Deciphering an SELinux warning

I have an SELinux warning: “SELinux is preventing check from mmap_zero access on the memprotect labeled spc_t.” When I google this I don’t find anything obviously the same. How can I determine if this is a serious breach or not? I don’t see how I actually can find out what check is. Full SELinux output below.

*****  Plugin mmap_zero (53.1 confidence) suggests   *************************

If you do not think check should need to mmap low memory in the kernel.
Then you may be under attack by a hacker, this is a very dangerous access.
Do
contact your security administrator and report this issue.

*****  Plugin catchall_boolean (42.6 confidence) suggests   ******************

If you want to allow mmap to low allowed
Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean.

Do
setsebool -P mmap_low_allowed 1

*****  Plugin catchall (5.76 confidence) suggests   **************************

If you believe that check should be allowed mmap_zero access on memprotect labeled spc_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'check' --raw | audit2allow -M my-check
# semodule -X 300 -i my-check.pp

Additional Information:
Source Context                system_u:system_r:spc_t:s0
Target Context                system_u:system_r:spc_t:s0
Target Objects                Unknown [ memprotect ]
Source                        check
Source Path                   check
Port                          <Unknown>
Host                          fedora
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-36.17-1.fc36.noarch
Local Policy RPM              container-selinux-2.199.0-1.fc36.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora
Platform                      Linux fedora 6.1.10-100.fc36.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Mon Feb  6 19:58:39 UTC 2023
                              x86_64 x86_64
Alert Count                   60
First Seen                    2023-02-14 22:54:15 CET
Last Seen                     2023-02-14 22:54:15 CET
Local ID                      1ad5dfc6-2b85-422c-9f31-0fee1cf5f868

Raw Audit Messages
type=AVC msg=audit(1676411655.509:366): avc:  denied  { mmap_zero } for  pid=2984 comm="check" scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:spc_t:s0 tclass=memprotect permissive=0


Hash: check,spc_t,spc_t,memprotect,mmap_zero

mmap_zero allows access to an area of memory that a hacker could potentially use to gain unlimited access to your system. It looks like spc_t is a label that is mainly used by (docker?) containers. So I guess your question is, “Should I allow my Docker containers access to memory ranges that can be used to exploit the host system?” Unless this SELinux error is causing something that you really need not to work, you probably shouldn’t allow that access. That said, there appear to be a handful of programs that do require it to function.

From Dan Walsh’s Blog – Confining the unconfined. Oxymoron?:

The only confined applications that have the mmap_zero privilege in RHEL5 are vbetool, xdm, xserver and wine.

See also: https://lwn.net/Articles/342573/

P.S. This comment on a bug report appears to indicate that you could silence these SELinux messages (without granting the privilege) by running the following command.

# dontaudit spc_t self:memprotect mmap_zero
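For triaging an alert like the one in the question, the raw AVC line carries the fields needed to follow up. The following is an added example, not part of the original posts: a small Python parser that extracts the PID, command name, SELinux types, event serial and timestamp from that record and notes whether the access was actually blocked. The function names `parse_avc` and `triage` are assumptions made for this example.

```python
import re
from datetime import datetime, timezone

# Raw AVC record copied from the alert in the question.
SAMPLE = ('type=AVC msg=audit(1676411655.509:366): avc:  denied  { mmap_zero } '
          'for  pid=2984 comm="check" scontext=system_u:system_r:spc_t:s0 '
          'tcontext=system_u:system_r:spc_t:s0 tclass=memprotect permissive=0')

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<kv>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one raw AVC record as a dict, or None if no match."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('kv'))}
    rec['result'] = m.group('result')
    rec['perms'] = m.group('perms').split()
    rec['serial'] = int(m.group('serial'))
    rec['time_utc'] = datetime.fromtimestamp(float(m.group('epoch')), tz=timezone.utc)
    # Contexts are user:role:type:level; the type is what policy rules refer to.
    rec['source_type'] = rec['scontext'].split(':')[2]
    rec['target_type'] = rec['tcontext'].split(':')[2]
    return rec

def triage(rec):
    """Summarise what a responder needs to know about one denial."""
    notes = []
    if rec['tclass'] == 'memprotect' and 'mmap_zero' in rec['perms']:
        notes.append('low-memory mapping attempt')
    # permissive=1 means the denial was only logged and the access went ahead.
    blocked = rec['result'] == 'denied' and rec.get('permissive') == '0'
    notes.append('blocked' if blocked else 'NOT blocked')
    if rec['scontext'] == rec['tcontext']:
        notes.append('process acting on itself')
    return notes

if __name__ == '__main__':
    r = parse_avc(SAMPLE)
    print(r['time_utc'].isoformat(), 'pid', r['pid'], 'comm', r['comm'],
          r['source_type'], r['perms'], 'serial', r['serial'], triage(r))
```

The serial (366 here) identifies the audit event; `ausearch -a 366` returns every record logged for that event, which includes the executable path when a SYSCALL record was written alongside the AVC.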