Sunday, November 14th, 2010, 10:08 am

SELinux: Friend or Foe?

A few days ago I started working with Fedora 14. So far, so good, at least as far as the desktop machine goes (a laptop is another story and Kubuntu runs fine on another desktop). Something has just happened in Fedora which never happened to me before. Kate (an editor) got stuck and its memory (RAM) consumption went up through the roof to over 1.5 GB, so obviously it froze the system for a while. The process needed to be forcibly killed.

Now, it’s not entirely clear what happened there (maybe a program bug), but this is unusual and it looks bad for Fedora or for KDE (or the combination in Fedora 14 KDE spin). What did happen is that SELinux came up with an error implying that it stood in Kate’s way and maybe it’s partly responsible for this type of behaviour. It yielded the following error, implying that it was trying to help when in fact it seemed like it only stood in the way.

Summary:

SELinux is preventing /usr/bin/kate (deleted) “mmap_zero” access on <Unknown>.

Detailed Description:

SELinux denied access requested by kate. The current boolean settings do not
allow this access. If you have not setup kate to require this access this may
signal an intrusion attempt. If you do intend this access you need to change the
booleans on this system to allow the access.

Allowing Access:

Confined processes can be configured to run requiring different access, SELinux
provides booleans to allow you to turn on/off access as needed. The boolean
mmap_low_allowed is set incorrectly.
Boolean Description:
Control the ability to mmap a low area of the address space, as configured by
/proc/sys/kernel/mmap_min_addr.

Fix Command:

# setsebool -P mmap_low_allowed 1

Additional Information:

Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects None [ memprotect ]
Source kate
Source Path /usr/bin/kate (deleted)
Port <Unknown>
Host blueberry
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.9.7-3.fc14
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name catchall_boolean
Host Name blueberry
Platform Linux blueberry 2.6.35.6-45.fc14.i686 #1 SMP Mon Oct 18 23:56:17 UTC 2010 i686 i686
Alert Count 112
First Seen Sun 14 Nov 2010 09:35:01 AM GMT
Last Seen Sun 14 Nov 2010 09:35:17 AM GMT
Local ID 4d9759c9-e672-475d-bf61-151d1688909a
Line Numbers

Raw Audit Messages

node=blueberry type=AVC msg=audit(1289727317.378:856): avc: denied { mmap_zero } for pid=1880 comm="kate" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect

node=blueberry type=SYSCALL msg=audit(1289727317.378:856): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=100000 a2=0 a3=4022 items=0 ppid=1629 pid=1880 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="kate" exe=2F7573722F62696E2F6B617465202864656C6574656429 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

For years I’ve been working with no data loss, but this time I had to revert back to a previously-saved version of a document I worked on and then rewrite bits of it. Perhaps I had enough confidence in the system to only hit save (CTRL+S) once in a very long time. This experience has taught me to save my work more often but more importantly it showed that Fedora can act rather bizarrely where Kubuntu never did. As a result of this behaviour I was unable to save my work. SELinux implies there was an “attack” on the system, but obviously there was not.
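The raw SYSCALL record above can be read field by field. The following is an added example, not part of the original post: it decodes the hex-encoded `exe` value and the `mmap2` arguments of that record. The function names and the shortened `RECORD` string are assumptions made for illustration, and the constants are the i386 values from the Linux headers.

```python
import re

# The SYSCALL record from the post, shortened to the fields decoded here.
RECORD = ('node=blueberry type=SYSCALL msg=audit(1289727317.378:856): '
          'arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=100000 '
          'a2=0 a3=4022 items=0 ppid=1629 pid=1880 auid=500 uid=500 '
          'exe=2F7573722F62696E2F6B617465202864656C6574656429')

# i386 values from the Linux UAPI headers; only what this record needs.
AUDIT_ARCH_I386 = 0x40000003
I386_SYSCALLS = {192: "mmap2"}
PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED",
       0x20: "MAP_ANONYMOUS", 0x4000: "MAP_NORESERVE"}
ERRNO = {1: "EPERM", 12: "ENOMEM", 13: "EACCES"}


def flag_names(value, table, zero_name):
    """Expand a bitmask into names; unknown bits are kept as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append(hex(unknown))
    return names or [zero_name]


def decode_mmap_record(line):
    """Decode an i386 mmap2 SYSCALL audit record into readable fields."""
    f = dict(re.findall(r'(\w+)=(\S+)', line))
    if int(f["arch"], 16) != AUDIT_ARCH_I386:
        raise ValueError("only i386 records are handled")
    name = I386_SYSCALLS.get(int(f["syscall"]))
    if name is None:
        raise ValueError("not an mmap2 record")
    a0, a1, a2, a3 = (int(f["a%d" % i], 16) for i in range(4))  # logged in hex
    exe = f["exe"]
    # auditd hex-encodes strings containing spaces or quotes; plain ones are quoted.
    if re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', exe):
        exe = bytes.fromhex(exe).decode("utf-8", "replace")
    exit_code = int(f["exit"])
    return {
        "syscall": name, "addr_hint": a0, "length": a1,
        "prot": flag_names(a2, PROT, "PROT_NONE"),
        "flags": flag_names(a3, MAP, "0"),
        "fixed_address": bool(a3 & 0x10),
        "exe": exe.strip('"'),
        "error": ERRNO.get(-exit_code, str(exit_code)) if exit_code < 0 else None,
    }


if __name__ == "__main__":
    for key, value in decode_mmap_record(RECORD).items():
        print(f"{key:14} {value}")
```

Decoded, the record is a 1 MiB anonymous private `mmap2` with a NULL address hint, `PROT_NONE` and no `MAP_FIXED`, which failed with `EACCES`: the caller left placement to the kernel rather than asking for a fixed low address.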

3 Responses to “SELinux: Friend or Foe?”

  1. oiaohm Says:

    mmap_zero kate should never need to touch that. There was a code bug for sure.

    Question how to trigger it again.

    I have seen Kubuntu do equally strange things to me. Most likely mmap_zero event has happened because kate could not allocate memory. Something else most likely filled memory and got done in by OOM-killer.

    Yes still a bug in kate. Kate should handle out of memory better and not try to unallocate never allocated

  2. oiaohm Says:

    Problem to say selinux is like a canary in a coal mine it might point you in the wrong direction but that does not mean your system was not attacked by something. Runaway program.

  3. Roy Schestowitz Says:

    oiaohm,

    OK, thanks. I will try to reproduce the error in days to come. It’s just that I’ve never (in several years) seen Kate do anything like this. It’s darn stable.
