pomoc so SElinuxom

Ahojte, keď spustím cez wine program pokerstars ta mi vypíše SElinux následovné:
SELinux is preventing wine-preloader from mmap_zero access on the memprotect .

***** Plugin mmap_zero (53.1 confidence) suggests **************************

If you do not think wine-preloader should need to mmap low memory in the kernel.
Then you may be under attack by a hacker, this is a very dangerous access.
Do
contact your security administrator and report this issue.

***** Plugin catchall_boolean (42.6 confidence) suggests *******************

If you want to mmap_low_allowed
Then you must tell SELinux about this by enabling the ‘mmap_low_allowed’ boolean.You can read ‘wine_selinux’ man page for more details.
Do
setsebool -P mmap_low_allowed 1

***** Plugin catchall (5.76 confidence) suggests ***************************

If you believe that wine-preloader should be allowed mmap_zero access on the memprotect by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:

grep wine-preloader /var/log/audit/audit.log | audit2allow -M mypol

semodule -i mypol.pp

Additional Information:
Source Context unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023
Target Context unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023
Target Objects [ memprotect ]
Source wine-preloader
Source Path wine-preloader
Port <Neznáme>
Host amd-pc
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.10.0-128.fc17.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name amd-pc
Platform Linux amd-pc 3.4.0-1.fc17.x86_64 #1 SMP Sun Jun 3
06:35:17 UTC 2012 x86_64 x86_64
Alert Count 7
First Seen St 13. jún 2012, 15:22:48 CEST
Last Seen St 13. jún 2012, 15:23:11 CEST
Local ID a4457ab7-a2e2-47e4-9ab0-cd82957e473f

Raw Audit Messages
type=AVC msg=audit(1339593791.953:155): avc: denied { mmap_zero } for pid=15152 comm=“wine-preloader” scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect

Hash: wine-preloader,wine_t,wine_t,memprotect,mmap_zero

audit2allowunable to open /sys/fs/selinux/policy: Permission denied

audit2allow -Runable to open /sys/fs/selinux/policy: Permission denied

Chel by som Vás poprosiť o radu, či to mám odignorovať alebo čo s tým mám spraviť.

Díky

Jak ti píše…

grep wine-preloader /var/log/audit/audit.log | audit2allow -M mypol

semodule -i mypol.pp

nebo nastavit SELinux na permissive

setenforce, getenforce a /etc/selinux/config

Dík, a prosím Ťa ako by som ho nastavil na permissive. Neovplyvní mi to bezpečnosť? Alebo má selinux vypnúť (ako, som začiatočník :-))?Ktorú možnosť by ste mi odporúčali?

Ano, prepnuti selinuxu do permissive modu znamena ze bude situaci pouze monitorovat, ale nic nezakaze. Ovlivni to zabezpeceni systemu. Je to ale tvuj OS a muzes si s nim delat co chces. Pokud chces skutecne spustit tuto aplikaci, klidne selinux vypni. Vzdycky je ale potreba se rozmyslet, co tato chyba znamena. Pristup do low mem kernelu normalni aplikace nepotrebuji - ani z wine. Tzn. ja bych v prvni rade povazoval za podezrelou danou aplikaci.