R.
On Wed, Sep 1, 2010 at 7:24 PM, Dominick Grift <domg472@xxxxxxxxx> wrote:
Good call. Wine does not always really need this permission. Only when one runs older windows applications is it that one may notice loss in functionality.On Wed, Sep 01, 2010 at 03:49:14PM -0700, Antonio Olivares wrote:
> Dear selinux experts,
>
> I have a sealert for running a windows program under wine. There had been no problems on a Fedora 13 x86_64 machine till I installed this program. I have not done anything yet. The program runs, but I am hesitant to do anything; therefore I ask for your guidance as to what should I do?
>
> Here's the alert:
>
>
> Summary:
>
> SELinux has prevented wine from performing an unsafe memory operation.
>
> Detailed Description:
>
> SELinux denied an operation requested by wine-preloader, a program used to run
> Windows applications under Linux. This program is known to use an unsafe
> operation on system memory but so are a number of malware/exploit programs which
> masquerade as wine. If you were attempting to run a Windows program your only
> choices are to allow this operation and reduce your system security against such
> malware or to refrain from running Windows applications under Linux. If you were
> not attempting to run a Windows application this indicates you are likely being
> attacked by some for of malware or program trying to exploit your system for
> nefarious purposes. Please refer to
> http://wiki.winehq.org/PreloaderPageZeroProblem Which outlines the other
> problems wine encounters due to its unsafe use of memory and solutions to those
> problems.
>
> Allowing Access:
>
> If you decide to continue to run the program in question you will need to allow
> this operation. This can be done on the command line by executing: # setsebool
> -P mmap_low_allowed 1
>
> Fix Command:
>
> /usr/sbin/setsebool -P mmap_low_allowed 1
>
> Additional Information:
>
> Source Context unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023
> Target Context unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023
> Target Objects None [ memprotect ]
> Source wine-preloader
> Source Path /usr/bin/wine-preloader
> Port <Unknown>
> Host n6355-50168
> Source RPM Packages wine-core-1.2.0-2.fc13
> Target RPM Packages
> Policy RPM selinux-policy-3.7.19-47.fc13
> Selinux Enabled True
> Policy Type targeted
> Enforcing Mode Enforcing
> Plugin Name wine
> Host Name n6355-50168
> Platform Linux n6355-50168 2.6.33.8-149.fc13.x86_64 #1 SMP
> Tue Aug 17 22:53:15 UTC 2010 x86_64 x86_64
> Alert Count 10
> First Seen Fri 27 Aug 2010 11:45:10 AM CDT
> Last Seen Wed 01 Sep 2010 09:32:26 AM CDT
> Local ID ab7d4dae-5686-4d47-ab3b-4ea134844ade
> Line Numbers
>
> Raw Audit Messages
>
> node=n6355-50168 type=AVC msg=audit(1283351546.640:36): avc: denied { mmap_zero } for pid=4115 comm="wine-preloader" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect
>
> node=n6355-50168 type=SYSCALL msg=audit(1283351546.640:36): arch=40000003 syscall=90 success=no exit=-13 a0=ffe4a850 a1=0 a2=ffe4a850 a3=5a items=0 ppid=4088 pid=4115 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="wine-preloader" exe="/usr/bin/wine-preloader" subj=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 key=(null)
>
>
>
> I run the windows program correctly and with no problems, just that when I start the program I see the sealert(warning). I don't really want to give this program what it is wanting for me to do, but I also don't want to see the warning everytime. How should I approach this matter?
There is a boolean that one can toggle to silently deny this access vector:
setsebool -P wine_mmap_zero_ignore on
Again, This will not allow wine to mmap low (which is a dangerous ability), but instead it will hide attempt by wine to do so.
>
> Thanks in Advance,
>
> Antonio
>
>
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
