PDA

View Full Version : SE Linux + Teamviewer and mmap_zero issues



DupermanDave
8th July 2012, 12:22 AM
I'm using teamviewer so I can remote in from my android. Long story short, Fedora keeps giving me this SELinux alert with the following details:


SELinux is preventing wine-preloader from mmap_zero access on the memprotect .

***** Plugin mmap_zero (53.1 confidence) suggests **************************

If you do not think wine-preloader should need to mmap low memory in the kernel.
Then you may be under attack by a hacker, this is a very dangerous access.
Do
contact your security administrator and report this issue.

***** Plugin catchall_boolean (42.6 confidence) suggests *******************

If you want to mmap_low_allowed
Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean.You can read 'wine_selinux' man page for more details.
Do
setsebool -P mmap_low_allowed 1

***** Plugin catchall (5.76 confidence) suggests ***************************

If you believe that wine-preloader should be allowed mmap_zero access on the memprotect by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep wine-preloader /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023
Target Context unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023
Target Objects [ memprotect ]
Source wine-preloader
Source Path wine-preloader
Port <Unknown>
Host TITAN
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.10.0-134.fc17.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name TITAN
Platform Linux TITAN 3.4.4-3.fc17.x86_64 #1 SMP Tue Jun 26
20:54:56 UTC 2012 x86_64 x86_64
Alert Count 5
First Seen Sat 07 Jul 2012 03:58:25 AM PDT
Last Seen Sat 07 Jul 2012 03:58:26 AM PDT
Local ID 3f2b24a7-4b8a-4763-a1d5-645e0276424c

Raw Audit Messages
type=AVC msg=audit(1341658706.930:46): avc: denied { mmap_zero } for pid=1105 comm="wine-preloader" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect


Hash: wine-preloader,wine_t,wine_t,memprotect,mmap_zero

audit2allowunable to open /sys/fs/selinux/policy: Permission denied


audit2allow -Runable to open /sys/fs/selinux/policy: Permission denied



I tried using "setsebool -P mmap_low_allowed 1" from the command line and nothing really happened. Processor use went way up but that's about it. So I tried "teamviewer setsebool -P mmap_low_allowed 1" as shown in the wine man page, but upong a restart I got the same error. Anything else I can try to get rid of this?

---------- Post added at 04:22 PM ---------- Previous post was at 11:06 AM ----------

Nevermind. I think I got it. I let it sit for a few hours and it finished doing whatever. I havent gotten the error yet.