12-28-2009, 10:21 PM
Kirk Lowery

vbetool denied

I'm running a newly installed, up-to-date Fedora 12 box. Is there any reason why vbetools is denied? From dmesg:

type=1400 audit(1262025694.652:4): avc: denied { mmap_zero } for pid=598 comm="vbetool" scontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tcontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tclass=memprotect

Is this a problem with my local system, or a more general bug? And what is the best way to fix this?

TIA!

Kirk

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
12-29-2009, 09:53 AM
Dominick Grift

vbetool denied

On Mon, Dec 28, 2009 at 06:21:44PM -0500, Kirk Lowery wrote:
> I'm running a newly installed, up-to-date Fedora 12 box. Is there any reason
> why vbetools is denied? From dmesg:
>
> type=1400 audit(1262025694.652:4): avc: denied { mmap_zero } for pid=598
> comm="vbetool" scontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tclass=memprotect
>
> Is this a problem with my local system, or a more general bug? And what is
> the best way to fix this?

setsebool -P mmap_low_allowed on

That would (most likely) allow vbetool and any other program requiring it.

I just ignore that AVC denial on my system. I don't want it to have this access. It still seems to work fine though.

So, it is not really a bug (at least the issue is known). But the permission that is required is disallowed by default. The command I pasted above would allow it.
>
> TIA!
>
> Kirk

 
12-30-2009, 01:25 PM
Daniel J Walsh

vbetool denied

On 12/28/2009 06:21 PM, Kirk Lowery wrote:
> I'm running a newly installed, up-to-date Fedora 12 box. Is there any reason
> why vbetools is denied? From dmesg:
>
> type=1400 audit(1262025694.652:4): avc: denied { mmap_zero } for pid=598
> comm="vbetool" scontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tclass=memprotect
>
> Is this a problem with my local system, or a more general bug? And what is
> the best way to fix this?
>
> TIA!
>
> Kirk
>
There is an open bug on vbetool to not require this access. Some systems need this access in order for suspend/resume to work properly.

mmap_zero has proven to be a way for root privilege escalation when a bug is found in the kernel. Having this boolean off prevents unconfined users from gaining root access.

Turning this on removes this protection.

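An added example, not part of the thread or of Fedora's tooling: a shell function that summarises mmap_zero denials per command and SELinux domain, so the affected programs can be reviewed before deciding about the mmap_low_allowed boolean discussed above. The sample log is constructed apart from its first record, which is the one from the thread; `exampled` and `exampled_t` are hypothetical names.

```shell
#!/bin/sh
# Added example: summarise mmap_zero AVC denials per command and SELinux domain.

# Reads dmesg/audit text on stdin; prints "count comm domain", one pair per line.
# Assumes comm values contain no spaces (true for the record in this thread).
mmap_zero_denials() {
    LC_ALL=C awk '
    /avc:/ && /denied/ && / mmap_zero / && /tclass=memprotect/ {
        comm = "?"; dom = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/) { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            # scontext is user:role:type:level; the type is the domain
            if ($i ~ /^scontext=/) { split($i, ctx, ":"); dom = ctx[3] }
        }
        seen[comm " " dom]++
    }
    END { for (k in seen) print seen[k], k }' | LC_ALL=C sort -k2
}

# Prints the value of the global boolean ("on"/"off"), or "unavailable"
# when getsebool is missing or SELinux is not active.
mmap_low_state() {
    state=$(getsebool mmap_low_allowed 2>/dev/null | awk '{ print $NF }')
    echo "${state:-unavailable}"
}

# Constructed sample: record 1 is the one quoted in the thread; records 2-4
# are made up for the demo (exampled/exampled_t are hypothetical names).
SAMPLE_LOG='type=1400 audit(1262025694.652:4): avc: denied { mmap_zero } for pid=598 comm="vbetool" scontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tcontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tclass=memprotect
type=1400 audit(1262025999.100:9): avc: denied { mmap_zero } for pid=702 comm="vbetool" scontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tcontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tclass=memprotect
type=1400 audit(1262026000.200:10): avc: denied { mmap_zero } for pid=810 comm="exampled" scontext=system_u:system_r:exampled_t:s0 tcontext=system_u:system_r:exampled_t:s0 tclass=memprotect
type=1400 audit(1262026001.300:11): avc: denied { read } for pid=811 comm="exampled" name="x" scontext=system_u:system_r:exampled_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file'

printf '%s\n' "$SAMPLE_LOG" | mmap_zero_denials
echo "mmap_low_allowed: $(mmap_low_state)"
```

On a live system, pipe `dmesg` or `ausearch -m avc` output into `mmap_zero_denials`.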
 
