https://bugs.winehq.org/show_bug.cgi?id=43192
Bug ID: 43192
Summary: Wine Staging 2.10 run afoul of SELinux
Product: Wine-staging
Version: 2.10
Hardware: x86
OS: Linux
Status: UNCONFIRMED
Severity: major
Priority: P2
Component: -unknown
Assignee: wine-bugs@winehq.org
Reporter: ToddAndMargo@zoho.com
CC: erich.e.hoover@wine-staging.com, michael@fds-team.de, sebastian@fds-team.de
Distribution: ---
Wine Staging 2.10 is annoying SELinux:
SELinux is preventing /usr/local/bin/wine-preloader from mmap_zero access on the memprotect Unknown.
***** Plugin mmap_zero (53.1 confidence) suggests *************************
If you do not think /usr/local/bin/wine-preloader should need to mmap low memory in the kernel. Then you may be under attack by a hacker, this is a very dangerous access. Do contact your security administrator and report this issue.
***** Plugin catchall_boolean (42.6 confidence) suggests ******************
If you want to allow mmap to low allowed Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean. You can read 'None' man page for more details. Do setsebool -P mmap_low_allowed 1
***** Plugin catchall (5.76 confidence) suggests **************************
If you believe that wine-preloader should be allowed mmap_zero access on the Unknown memprotect by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'wine-preloader' --raw | audit2allow -M my-winepreloader # semodule -i my-winepreloader.pp
Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                Unknown [ memprotect ]
Source                        wine-preloader
Source Path                   /usr/local/bin/wine-preloader
Port                          <Unknown>
Host                          rn4.rent-a-nerd.local
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-102.el7_3.16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     rn4.rent-a-nerd.local
Platform                      Linux rn4.rent-a-nerd.local 3.10.0-514.6.1.el7.x86_64 #1 SMP Tue Jan 17 11:12:41 CST 2017 x86_64 x86_64
Alert Count                   35
First Seen                    2017-03-01 19:29:13 PST
Last Seen                     2017-06-16 19:34:44 PDT
Local ID                      ea843281-ca8b-4658-bdfb-4d6bcdadbb9c

Raw Audit Messages
type=AVC msg=audit(1497666884.922:1427): avc: denied { mmap_zero } for pid=29453 comm="wine-preloader" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect
Hash: wine-preloader,unconfined_t,unconfined_t,memprotect,mmap_zero
Michael Müller michael@fds-team.de changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
       Severity|major                       |normal
        Product|Wine-staging                |Wine
        Summary|Wine Staging 2.10 run afoul |Wine 2.10 run afoul of
               |of SELinux                  |SELinux
      Component|-unknown                    |-unknown
--- Comment #1 from Michael Müller michael@fds-team.de --- This behavior is expected. Wine needs to allocate the first megabyte in the address space to run DOS software in the vm8086 mode. If you do not need to use any DOS software, you can deny access to the low memory area and the rest of Wine will still work.
This feature is not limited to Wine Staging, so moving to Wine product.
--- Comment #2 from Todd Chester ToddAndMargo@zoho.com ---
(In reply to Michael Müller from comment #1)
> This behavior is expected. Wine needs to allocate the first megabyte in the address space to run DOS software in the vm8086 mode. If you do not need to use any DOS software, you can deny access to the low memory area and the rest of Wine will still work.
>
> This feature is not limited to Wine Staging, so moving to Wine product.
Q. If this is expected, why did it start occurring in 2.10 and not in 2.9?
Sebastian Lackner sebastian@fds-team.de changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
        Summary|Wine 2.10 run afoul of      |wine-preloader shows
               |SELinux                     |SELinux warning when kernel
               |                            |is compiled with
               |                            |CONFIG_DEFAULT_MMAP_MIN_ADDR <
               |                            |CONFIG_LSM_MMAP_MIN_ADDR
      Component|-unknown                    |-unknown
        Product|Wine                        |Wine-staging
--- Comment #3 from Sebastian Lackner sebastian@fds-team.de --- I have added a patch to workaround this warning, so it will disappear again with the next release. Please note that the warning is harmless, and can be safely ignored.
Even before 2.10, Wine already tried to allocate this memory region, which is necessary for running DOS applications. A failure is not critical, except that you will lack support for running such apps. The warning appeared because of a change related to the preloader on macOS. We split the allocation of the DOS area (0x0 - 0x10000) into two separate allocations.
Although both methods are technically identical, the SELinux code is written in such a way that only the new method will trigger a warning. By looking at the kernel code, it only seems to affect kernel versions compiled with CONFIG_DEFAULT_MMAP_MIN_ADDR < CONFIG_LSM_MMAP_MIN_ADDR.
--- Comment #4 from Todd Chester ToddAndMargo@zoho.com --- No symptom change on wine-patched-staging-2.10-3.tar.gz. Still get thirteen SELinux security alerts every time I start a wine program
--- Comment #5 from Sebastian Lackner sebastian@fds-team.de ---
(In reply to Todd Chester from comment #4)
> No symptom change on wine-patched-staging-2.10-3.tar.gz. Still get thirteen SELinux security alerts every time I start a wine program
The 2.10-3 update only contains fixes related to the macOS preloader. This particular issue is harmless, and not even really a bug - as I stated above it is intentional that Wine tries to use this area. You will have to wait for 2.11, which will be released in about a week.
Todd Chester ToddAndMargo@zoho.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
     Resolution|---                         |FIXED
         Status|UNCONFIRMED                 |RESOLVED
--- Comment #6 from Todd Chester ToddAndMargo@zoho.com --- Verified corrected in wine-patched-staging-2.11.tar.gz
Awesome! Thank you!
Alistair Leslie-Hughes leslie_alistair@hotmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Status|RESOLVED                    |CLOSED
--- Comment #7 from Alistair Leslie-Hughes leslie_alistair@hotmail.com --- Closing Fixed Staging 3.14