fedora-selinux September 2010 archive

Re: wine preloader? being denied by selinux

From: Ryan Anthony <mica1884_at_nospam>
Date: Thu Sep 02 2010 - 00:02:59 GMT
To: Dominick Grift <domg472@gmail.com>

Yeah, I've actually noticed that same thing happening too, but the trouble
is that wine_mmap_zero_ignore is set to "on" already on my machine.

R.

On Wed, Sep 1, 2010 at 7:24 PM, Dominick Grift <domg472@gmail.com> wrote:

> On Wed, Sep 01, 2010 at 03:49:14PM -0700, Antonio Olivares wrote:
> > Dear selinux experts,
> >
> > I have a sealert for running a windows program under wine. There had
> > been no problems on a Fedora 13 x86_64 machine till I installed this
> > program. I have not done anything yet. The program runs, but I am hesitant
> > to do anything; therefore I ask for your guidance as to what should I do?
> >
> > Here's the alert:
> >
> >
> > Summary:
> >
> > SELinux has prevented wine from performing an unsafe memory operation.
> >
> > Detailed Description:
> >
> > SELinux denied an operation requested by wine-preloader, a program used to run
> > Windows applications under Linux. This program is known to use an unsafe
> > operation on system memory but so are a number of malware/exploit programs which
> > masquerade as wine. If you were attempting to run a Windows program your only
> > choices are to allow this operation and reduce your system security against such
> > malware or to refrain from running Windows applications under Linux. If you were
> > not attempting to run a Windows application this indicates you are likely being
> > attacked by some for of malware or program trying to exploit your system for
> > nefarious purposes. Please refer to
> > http://wiki.winehq.org/PreloaderPageZeroProblem Which outlines the other
> > problems wine encounters due to its unsafe use of memory and solutions to those
> > problems.
> >
> > Allowing Access:
> >
> > If you decide to continue to run the program in question you will need to allow
> > this operation. This can be done on the command line by executing: # setsebool
> > -P mmap_low_allowed 1
> >
> > Fix Command:
> >
> > /usr/sbin/setsebool -P mmap_low_allowed 1
> >
> > Additional Information:
> >
> > Source Context                unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023
> > Target Context                unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023
> > Target Objects                None [ memprotect ]
> > Source                        wine-preloader
> > Source Path                   /usr/bin/wine-preloader
> > Port                          <Unknown>
> > Host                          n6355-50168
> > Source RPM Packages           wine-core-1.2.0-2.fc13
> > Target RPM Packages
> > Policy RPM                    selinux-policy-3.7.19-47.fc13
> > Selinux Enabled               True
> > Policy Type                   targeted
> > Enforcing Mode                Enforcing
> > Plugin Name                   wine
> > Host Name                     n6355-50168
> > Platform                      Linux n6355-50168 2.6.33.8-149.fc13.x86_64 #1 SMP Tue Aug 17 22:53:15 UTC 2010 x86_64 x86_64
> > Alert Count                   10
> > First Seen                    Fri 27 Aug 2010 11:45:10 AM CDT
> > Last Seen                     Wed 01 Sep 2010 09:32:26 AM CDT
> > Local ID                      ab7d4dae-5686-4d47-ab3b-4ea134844ade
> > Line Numbers
> >
> > Raw Audit Messages
> >
> > node=n6355-50168 type=AVC msg=audit(1283351546.640:36): avc: denied { mmap_zero } for pid=4115 comm="wine-preloader" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect
> >
> > node=n6355-50168 type=SYSCALL msg=audit(1283351546.640:36): arch=40000003 syscall=90 success=no exit=-13 a0=ffe4a850 a1=0 a2=ffe4a850 a3=5a items=0 ppid=4088 pid=4115 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="wine-preloader" exe="/usr/bin/wine-preloader" subj=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 key=(null)
> >
> >
> >
> > I run the windows program correctly and with no problems, just that when
> > I start the program I see the sealert (warning). I don't really want to give
> > this program what it is wanting for me to do, but I also don't want to see
> > the warning every time. How should I approach this matter?
>
> Good call. Wine does not always really need this permission. Only when one
> runs older windows applications is it that one may notice loss in
> functionality.
>
> There is a boolean that one can toggle to silently deny this access vector:
>
> setsebool -P wine_mmap_zero_ignore on
>
> Again, this will not allow wine to mmap low (which is a dangerous ability),
> but instead it will hide attempts by wine to do so.
>
>
>
> >
> > Thanks in Advance,
> >
> > Antonio
> >
> >
> >
> > --
> > selinux mailing list
> > selinux@lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
>

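The alert quoted in this thread warns that programs masquerading as wine trigger the same `mmap_zero` denial, so before hiding it with a boolean it is worth confirming which binary and domain actually raised it. The following is an added example, not code from the thread or from the SELinux project: it pairs AVC and SYSCALL records by audit event id and checks the executable path and source type against the values shown in the alert. The function names are hypothetical, and the second event in the sample log is constructed.

```python
import re
from collections import defaultdict

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")  # timestamp:serial links records
KEYVAL = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"denied\s+\{([^}]*)\}")

# Event :36 is the record pair quoted in the thread; event :41 is constructed.
SAMPLE_LOG = """\
node=n6355-50168 type=AVC msg=audit(1283351546.640:36): avc: denied { mmap_zero } for pid=4115 comm="wine-preloader" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect
node=n6355-50168 type=SYSCALL msg=audit(1283351546.640:36): arch=40000003 syscall=90 success=no exit=-13 a0=ffe4a850 a1=0 a2=ffe4a850 a3=5a items=0 ppid=4088 pid=4115 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="wine-preloader" exe="/usr/bin/wine-preloader" subj=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1283351600.100:41): avc: denied { mmap_zero } for pid=4200 comm="wine-preloader" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect
type=SYSCALL msg=audit(1283351600.100:41): arch=40000003 syscall=90 success=no exit=-13 pid=4200 comm="wine-preloader" exe="/tmp/wine-preloader" key=(null)
"""

def selinux_type(context):
    """Return the type field of a user:role:type:level context, or None."""
    parts = (context or "").split(":")
    return parts[2] if len(parts) > 2 else None

def triage_mmap_zero(log_text, expected_exe="/usr/bin/wine-preloader",
                     expected_type="wine_t"):
    """Classify each mmap_zero denial as 'expected' or 'investigate'."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KEYVAL.findall(line)}
        ev = events[m.group(1)]
        if fields.get("type") == "AVC":
            p = PERMS.search(line)
            ev["perms"] = p.group(1).split() if p else []
            ev["domain"] = selinux_type(fields.get("scontext"))
        elif fields.get("type") == "SYSCALL":
            ev["exe"] = fields.get("exe")  # comm can be spoofed; exe is the real path
    findings = []
    for event_id, ev in events.items():
        if "mmap_zero" not in ev.get("perms", []):
            continue
        ok = ev.get("exe") == expected_exe and ev.get("domain") == expected_type
        findings.append({"event": event_id, "exe": ev.get("exe"),
                         "domain": ev.get("domain"),
                         "verdict": "expected" if ok else "investigate"})
    return findings

if __name__ == "__main__":
    for finding in triage_mmap_zero(SAMPLE_LOG):
        print(finding)
```

A denial with no matching SYSCALL record is reported as `investigate`, since the executable path cannot be confirmed from the AVC record alone.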