Sunday, November 14th, 2010, 10:08 am
SELinux: Friend or Foe?
few days ago I started working with Fedora 14. So far, so good, at least as far as the desktop machine goes (a laptop is another story and Kubuntu runs fine on another desktop). Something has just happened in Fedora which never happened to me before. Kate (an editor) got stuck and its memory (RAM) consumption went up through the roof to over 1.5 GB, so obviously it froze the system for a while. The process needed to be forcibly killed.
Now, it’s not entirely clear what happened there (maybe a program bug), but this is unusual and it looks bad for Fedora or for KDE (or the combination in Fedora 14 KDE spin). What did happen is that SELinux came up with an error implying that it stood in Kate’s way and maybe it’s partly responsible for this type of behaviour. It yielded the following error, implying that it was trying to help when in fact it seemed like it only stood in the way.
Summary:
SELinux is preventing /usr/bin/kate (deleted) “mmap_zero” access on <Unknown>.
Detailed Description:
SELinux denied access requested by kate. The current boolean settings do not
allow this access. If you have not setup kate to require this access this may
signal an intrusion attempt. If you do intend this access you need to change the
booleans on this system to allow the access.Allowing Access:
Confined processes can be configured to run requiring different access, SELinux
provides booleans to allow you to turn on/off access as needed. The boolean
mmap_low_allowed is set incorrectly.
Boolean Description:
Control the ability to mmap a low area of the address space, as configured by
/proc/sys/kernel/mmap_min_addr.Fix Command:
# setsebool -P mmap_low_allowed 1
Additional Information:
Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
023
Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
023
Target Objects None [ memprotect ]
Source kate
Source Path /usr/bin/kate (deleted)
Port <Unknown>
Host blueberry
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.9.7-3.fc14
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name catchall_boolean
Host Name blueberry
Platform Linux blueberry 2.6.35.6-45.fc14.i686 #1 SMP Mon
Oct 18 23:56:17 UTC 2010 i686 i686
Alert Count 112
First Seen Sun 14 Nov 2010 09:35:01 AM GMT
Last Seen Sun 14 Nov 2010 09:35:17 AM GMT
Local ID 4d9759c9-e672-475d-bf61-151d1688909a
Line NumbersRaw Audit Messages
node=blueberry type=AVC msg=audit(1289727317.378:856): avc: denied { mmap_zero } for pid=1880 comm=”kate” scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect
node=blueberry type=SYSCALL msg=audit(1289727317.378:856): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=100000 a2=0 a3=4022 items=0 ppid=1629 pid=1880 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=”kate” exe=2F7573722F62696E2F6B617465202864656C6574656429 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
For years I’ve been working with no data loss, but this time I had to revert back to a previously-saved version of a document I worked on and then rewrite bits of it. Perhaps I had enough confidence in the system to only hit save (CTRL+S) once in a very long time. This experience has taught me to save my work more often but more importantly it showed that Fedora can act rather bizarrely where Kubuntu never did. As a result of this behaviour I was unable to save my work. SELinux implies there was an “attack” on the system, but obviously there was not.
November 14th, 2010 at 2:44 pm
mmap_zero kate should never need to touch that. There was a code bug for sure.
Question how to trigger it again.
I have seen Kubuntu to equally strange things to me. Most likely mmap_zero event has happened because kate could not allocate memory. Something else most likely filled memory and got done in by OOM-killer.
Yes still a bug in kate. Kate should handle out of memory better and not tried to unallocate never allocated
November 14th, 2010 at 2:47 pm
Problem to say selinux is like a cannary in a coal mine it might point you in the wrong direction but that does not mean you system was not attacked by something. Run away program.
November 14th, 2010 at 8:02 pm
oiaohm,
OK, thanks. I will try to reproduce the error in days to come. It’s just that I’ve never (in several years) seen Kate do anything like this. It’s darn stable.