SELinux warning

  • SELinux warning

    When I run BC3 (3.3.8 build 16360) on Fedora19 with Cinnamon, this is what I get (also the extension on Nemo does not work).


    SELinux is preventing /usr/lib/beyondcompare/BCompare from mmap_zero access on the memprotect .

    ***** Plugin mmap_zero (53.1 confidence) suggests **************************

    If you do not think /usr/lib/beyondcompare/BCompare should need to mmap low memory in the kernel.
    Then you may be under attack by a hacker, this is a very dangerous access.
    Do
    contact your security administrator and report this issue.

    ***** Plugin catchall_boolean (42.6 confidence) suggests *******************

    If you want to control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr.
    Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean.
    You can read 'unconfined_selinux' man page for more details.
    Do
    setsebool -P mmap_low_allowed 1

    ***** Plugin catchall (5.76 confidence) suggests ***************************

    If you believe that BCompare should be allowed mmap_zero access on the memprotect by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # grep BCompare /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

    Additional Information:
    Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    Target Objects [ memprotect ]
    Source BCompare
    Source Path /usr/lib/beyondcompare/BCompare
    Port <Unknown>
    Host localhost.localdomain
    Source RPM Packages bcompare-3.3.8-16340.i386
    Target RPM Packages
    Policy RPM selinux-policy-3.12.1-73.fc19.noarch
    Selinux Enabled True
    Policy Type targeted
    Enforcing Mode Enforcing
    Host Name localhost.localdomain
    Platform Linux localhost.localdomain 3.10.9-200.fc19.x86_64
    #1 SMP Wed Aug 21 19:27:58 UTC 2013 x86_64 x86_64
    Alert Count 2
    First Seen 2013-09-04 13:00:29 MDT
    Last Seen 2013-09-04 13:19:42 MDT
    Local ID 30550716-593d-4a35-af25-a62d783c27d6

    Raw Audit Messages
    type=AVC msg=audit(1378322382.485:2700): avc: denied { mmap_zero } for pid=28739 comm="BCompare" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect


    type=SYSCALL msg=audit(1378322382.485:2700): arch=i386 syscall=lgetxattr per=400000 success=no exit=EACCES a0=0 a1=ffff a2=0 a3=32 items=0 ppid=28728 pid=28739 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=204 tty=(none) comm=BCompare exe=/usr/lib/beyondcompare/BCompare subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

    Hash: BCompare,unconfined_t,unconfined_t,memprotect,mmap_zero
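
The raw audit messages in the post above can be paired by event id and decoded to see what was actually requested. This is an added example, not part of the original post or of any Scooter Software code; the function names are hypothetical, and it assumes the denied call is an mmap-family syscall (number 192 is `lgetxattr` on x86_64 but `mmap2` on i386), so `a0`..`a3` are read as address, length, protection and flags.

```python
import re

# Constructed sample: the two raw audit records from the post, trimmed.
RECORDS = [
    'type=AVC msg=audit(1378322382.485:2700): avc: denied { mmap_zero } for '
    'pid=28739 comm="BCompare" '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect',
    'type=SYSCALL msg=audit(1378322382.485:2700): arch=i386 syscall=lgetxattr '
    'success=no exit=EACCES a0=0 a1=ffff a2=0 a3=32 pid=28739 uid=1000 '
    'comm=BCompare exe=/usr/lib/beyondcompare/BCompare',
]
MMAP_FLAGS = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE",
              0x10: "MAP_FIXED", 0x20: "MAP_ANONYMOUS"}

def parse(line):
    """Return (event_id, fields) for one raw audit record."""
    event_id = re.search(r"msg=audit\(([^)]+)\)", line).group(1)
    fields = {k: v.strip('"')
              for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    perms = re.search(r"\{ ([^}]+) \}", line)
    fields["perms"] = perms.group(1).split() if perms else []
    return event_id, fields

def triage(lines):
    """Pair AVC and SYSCALL records by event id; decode mmap_zero denials."""
    events = {}
    for line in lines:
        event_id, fields = parse(line)
        events.setdefault(event_id, {})[fields["type"]] = fields
    findings = []
    for event_id, recs in events.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if not (avc and sc and "mmap_zero" in avc["perms"]):
            continue
        # Assumption: mmap_zero is checked on the mmap path, so the hex args
        # a0..a3 are addr, length, prot, flags (i386 syscall 192 is mmap2).
        addr, length, prot, flags = (int(sc[a], 16) for a in ("a0", "a1", "a2", "a3"))
        findings.append({
            "event": event_id, "exe": sc["exe"], "arch": sc["arch"],
            "domain": avc["scontext"].split(":")[2],
            "addr": addr, "length": length,
            "prot_exec": bool(prot & 0x4),  # PROT_EXEC bit
            "flags": [n for bit, n in MMAP_FLAGS.items() if flags & bit],
        })
    return findings

if __name__ == "__main__":
    print(triage(RECORDS))
```

On the sample, the decoded request is a fixed, anonymous, non-executable mapping of 0xffff bytes at address 0 from a 32-bit process in `unconfined_t`, which is the context to record before deciding between the `mmap_low_allowed` boolean, a local policy module, or a fix on the application side.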

  • #2
    This seems to be a bug as it may be dangerous to run beyond compare under conditions not allowed by SELINUX.

    I suggest that the scootersoftware developers at least give some feedback to the community in order to avoid customer frustration.

    I am waiting for scootersoftware feedback.



    • #3
      Hello,

      On my test Fedora 19 default system without Cinnamon, and SELinux enabled by default, I do not see any error messages during install or running the application.

      Once I install Cinnamon, the installation works, and if running as root I see a quick SELinux warning, and then the application works as expected. When running as a normal user, I do not see any errors.

      Was there any additional setup or customization that you've performed that I should replicate to try and see the SELinux errors?

      And to verify, we did have this issue in an earlier version of BC3, but BC 3.3.8 should handle SELinux. If you redownload and install using the 3.3.8 .rpm, does this help?
      Aaron P Scooter Software



      • #4
        Reproducing on fc20 with 3.3.8

        Hi,

        I'm having the same problem on Fedora 20 amd64 with Xfce. The SELinux alert pops up every time a bcompare process is spawned, immediately after that.

        I have installed the OS on a new machine (new job) about two weeks ago and then BC within a few days. I'm also quite sure this has been happening since the very first run of BC, since that was my first encounter with SELinux.

        Originally posted by Aaron
        Once I install Cinnamon, the installation works, and if running as root I see a quick SELinux warning, and then the application works as expected. When running as a normal user, I do not see any errors.
        In my case I'm running as a normal user, but it might be worth mentioning I am a member of the wheel group.

        And well, it's i386 on x86_64...

        Originally posted by Aaron
        Was there any additional setup or customization that you've performed that I should replicate to try and see the SELinux errors?

        And to verify, we did have this issue in an earlier version of BC3, but BC 3.3.8 should handle SELinux. If you redownload and install using the 3.3.8 .rpm, does this help?
        As above, and I still have the RPM from which I installed and it's MD5-same as the one in download links.

        Some more details follow, strace is attached:

        Code:
        $ rpm -q 
        bcompare-3.3.8-16340.i386
        $ uname -a
        Linux mybox 3.11.10-301.fc20.x86_64 #1 SMP Thu Dec 5 14:01:17 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
        $ id -a
        uid=12345(me) gid=12345(me) groups=12345(me),10(wheel),986(wireshark) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
        Hope this helps.
        aL.



        • #5
          Thanks for the report and details. I've attempted to reproduce this with Fedora 20 now, and I am seeing the security prompt sometimes. I'll open a tracker entry to investigate.
          Aaron P Scooter Software



          • #6
            We've reproduced this and I think we've figured it out. If SELinux 32bit is not on your machine, we can hit this. Use:
            yum provides libselinux.so.1
            to find out which package is needed, then install the i686 or i386 version of that package. This should place a libselinux.so.1 into your /usr/lib directory (where, likely, there is one in your lib64 directory). Once the 32bit version is in place, BC3 should then be able to avoid this behavior.

            We'll look into getting the 32bit libselinux.so.1 as part of our normal install process, too.
            Aaron P Scooter Software
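
One way to check for the condition described in this post, as an added example that is not from the post or from Scooter Software: read the ELF class byte of the binary and look for a `libselinux.so.1` of the same class in the library directories. The function names and the temporary directory tree built by `demo()` are constructed for illustration.

```python
import os
import tempfile

ELF_CLASS = {1: "32-bit", 2: "64-bit"}  # values of e_ident[EI_CLASS]

def elf_class(path):
    """Return '32-bit' or '64-bit' for an ELF file, or None if it is not ELF."""
    with open(path, "rb") as fh:
        ident = fh.read(5)
    if len(ident) < 5 or ident[:4] != b"\x7fELF":
        return None
    return ELF_CLASS.get(ident[4])

def matching_library(binary, soname, lib_dirs):
    """Return the first copy of soname whose ELF class matches the binary."""
    want = elf_class(binary)
    if want is None:
        raise ValueError(f"{binary} is not a recognised ELF file")
    for lib_dir in lib_dirs:
        candidate = os.path.join(lib_dir, soname)
        if os.path.isfile(candidate) and elf_class(candidate) == want:
            return candidate
    return None  # only a library of the other class (or none) is installed

def demo():
    """Constructed tree: 32-bit binary with a 64-bit library only, then the fix."""
    root = tempfile.mkdtemp()

    def put(rel, cls):
        # Write a minimal 16-byte e_ident header; enough for elf_class().
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\x7fELF" + bytes([cls]) + b"\x00" * 11)
        return path

    binary = put("usr/lib/beyondcompare/BCompare", 1)
    put("usr/lib64/libselinux.so.1", 2)
    dirs = [os.path.join(root, "usr/lib"), os.path.join(root, "usr/lib64")]
    before = matching_library(binary, "libselinux.so.1", dirs)
    fixed = put("usr/lib/libselinux.so.1", 1)  # the 32-bit package installed
    after = matching_library(binary, "libselinux.so.1", dirs)
    return before, after, fixed

if __name__ == "__main__":
    print(demo()[:2])
```

On a real system the call would be `matching_library("/usr/lib/beyondcompare/BCompare", "libselinux.so.1", ["/usr/lib", "/usr/lib64"])`; a result of `None` corresponds to the missing 32-bit library the post describes.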



            • #7
              Hi Aaron, I have followed your advice and indeed it worked. It's been some time now that I don't get the prompts.

              Thanks!
