[Bug 43192] New: Wine Staging 2.10 run afoul of SELinux


[Bug 43192] New: Wine Staging 2.10 run afoul of SELinux

Wine - Bugs mailing list
https://bugs.winehq.org/show_bug.cgi?id=43192

            Bug ID: 43192
           Summary: Wine Staging 2.10 run afoul of SELinux
           Product: Wine-staging
           Version: 2.10
          Hardware: x86
                OS: Linux
            Status: UNCONFIRMED
          Severity: major
          Priority: P2
         Component: -unknown
          Assignee: [hidden email]
          Reporter: [hidden email]
                CC: [hidden email], [hidden email],
                    [hidden email]
      Distribution: ---

Wine Staging 2.10 is annoying SELinux:

SELinux is preventing /usr/local/bin/wine-preloader from mmap_zero access on
the memprotect Unknown.

*****  Plugin mmap_zero (53.1 confidence) suggests   *************************

If you do not think /usr/local/bin/wine-preloader should need to mmap low
memory in the kernel.
Then you may be under attack by a hacker, this is a very dangerous access.
Do
contact your security administrator and report this issue.

*****  Plugin catchall_boolean (42.6 confidence) suggests   ******************

If you want to allow mmap to low allowed
Then you must tell SELinux about this by enabling the 'mmap_low_allowed'
boolean.
You can read 'None' man page for more details.
Do
setsebool -P mmap_low_allowed 1

*****  Plugin catchall (5.76 confidence) suggests   **************************

If you believe that wine-preloader should be allowed mmap_zero access on the
Unknown memprotect by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'wine-preloader' --raw | audit2allow -M my-winepreloader
# semodule -i my-winepreloader.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                Unknown [ memprotect ]
Source                        wine-preloader
Source Path                   /usr/local/bin/wine-preloader
Port                          <Unknown>
Host                          rn4.rent-a-nerd.local
Source RPM Packages          
Target RPM Packages          
Policy RPM                    selinux-policy-3.13.1-102.el7_3.16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     rn4.rent-a-nerd.local
Platform                      Linux rn4.rent-a-nerd.local
                              3.10.0-514.6.1.el7.x86_64 #1 SMP Tue Jan 17
                              11:12:41 CST 2017 x86_64 x86_64
Alert Count                   35
First Seen                    2017-03-01 19:29:13 PST
Last Seen                     2017-06-16 19:34:44 PDT
Local ID                      ea843281-ca8b-4658-bdfb-4d6bcdadbb9c

Raw Audit Messages
type=AVC msg=audit(1497666884.922:1427): avc:  denied  { mmap_zero } for  pid=29453 comm="wine-preloader" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect


Hash: wine-preloader,unconfined_t,unconfined_t,memprotect,mmap_zero

--
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.



[Bug 43192] Wine 2.10 run afoul of SELinux

Wine - Bugs mailing list
https://bugs.winehq.org/show_bug.cgi?id=43192

Michael Müller <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|major                       |normal
            Product|Wine-staging                |Wine
            Summary|Wine Staging 2.10 run afoul |Wine 2.10 run afoul of
                   |of SELinux                  |SELinux
          Component|-unknown                    |-unknown

--- Comment #1 from Michael Müller <[hidden email]> ---
This behavior is expected. Wine needs to allocate the first megabyte in the
address space to run DOS software in the vm8086 mode. If you do not need to use
any DOS software, you can deny access to the low memory area and the rest of
Wine will still work.

This feature is not limited to Wine Staging, so moving to Wine product.



[Bug 43192] Wine 2.10 run afoul of SELinux

Wine - Bugs mailing list
https://bugs.winehq.org/show_bug.cgi?id=43192

--- Comment #2 from Todd Chester <[hidden email]> ---
(In reply to Michael Müller from comment #1)
> This behavior is expected. Wine needs to allocate the first megabyte in the
> address space to run DOS software in the vm8086 mode. If you do not need to
> use any DOS  software, you can deny access to the low memory area and the
> rest of Wine will still work.
>
> This feature is not limited to Wine Staging, so moving to Wine product.


Q.  If this is expected, why did it start occurring in 2.10 and not in 2.9?



[Bug 43192] wine-preloader shows SELinux warning when kernel is compiled with CONFIG_DEFAULT_MMAP_MIN_ADDR < CONFIG_LSM_MMAP_MIN_ADDR

Wine - Bugs mailing list
https://bugs.winehq.org/show_bug.cgi?id=43192

Sebastian Lackner <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Wine 2.10 run afoul of      |wine-preloader shows SELinux warning when kernel
                   |SELinux                     |is compiled with CONFIG_DEFAULT_MMAP_MIN_ADDR <
                   |                            |CONFIG_LSM_MMAP_MIN_ADDR
          Component|-unknown                    |-unknown
            Product|Wine                        |Wine-staging

--- Comment #3 from Sebastian Lackner <[hidden email]> ---
I have added a patch to workaround this warning, so it will disappear again
with the next release. Please note that the warning is harmless, and can be
safely ignored.

Even before 2.10, Wine already tried to allocate this memory region, which is
necessary for running DOS applications. A failure is not critical, except that
you will lack support for running such apps. The warning appeared because of a
change related to the preloader on macOS. We split the allocation of the DOS
area (0x0 - 0x10000) into two separate allocations.

Although both methods are technically identical, the SELinux code is written in
such a way that only the new method will trigger a warning. By looking at the
kernel code, it only seems to affect kernel versions compiled with
CONFIG_DEFAULT_MMAP_MIN_ADDR < CONFIG_LSM_MMAP_MIN_ADDR.


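The raw AVC record in the original report and the kernel-configuration condition named in comment #3 can both be checked mechanically. The following is an added example, not code from the bug thread, Wine or setroubleshoot: it parses AVC lines of the form shown under "Raw Audit Messages", rebuilds the same `comm,source type,target type,tclass,permission` signature that setroubleshoot prints on its `Hash:` line, separates the known Wine low-memory mapping from any other process that is denied `memprotect mmap_zero`, and reads the two `CONFIG_*_MMAP_MIN_ADDR` options out of a kernel config to tell whether `CONFIG_DEFAULT_MMAP_MIN_ADDR < CONFIG_LSM_MMAP_MIN_ADDR` holds. The sample audit lines and the sample config are constructed (the first audit line is the one from the report; the config values are illustrative), and the names `KNOWN_LOW_MAPPERS`, `parse_avc`, `triage` and `lsm_floor_above_default` are this example's own.

```python
"""Triage SELinux memprotect/mmap_zero denials and check the kernel-config
condition from comment #3.  Added example; not part of the bug report, Wine
or setroubleshoot.  All sample inputs below are constructed."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample audit log.  Line 1 is the denial from the bug report;
# lines 2-3 are invented variations; line 4 is a non-AVC record to be skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1497666884.922:1427): avc:  denied  { mmap_zero } for  pid=29453 comm="wine-preloader" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect
type=AVC msg=audit(1497670000.001:1500): avc:  denied  { mmap_zero } for  pid=31000 comm="python3" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect
type=AVC msg=audit(1497670001.002:1501): avc:  denied  { read } for  pid=31001 comm="httpd" name="shadow" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1497666884.922:1427): arch=c000003e syscall=9 success=no exit=-1
"""

# Constructed kernel config fragment; the values are illustrative, not taken
# from the reporter's system.
SAMPLE_KERNEL_CONFIG = """\
CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
CONFIG_LSM_MMAP_MIN_ADDR=65536
"""

# Executables known to map the low 64 KiB on purpose (Wine's DOS area, per the thread).
KNOWN_LOW_MAPPERS = {"wine-preloader"}

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
CONFIG_RE = re.compile(r'^(CONFIG_(?:DEFAULT|LSM)_MMAP_MIN_ADDR)=(\d+)\s*$', re.M)


@dataclass
class AvcRecord:
    timestamp: float
    serial: int
    result: str      # "denied" or "granted"
    perms: list      # permissions listed inside { ... }, e.g. ["mmap_zero"]
    pid: int
    comm: str        # executable name as logged, quotes stripped
    scontext: str
    tcontext: str
    tclass: str


def _context_type(ctx):
    """Return the type (third field) of an SELinux context string."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx


def parse_avc(line):
    """Parse one raw audit line; return an AvcRecord or None if it is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if any(k not in kv for k in ("pid", "comm", "scontext", "tcontext", "tclass")):
        return None
    return AvcRecord(float(m.group("ts")), int(m.group("serial")), m.group("result"),
                     m.group("perms").split(), int(kv["pid"]), kv["comm"],
                     kv["scontext"], kv["tcontext"], kv["tclass"])


def setroubleshoot_key(rec):
    """Signature in the form setroubleshoot prints on its 'Hash:' line."""
    return ",".join([rec.comm, _context_type(rec.scontext), _context_type(rec.tcontext),
                     rec.tclass, rec.perms[0]])


def classify(rec):
    """benign: the documented Wine low-memory mapping; investigate: any other
    process denied mmap_zero; other: unrelated denials."""
    if rec.result != "denied":
        return "granted"
    if rec.tclass == "memprotect" and "mmap_zero" in rec.perms:
        return "benign" if rec.comm in KNOWN_LOW_MAPPERS else "investigate"
    return "other"


def triage(lines):
    """Group AVC records by setroubleshoot key -> (verdict, count)."""
    counts, verdicts = Counter(), {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = setroubleshoot_key(rec)
        counts[key] += 1
        verdicts[key] = classify(rec)
    return {k: (verdicts[k], counts[k]) for k in counts}


def mmap_min_addr_settings(config_text):
    """Return {option: value} for the two mmap_min_addr build options present."""
    return {k: int(v) for k, v in CONFIG_RE.findall(config_text)}


def lsm_floor_above_default(config_text):
    """True when CONFIG_DEFAULT_MMAP_MIN_ADDR < CONFIG_LSM_MMAP_MIN_ADDR (the
    condition the thread names); None if either option is missing."""
    s = mmap_min_addr_settings(config_text)
    if "CONFIG_DEFAULT_MMAP_MIN_ADDR" not in s or "CONFIG_LSM_MMAP_MIN_ADDR" not in s:
        return None
    return s["CONFIG_DEFAULT_MMAP_MIN_ADDR"] < s["CONFIG_LSM_MMAP_MIN_ADDR"]


if __name__ == "__main__":
    for key, (verdict, n) in triage(SAMPLE_AUDIT_LOG.splitlines()).items():
        print(f"{verdict:12} x{n}  {key}")
    print("DEFAULT < LSM mmap_min_addr:", lsm_floor_above_default(SAMPLE_KERNEL_CONFIG))
```

On a live system the same functions take the output of `ausearch -c 'wine-preloader' --raw` (the command the sealert text itself suggests) and the contents of `/boot/config-$(uname -r)` in place of the constructed samples; `KNOWN_LOW_MAPPERS` is the one piece of local policy in the script, so an `mmap_zero` denial from anything not in that set stays marked for investigation rather than being waved through with the Wine case.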


[Bug 43192] wine-preloader shows SELinux warning when kernel is compiled with CONFIG_DEFAULT_MMAP_MIN_ADDR < CONFIG_LSM_MMAP_MIN_ADDR

Wine - Bugs mailing list
https://bugs.winehq.org/show_bug.cgi?id=43192

--- Comment #4 from Todd Chester <[hidden email]> ---
No symptom change on wine-patched-staging-2.10-3.tar.gz.  Still get thirteen
SELinux security alerts every time I start a wine program.




[Bug 43192] wine-preloader shows SELinux warning when kernel is compiled with CONFIG_DEFAULT_MMAP_MIN_ADDR < CONFIG_LSM_MMAP_MIN_ADDR

Wine - Bugs mailing list
https://bugs.winehq.org/show_bug.cgi?id=43192

--- Comment #5 from Sebastian Lackner <[hidden email]> ---
(In reply to Todd Chester from comment #4)
> No symptom change on wine-patched-staging-2.10-3.tar.gz.  Still get thirteen
> SE Linux security alerts every time I start a wine program

The 2.10-3 update only contains fixes related to the macOS preloader. This
particular issue is harmless, and not even really a bug - as I stated above it
is intentional that Wine tries to use this area. You will have to wait for
2.11, which will be released in about a week.




[Bug 43192] wine-preloader shows SELinux warning when kernel is compiled with CONFIG_DEFAULT_MMAP_MIN_ADDR < CONFIG_LSM_MMAP_MIN_ADDR

Wine - Bugs mailing list
https://bugs.winehq.org/show_bug.cgi?id=43192

Todd Chester <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|UNCONFIRMED                 |RESOLVED

--- Comment #6 from Todd Chester <[hidden email]> ---
Verified corrected in wine-patched-staging-2.11.tar.gz

Awesome!  Thank you!
