On Tue, 2011-05-17 at 09:19 +0200, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 05/16/2011 10:23 PM, Francis Shim wrote:
> > SELinux is preventing /usr/bin/skype from mmap_zero access on the memprotect Unknown.
> >
> > ***** Plugin mmap_zero (53.1 confidence) suggests **************************
> >
> > If you do not think /usr/bin/skype should need to mmap low memory in the kernel.
> > Then you may be under attack by a hacker, this is a very dangerous access.
> > Do
> > contact your security administrator and report this issue.
> >
> > ***** Plugin catchall_boolean (42.6 confidence) suggests *******************
> >
> > If you want to control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr.
> > Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean.
> > Do
> > setsebool -P mmap_low_allowed 1
> >
> > ***** Plugin catchall (5.76 confidence) suggests ***************************
> >
> > If you believe that skype should be allowed mmap_zero access on the Unknown memprotect by default.
> > Then you should report this as a bug.
> > You can generate a local policy module to allow this access.
> > Do
> > allow this access for now by executing:
> > # grep skype /var/log/audit/audit.log | audit2allow -M mypol
> > # semodule -i mypol.pp
> >
> > Additional Information:
> > Source Context unconfined_u:unconfined_r:unconfined_execmem_t:s0-
> > s0:c0.c1023
> > Target Context unconfined_u:unconfined_r:unconfined_execmem_t:s0-
> > s0:c0.c1023
> > Target Objects Unknown [ memprotect ]
> > Source skype
> > Source Path /usr/bin/skype
> > Port <Unknown>
> > Host mobile-pc.localdomain
> > Source RPM Packages
> > Target RPM Packages
> > Policy RPM selinux-policy-3.9.7-40.fc14
> > Selinux Enabled True
> > Policy Type targeted
> > Enforcing Mode Enforcing
> > Host Name mobile-pc.localdomain
> > Platform Linux mobile-pc.localdomain
> > 2.6.35.13-91.fc14.i686.PAE #1 SMP Tue May 3
> > 13:29:55 UTC 2011 i686 i686
> > Alert Count 100
> > First Seen Mon 16 May 2011 03:37:35 PM EDT
> > Last Seen Mon 16 May 2011 03:37:35 PM EDT
> > Local ID 162a1493-50dc-4231-ad0f-808d6fe5330b
> >
> > Raw Audit Messages
> > type=AVC msg=audit(1305574655.789:127): avc: denied { mmap_zero } for pid=2784 comm="skype" scontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=memprotect
> >
> >
> > Hash: skype,unconfined_execmem_t,unconfined_execmem_t,memprotect,mmap_zero
> >
> > audit2allow
> >
> > #============= unconfined_execmem_t ==============
> > #!!!! This avc is allowed in the current policy
> >
> > allow unconfined_execmem_t self:memprotect mmap_zero;
> >
> > audit2allow -R
> >
> > #============= unconfined_execmem_t ==============
> > #!!!! This avc is allowed in the current policy
> >
> > allow unconfined_execmem_t self:memprotect mmap_zero;
> >
> >
> >
> > --
> > selinux mailing list
> > selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
> >
> >
>
> The alert tells you what you can do to allow it. The access is
> dangerous, if it is really needed. Did skype actually work? Did you
> report this bug to Skype?
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk3SIXUACgkQrlYvE4MpobOl9QCgu3TffLIP+JSKE7ehvAdOKayr
> hcEAnRLW3Q9AjiwqGDxNwDhhwhTjRxhE
> =52Nf
> -----END PGP SIGNATURE-----
I am trying to report to Skype; however, I really wanted to get some
credibility feedback from the SELinux forum before i do, because I was
really puzzled as to whether the following is happening:
Skype is really trying to access "low memory" (ie: < 1 MB) or is it DMA
memory areas? In either case, it just kind of freaked me out when I saw
it.
I am gambling that it is for DMA purposes so I allowed the access and
Skype works fine now; however, you can bet that I will be forwarding my
concerns to Skype. I hope I am not the only one who run into this
because it might mean that I really might have a virus.
Peace,
Frank
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
