence) suggests *******************
If you want to control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr.
Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean.
Do
setsebool -P mmap_low_allowed 1
***** Plugin catchall (5.76 confidence) suggests ***************************
If you believe that skype should be allowed mmap_zero access on the Unknown memprotect by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep skype /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023
Target Context unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023
Target Objects Unknown [ memprotect ]
Source skype
Source Path /usr/bin/skype
Port <Unknown>
Host mobile-pc.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.9.7-40.fc14
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name mobile-pc.localdomain
Platform Linux mobile-pc.localdomain 2.6.35.13-91.fc14.i686.PAE #1 SMP Tue May 3 13:29:55 UTC 2011 i686 i686
Alert Count 100
First Seen Mon 16 May 2011 03:37:35 PM EDT
Last Seen Mon 16 May 2011 03:37:35 PM EDT
Local ID 162a1493-50dc-4231-ad0f-808d6fe5330b
Raw Audit Messages
type=AVC msg=audit(1305574655.789:127): avc: denied { mmap_zero } for pid=2784 comm="skype" scontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=memprotect
Hash: skype,unconfined_execmem_t,unconfined_execmem_t,memprotect,mmap_zero
audit2allow
#============= unconfined_execmem_t ==============
#!!!! This avc is allowed in the current policy
allow unconfined_execmem_t self:memprotect mmap_zero;
audit2allow -R
#============= unconfined_execmem_t ==============
#!!!! This avc is allowed in the current policy
allow unconfined_execmem_t self:memprotect mmap_zero;
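The raw AVC record at the bottom of the alert is the one part worth handling by hand: setroubleshoot's three suggestions differ only in how much you trust the process, and the audit2allow output shows the access is already allowed by the installed policy, so on this system the generated rule would be redundant. The following Python is an added example for this thread (not setroubleshoot or audit2allow code): it parses an AVC denial line into its fields, prints the same candidate rule audit2allow prints, and flags class/permission pairs that should be investigated rather than allowed. The sample record is the one from the post; the HIGH_RISK table and the boolean mapping are this example's own assumptions (mmap_low_allowed is the boolean setroubleshoot names above).

```python
"""Parse SELinux AVC denial records and triage them.

Added example for this thread; it is not setroubleshoot or audit2allow code.
The HIGH_RISK table and the BOOLEAN_HINTS mapping are this example's own
assumptions; SAMPLE_AVC is the record from the post.
"""
import re
from datetime import datetime, timezone

# Record copied from the post's "Raw Audit Messages" section.
SAMPLE_AVC = (
    'type=AVC msg=audit(1305574655.789:127): avc: denied { mmap_zero } '
    'for pid=2784 comm="skype" '
    'scontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 '
    'tclass=memprotect'
)

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*"
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+"
    r"(?P<rest>.*)$"
)
# key=value pairs; values may be quoted (comm="skype") or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# (tclass, permission) pairs that mean "investigate", not "allow" (assumed table).
HIGH_RISK = {
    ("memprotect", "mmap_zero"):
        "maps memory below mmap_min_addr; a kernel NULL-pointer bug becomes exploitable",
    ("process", "execmem"): "writable and executable anonymous memory",
    ("process", "execstack"): "executable stack",
    ("process", "execheap"): "executable heap",
}
# Booleans that legitimately permit an access.  mmap_low_allowed is the one
# setroubleshoot names in the post; the mapping itself is this example's.
BOOLEAN_HINTS = {("memprotect", "mmap_zero"): "mmap_low_allowed"}


def type_of(context):
    """user:role:type:level -> type (the level may itself contain colons)."""
    return context.split(":")[2]


def parse_avc(line):
    """Return a dict of the AVC fields, or None if the line is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec = {
        "time": datetime.fromtimestamp(float(m.group("ts")), tz=timezone.utc),
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "pid": int(kv["pid"]) if "pid" in kv else None,
        "comm": kv.get("comm"),
        "scontext": kv.get("scontext"),
        "tcontext": kv.get("tcontext"),
        "tclass": kv.get("tclass"),
    }
    rec["stype"] = type_of(rec["scontext"]) if rec["scontext"] else None
    rec["ttype"] = type_of(rec["tcontext"]) if rec["tcontext"] else None
    return rec


def allow_rule(rec):
    """The allow rule audit2allow would emit; 'self' when source and target types match."""
    target = "self" if rec["stype"] == rec["ttype"] else rec["ttype"]
    perms = rec["perms"]
    perm = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {rec['stype']} {target}:{rec['tclass']} {perm};"


def triage(rec):
    """Return human-readable findings for each denied permission."""
    findings = []
    for perm in rec["perms"]:
        key = (rec["tclass"], perm)
        if key in HIGH_RISK:
            findings.append(f"HIGH RISK {rec['tclass']}:{perm}: {HIGH_RISK[key]}")
        if key in BOOLEAN_HINTS:
            findings.append(f"a boolean covers this access: setsebool -P {BOOLEAN_HINTS[key]} 1")
    if not findings:
        findings.append("no special handling; consider a local module if the access is expected")
    return findings


if __name__ == "__main__":
    rec = parse_avc(SAMPLE_AVC)
    print(rec["time"].strftime("%Y-%m-%d %H:%M:%S UTC"), rec["comm"], rec["pid"])
    print(allow_rule(rec))
    for finding in triage(rec):
        print(" -", finding)
```

The parsed timestamp (2011-05-16 19:37:35 UTC) is the alert's "First Seen" time in EDT, which is a quick way to confirm you are looking at the right record when audit.log holds many. Before allowing a memprotect:mmap_zero denial, check the current floor with `cat /proc/sys/kernel/mmap_min_addr`; lowering that value or enabling the boolean removes the kernel's main mitigation against NULL-pointer dereference exploits for every process, not just the one that triggered the alert.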
Fedora 14 does not respect /etc/sysconfig/selinux?
by Eric Warnke
I have a number of testing systems installed with Fedora 14. They were
installed with the minimal profile, have no third-party repositories or
RPMs installed, are fully up-to-date, and were exhibiting some strange
behavior with the corosync/pacemaker packages.
The problems with corosync are a direct result of the system not
respecting the /etc/sysconfig/selinux directives. I have attached some
sessions below to show the errant behavior.
Boot 1:
[root@tiny ~]# uptime
08:30:43 up 0 min, 1 user, load average: 0.15, 0.06, 0.02
[root@tiny ~]# getenforce
Enforcing
[root@tiny ~]# more /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
Boot 2:
[root@tiny ~]# uptime
08:33:01 up 0 min, 1 user, load average: 0.30, 0.06, 0.02
[root@tiny ~]# getenforce
Enforcing
[root@tiny ~]# cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
After a call to setenforce 0
[root@tiny ~]# getenforce
Permissive
As you can clearly see the SELINUX directive is being ignored during boot.
I have had to move startup of the affected packages to /etc/rc.local
after a call to setenforce 0.
Cheers,
Eric Warnke
Research IT Group
SUNY at Albany
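The thing to pin down in the sessions above is where the mode the kernel ends up in actually comes from. At boot the policy loader reads /etc/selinux/config (on Fedora, /etc/sysconfig/selinux is a symlink to that file), and the kernel command line overrides it: selinux=0 disables SELinux, and enforcing=0 or enforcing=1 forces permissive or enforcing regardless of the SELINUX= line. The following Python is an added example for this thread, not Fedora or libselinux code: it parses the config in the post's format, applies those overrides, and compares the result with a runtime mode passed in by hand. The two config texts are constructed from the post; the runtime_mode argument is a stand-in for what getenforce reports on the live system.

```python
"""Compare the SELinux mode a system booted into with what its config asked for.

Added example for this thread, not Fedora or libselinux code.  It parses
the /etc/sysconfig/selinux key=value format, applies the kernel command-line
overrides (selinux=0, enforcing=0/1) that win over the file, and diagnoses
a mismatch.  The config texts are from the post; 'runtime_mode' is a
stand-in for what getenforce (or /selinux/enforce) reports.
"""

VALID_MODES = ("enforcing", "permissive", "disabled")

# Constructed from the two sessions in the post (comment lines trimmed).
BOOT1_CONFIG = "SELINUX=permissive\nSELINUXTYPE=targeted\n"
BOOT2_CONFIG = "SELINUX=disabled\nSELINUXTYPE=targeted\n"


def parse_selinux_config(text):
    """Return the KEY=value pairs of an /etc/selinux/config-style file, ignoring comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf[key] = value.lower()
    return conf


def cmdline_override(cmdline):
    """Mode forced by the kernel command line, or None if it leaves the config alone."""
    params = dict(p.split("=", 1) for p in cmdline.split() if "=" in p)
    if params.get("selinux") == "0":
        return "disabled"
    if params.get("enforcing") == "0":
        return "permissive"
    if params.get("enforcing") == "1":
        return "enforcing"
    return None


def expected_mode(config_text, cmdline=""):
    """Mode the system should be in after boot, given the config file and kernel cmdline."""
    conf = parse_selinux_config(config_text)
    mode = conf.get("SELINUX")
    if mode not in VALID_MODES:
        raise ValueError(f"SELINUX= must be one of {VALID_MODES}, got {mode!r}")
    return cmdline_override(cmdline) or mode


def diagnose(config_text, cmdline, runtime_mode):
    """Return (ok, explanation) comparing the expected mode with what getenforce reports."""
    want = expected_mode(config_text, cmdline)
    got = runtime_mode.strip().lower()
    if got == want:
        return True, f"running {got}, as configured"
    forced = cmdline_override(cmdline)
    if forced:
        return False, f"kernel cmdline forces {forced} but the system reports {got}"
    return False, (
        f"config asks for {want} but the system is {got}; "
        "check that /etc/sysconfig/selinux is the symlink to /etc/selinux/config "
        "that init actually reads, and read /proc/cmdline for overrides"
    )


if __name__ == "__main__":
    # Both sessions in the post: the kernel reports Enforcing either way.
    for label, conf in (("Boot 1", BOOT1_CONFIG), ("Boot 2", BOOT2_CONFIG)):
        ok, why = diagnose(conf, "", "Enforcing")
        print(f"{label}: {'OK' if ok else 'MISMATCH'}: {why}")
```

On the affected machine the two inputs this script takes by hand are `cat /proc/cmdline` and `ls -l /etc/sysconfig/selinux /etc/selinux/config`; if the symlink has been replaced by a regular file, edits to /etc/sysconfig/selinux never reach the file the policy loader reads, which produces exactly the symptom of a config being "ignored" at boot while setenforce still works afterwards.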
During startup, many failed to set security context msgs
by Clyde E. Kunkel
Permissive mode, Fedora rawhide up-to-date as of 20110503. Expected or a
bug?
[ 56.268826] systemd-tmpfiles[1308]: Failed to set security context
system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.283356] systemd-tmpfiles[1308]: Failed to set security context
system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.285470] systemd-tmpfiles[1308]: Failed to set security context
system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.287470] systemd-tmpfiles[1308]: Failed to set security context
system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.289540] systemd-tmpfiles[1308]: Failed to set security context
system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.295823] systemd-tmpfiles[1308]: Failed to set security context
system_u:object_r:var_run_t:s0 for /run: Permission denied
[ 56.299256] systemd-tmpfiles[1308]: Failed to set security context
system_u:object_r:var_run_t:s0 for /run: Permission denied
[ 56.301278] systemd-tmpfiles[1308]: Failed to set security context
system_u:object_r:var_run_t:s0 for /run: Permission denied
[ 56.303297] systemd-tmpfiles[1308]: Failed to set security context
system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.305212] systemd-tmpfiles[1308]: Failed to set security context
system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.307129] systemd-tmpfiles[1308]: Failed to set security context
system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.308964] systemd-tmpfiles[1308]: Failed to set security context
system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.310833] systemd-tmpfiles[1308]: Failed to set security context
system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.312721] systemd-tmpfiles[1308]: Failed to set security context
system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.314588] systemd-tmpfiles[1308]: Failed to set security context
system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.316392] systemd-tmpfiles[1308]: Failed to set security context
system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.318191] systemd-tmpfiles[1308]: Failed to set security context
system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.320056] systemd-tmpfiles[1308]: Failed to set security context
system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.321812] systemd-tmpfiles[1308]: Failed to set security context
system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.323502] systemd-tmpfiles[1308]: Failed to set security context
system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.325167] systemd-tmpfiles[1308]: Failed to set security context
system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.326805] systemd-tmpfiles[1308]: Failed to set security context
system_u:object_r:var_run_t:s0 for /run: Permission denied
[ 56.328488] systemd-tmpfiles[1308]: Failed to set security context
system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.330128] systemd-tmpfiles[1308]: Failed to set security context
system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.341490] systemd-tmpfiles[1308]: Failed to set security context
system_u:object_r:var_run_t:s0 for /run: Permission denied
[ 56.343236] systemd-tmpfiles[1308]: Failed to set security context
system_u:object_r:tmp_t:s0 for /tmp: Permission denied
[ 56.344736] systemd-tmpfiles[1308]: Failed to set security context
system_u:object_r:tmp_t:s0 for /tmp: Permission denied
[ 56.346391] systemd-tmpfiles[1308]: Failed to set security context
system_u:object_r:tmp_t:s0 for /tmp: Permission denied
[ 56.348053] systemd-tmpfiles[1308]: Failed to set security context
system_u:object_r:tmp_t:s0 for /tmp: Permission denied
[ 56.349674] systemd-tmpfiles[1308]: Failed to set security context
system_u:object_r:tmp_t:s0 for /tmp: Permission denied
--
Regards,
OldFart
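Thirty near-identical lines hide how few distinct failures there actually are. The following Python is an added example for this thread, not systemd code: it parses the systemd-tmpfiles messages into (path, requested context, error), collapses the repeats into counts, and prints the restorecon command to re-run once the underlying cause is found. Three of the sample lines are copied from the post (one per distinct path, plus one repeat); the final EXT4 line is constructed to show that unrelated kernel messages are skipped.

```python
"""Collapse repeated systemd-tmpfiles 'Failed to set security context' messages.

Added example for this thread, not systemd code.  Four sample lines are
copied from the post; the last line is a constructed, unrelated kernel
message to show that non-matching input is skipped.
"""
import re
from collections import Counter

SAMPLE_DMESG = """\
[   56.268826] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   56.295823] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[   56.303297] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   56.343236] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied
[   56.400000] EXT4-fs (sda2): re-mounted. Opts: (null)
"""

LINE_RE = re.compile(
    r"^\[\s*(?P<uptime>\d+\.\d+)\]\s+"
    r"(?P<unit>systemd-tmpfiles)\[(?P<pid>\d+)\]:\s+"
    r"Failed to set security context (?P<context>\S+) for (?P<path>.+?): (?P<error>.+)$"
)


def parse_failures(text):
    """Yield one dict per matching line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["uptime"] = float(d["uptime"])
            d["pid"] = int(d["pid"])
            yield d


def summarize(text):
    """Count failures by (path, context, error); return sorted (path, context, error, n) tuples."""
    counts = Counter((f["path"], f["context"], f["error"]) for f in parse_failures(text))
    return sorted((path, ctx, err, n) for (path, ctx, err), n in counts.items())


def restorecon_command(summary):
    """Command to relabel the affected paths once the underlying failure is fixed."""
    paths = sorted({path for path, _, _, _ in summary})
    return "restorecon -v " + " ".join(paths)


if __name__ == "__main__":
    summary = summarize(SAMPLE_DMESG)
    for path, ctx, err, n in summary:
        print(f"{n:3d}x {path:<6} -> {ctx} ({err})")
    print(restorecon_command(summary))
```

Because the poster is in permissive mode, the companion check is the audit log: permissive mode still records AVC messages for anything that would have been denied, so `ausearch -m AVC -c systemd-tmpfiles` either shows a matching relabel denial for these paths or shows nothing, and that tells you whether SELinux policy is even part of the story before you start relabeling.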