Wine . AVC Denial

Paul516 · #1 20th March 2012, 05:18 PM

In SELinux I have AVC denial every time I try to start Wine . I installed Wine from Fedora16 software installer . I am trying to load a workshop manual and I need the index . Whatever icon I use for Wine I get the SELinux error , So I cannot use the help from there . I have tried the answers given on the other post on this problem with no success . Any thoughts ?

pete_1967 · #2 20th March 2012, 07:06 PM

Post the denial message.

Paul516 · #3 20th March 2012, 07:31 PM

SELinux is preventing /usr/bin/wine-preloader from mmap_zero access on the memprotect .

***** Plugin wine (34.9 confidence) suggests *******************************

If you want to ignore this AVC because it is dangerous and your wine applications are working correctly.
Then you must tell SELinux about this by enabling the wine_mmap_zero_ignore boolean.
Do
# setsebool -P wine_mmap_zero_ignore 1

***** Plugin mmap_zero (34.9 confidence) suggests **************************

If you do not think /usr/bin/wine-preloader should need to mmap low memory in the kernel.
Then you may be under attack by a hacker, this is a very dangerous access.
Do
contact your security administrator and report this issue.

***** Plugin catchall_boolean (28.0 confidence) suggests *******************

If you want to control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr.
Then you must tell SELinux about this by enabling the 'mmap_low_allowed'boolean.
Do
setsebool -P mmap_low_allowed 1

***** Plugin catchall (3.94 confidence) suggests ***************************

If you believe that wine-preloader should be allowed mmap_zero access on the memprotect by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep wine-preloader /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023
Target Context unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023
Target Objects [ memprotect ]
Source wine-preloader
Source Path /usr/bin/wine-preloader
Port <Unknown>
Host localhost.localdomain
Source RPM Packages wine-core-1.4-1.fc16.i686
Target RPM Packages
Policy RPM selinux-policy-3.10.0-75.fc16.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 3.2.10-3.fc16.i686 #1
SMP Thu Mar 15 21:16:58 UTC 2012 i686 i686
Alert Count 103
First Seen Tue 20 Mar 2012 11:20:05 AM GMT
Last Seen Tue 20 Mar 2012 06:26:29 PM GMT
Local ID 5eda6e7f-283a-4337-843c-bd886a3cef2b

Raw Audit Messages
type=AVC msg=audit(1332267989.949:82): avc: denied { mmap_zero } for pid=1832 comm="wine-preloader" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect

type=SYSCALL msg=audit(1332267989.949:82): arch=i386 syscall=mmap success=no exit=EACCES a0=bfafc3a8 a1=0 a2=bfafc3a8 a3=0 items=0 ppid=1 pid=1832 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm=wine-preloader exe=/usr/bin/wine-preloader subj=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 key=(null)

Hash: wine-preloader,wine_t,wine_t,memprotect,mmap_zero

audit2allow

#============= wine_t ==============
#!!!! This avc can be allowed using the boolean 'mmap_low_allowed'

allow wine_t self:memprotect mmap_zero;

audit2allow -R

#============= wine_t ==============
#!!!! This avc can be allowed using the boolean 'mmap_low_allowed'

allow wine_t self:memprotect mmap_zero;

these are the details from the SELinux Alert browser .

pete_1967 · #4 21st March 2012, 12:44 AM

And the answer and solution to your problem is right there in plain English, as always. Just read the message properly.

Paul516 · #5 21st March 2012, 01:29 AM

All commands in the error report return a 'KDE Man report , Error

pete_1967 · #6 21st March 2012, 10:57 AM

Copy and paste the results from your terminal then. From the line where you start to the last line so we can have a look.

Paul516 · #7 21st March 2012, 12:02 PM

Maybe thats the problem , I have never used the terminal before .

pete_1967 · #8 21st March 2012, 02:44 PM

Code:

su -
[enter your root password]
setsebool -P mmap_low_allowed 1

to start with.

Any errors, use mouse to highlight everything from "su -" onwards, right click and select copy. Then paste here using code tags.

And for the future reference: provide as much information as possible right from the start (including your competence level) so those who may be able to help don't have feel like they're pulling teeth out of your mouth.

Paul516 · #9 21st March 2012, 03:19 PM

[root@localhost ~]# -[000000]
bash: -[000000]: command not found
[root@localhost ~]# setsebool -P mmap_low_allowed 1-000000
setsebool: illegal value 1-000000 for boolean mmap_low_allowed
[root@localhost ~]# setsebool -P mmap_low_allowed 1

This off Konsol . I have been using Fedora for two years but not tried to do anything other than using the OS.

pete_1967 · #10 22nd March 2012, 12:40 AM

Quote:

Originally Posted by Paul516

[root@localhost ~]# -[000000]
bash: -[000000]: command not found
[root@localhost ~]# setsebool -P mmap_low_allowed 1-000000
setsebool: illegal value 1-000000 for boolean mmap_low_allowed
[root@localhost ~]# setsebool -P mmap_low_allowed 1

This off Konsol . I have been using Fedora for two years but not tried to do anything other than using the OS.

That's not what I asked you to do, however, your 2nd attempt didn't produce any errors therefore it should have worked. Start Wine and see if you still get the denials.