FedoraForum.org - Fedora Support Forums and Community
Results 1 to 9 of 9
  1. #1
    Join Date
    May 2011
    Posts
    23

    Foxit Reader and SELinux

    Hello
    I installed Wine in order to install the windows Foxit Reader and during installation I got this message for SELinux


    Code:
    SELinux is preventing /usr/bin/wine-preloader from mmap_zero access on the memprotect Unknown.
    
    *****  Plugin mmap_zero (34.9 confidence) suggests  **************************
    
    If you do not think /usr/bin/wine-preloader should need to mmap low memory in the kernel.
    Then you may be under attack by a hacker, this is a very dangerous access.
    Do
    contact your security administrator and report this issue.
    
    *****  Plugin wine (34.9 confidence) suggests  *******************************
    
    If you want to ignore this AVC because it is dangerous and your wine applications are working correctly.
    Then you must tell SELinux about this by enabling the wine_mmap_zero_ignore boolean.
    Do
    # setsebool -P wine_mmap_zero_ignore 1
    
    *****  Plugin catchall_boolean (28.0 confidence) suggests  *******************
    
    If you want to control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr.
    Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean.
    Do
    setsebool -P mmap_low_allowed 1
    
    *****  Plugin catchall (3.94 confidence) suggests  ***************************
    
    If you believe that wine-preloader should be allowed mmap_zero access on the Unknown memprotect by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # grep wine-preloader /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp
    
    Additional Information:
    Source Context                unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023
    Target Context                unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023
    Target Objects                Unknown [ memprotect ]
    Source                        wine-preloader
    Source Path                   /usr/bin/wine-preloader
    Port                          <Unknown>
    Host                          localhost.localdomain
    Source RPM Packages           wine-core-1.3.23-1.fc15
    Target RPM Packages           
    Policy RPM                    selinux-policy-3.9.16-32.fc15
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Enforcing
    Host Name                     localhost.localdomain
    Platform                      Linux localhost.localdomain
                                  2.6.38.8-35.fc15.i686.PAE #1 SMP Wed Jul 6
                                  14:29:06 UTC 2011 i686 i686
    Alert Count                   26
    First Seen                    Thu 14 Jul 2011 10:19:06 AM BST
    Last Seen                     Thu 14 Jul 2011 10:20:42 AM BST
    Local ID                      6cd2e329-9f73-456f-a286-55eb928260ca
    
    Raw Audit Messages
    type=AVC msg=audit(1310635242.551:105): avc:  denied  { mmap_zero } for  pid=2997 comm="wine-preloader" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect
    
    
    type=SYSCALL msg=audit(1310635242.551:105): arch=i386 syscall=mmap success=no exit=EACCES a0=bf91ae78 a1=0 a2=bf91ae78 a3=0 items=0 ppid=2982 pid=2997 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=wine-preloader exe=/usr/bin/wine-preloader subj=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 key=(null)
    
    Hash: wine-preloader,wine_t,wine_t,memprotect,mmap_zero
    
    audit2allow
    
    #============= wine_t ==============
    #!!!! This avc can be allowed using the boolean 'mmap_low_allowed'
    
    allow wine_t self:memprotect mmap_zero;
    
    audit2allow -R
    
    #============= wine_t ==============
    #!!!! This avc can be allowed using the boolean 'mmap_low_allowed'
    
    allow wine_t self:memprotect mmap_zero;
    what do you suggest me to do in this situation? should I allow wine-preloader to access mmap low memory in kernel? conrtol the ability to mmap a low area of the address space? allow access by default? or ignore it?

  2. #2
    Join Date
    Aug 2005
    Location
    Ann Arbor
    Age
    50
    Posts
    3,952

    Re: Foxit Reader and SELinux

    foxit ? in wine ?
    you do know that fedora has evince installed by default
    or the better Okular in the repos

    and that there is a linux foxit
    a very old and very dead fedora 9 rpm
    http://www.foxitsoftware.com/pdf/des.../download.html
    OpenSUSE 13.2-64bit & Scientific Linux 6.6-64bit ( fedora 4 to 11) and 20 on KVM
    My Celestia Downloads

    h t t p ://celestiamotherlode.net/catalog/show_creator_details.php?creator_id=10

  3. #3
    Join Date
    Jul 2006
    Location
    Montana
    Posts
    732

    Re: Foxit Reader and SELinux

    That error message is telling you which two Booleans to set, did you try them ?
    If it is not broken, tweak it... If you break Fedora you get to keep both pieces :p

  4. #4
    Join Date
    Sep 2006
    Location
    Connellsville, PA, USA
    Posts
    11,307

    Re: Foxit Reader and SELinux

    I installed Wine in order to install the windows Foxit Reader
    Why? Foxit offers an RPM: http://www.foxitsoftware.com/downloads/ && see "Other Platform Reader" => "Foxit Reader 1.1 Build 20090810 for Desktop Linux(bz2)" => "More Download" && select the RPM.

    V

  5. #5
    Join Date
    May 2011
    Posts
    23

    Re: Foxit Reader and SELinux

    Quote Originally Posted by JohnVV
    foxit ? in wine ?
    you do know that fedora has evince installed by default
    or the better Okular in the repos

    and that there is a linux foxit
    a very old and very dead fedora 9 rpm
    http://www.foxitsoftware.com/pdf/des.../download.html
    the only reason for installing the windows FoxitReader is because I read a lot of ebooks and it allows me to highlight text. The linux version is very old as you said and evince, okular and adobe reader do not allow me to highlight text.

    ---------- Post added at 11:56 AM ---------- Previous post was at 11:55 AM ----------

    Quote Originally Posted by Hlingler
    Why? Foxit offers an RPM: http://www.foxitsoftware.com/downloads/ && see "Other Platform Reader" => "Foxit Reader 1.1 Build 20090810 for Desktop Linux(bz2)" => "More Download" && select the RPM.

    V
    thats a very old version and it doesn't allow me to highlight text in a pdf

  6. #6
    Join Date
    Nov 2007
    Posts
    80

    Re: Foxit Reader and SELinux

    It seems you don't have gotten an answer yet.

    You can just ignore the selinux messages.

  7. #7
    Join Date
    May 2011
    Posts
    23

    Re: Foxit Reader and SELinux

    Quote Originally Posted by bodhi.zazen
    That error message is telling you which two Booleans to set, did you try them ?
    no not yet, I wanted to make sure that this is not a threat to my system's security and since no one made a comment about that I guess there is no threat. I will try the 'default' option.

    ---------- Post added at 12:16 PM ---------- Previous post was at 12:09 PM ----------

    Quote Originally Posted by bsund
    It seems you don't have gotten an answer yet.

    You can just ignore the selinux messages.
    : ) yes indeed I wanted to know if it is a threat or not... if I ignore the SELinux message and don't allow foxit to have access to the memory, would I be able to work with foxit in its full capability?

  8. #8
    Join Date
    Nov 2007
    Posts
    80

    Re: Foxit Reader and SELinux

    Quote Originally Posted by aristotelix
    : ) yes indeed I wanted to know if it is a threat or not... if I ignore the SELinux message and don't allow foxit to have access to the memory, would I be able to work with foxit in its full capability?
    Ya, it should only be a problem with really old windows applications.

  9. #9
    Join Date
    May 2011
    Posts
    23

    Re: Foxit Reader and SELinux

    thanks everyone for sharing their views and comments

Similar Threads

  1. Fc-14 Adobe reader 9, problem SELinux
    By micheline in forum Using Fedora
    Replies: 1
    Last Post: 5th November 2010, 02:50 PM
  2. Foxit Reader 1.1 can not restore document state any more
    By lovenemesis in forum Using Fedora
    Replies: 3
    Last Post: 10th November 2009, 02:46 AM
  3. memorycard reader, fingerprint reader drivers?
    By Fittersman in forum Hardware & Laptops
    Replies: 1
    Last Post: 20th August 2007, 08:49 AM
  4. Adobe Reader 7.05 -- Selinux Problem
    By commander129 in forum Using Fedora
    Replies: 2
    Last Post: 3rd April 2006, 04:30 PM
  5. SELinux and Adobe Reader 7.0
    By Danny in forum Security and Privacy
    Replies: 12
    Last Post: 23rd June 2005, 10:32 PM

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •