SELinux is preventing check from mmap_zero on the memprotect labeled spc_t

cyber-syntax · June 7, 2023, 3:28pm

Same error with this topic:

I’m not having problems with any application at the moment, but I would like to fix this as I don’t want hackers to take advantage of it.

SELinux is preventing check from mmap_zero access on the memprotect labeled spc_t.

*****  Plugin mmap_zero (53.1 confidence) suggests   *************************

If you do not think check should need to mmap low memory in the kernel.
Then you may be under attack by a hacker, this is a very dangerous access.
Do
contact your security administrator and report this issue.

*****  Plugin catchall_boolean (42.6 confidence) suggests   ******************

If you want to allow mmap to low allowed
Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean.

Do
setsebool -P mmap_low_allowed 1

*****  Plugin catchall (5.76 confidence) suggests   **************************

If you believe that check should be allowed mmap_zero access on memprotect labeled spc_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'check' --raw | audit2allow -M my-check
# semodule -X 300 -i my-check.pp


Additional Information:
Source Context                system_u:system_r:spc_t:s0
Target Context                system_u:system_r:spc_t:s0
Target Objects                Unknown [ memprotect ]
Source                        check
Source Path                   check
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-38.15-1.fc38.noarch
Local Policy RPM              selinux-policy-targeted-38.15-1.fc38.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora
Platform                      Linux fedora 6.3.5-200.fc38.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Tue May 30 15:44:17 UTC 2023
                              x86_64
Alert Count                   30
First Seen                    2023-05-26 09:43:20 +03
Last Seen                     2023-05-26 11:01:03 +03
Local ID                      0952e99c-7080-4d9e-9e5f-1e5c88a08025

Raw Audit Messages
type=AVC msg=audit(1685088063.531:1310): avc:  denied  { mmap_zero } for  pid=44040 comm="check" scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:spc_t:s0 tclass=memprotect permissive=0


Hash: check,spc_t,spc_t,memprotect,mmap_zero

rpm -q R-core                                                         ─╯
package R-core is not installed

cat /usr/lib64/R/bin/check                                            ─╯
cat: /usr/lib64/R/bin/check: No such file or directory

Other mkdir error:

Docker is installed but I turned it off via systemctl.(docker.socket and docker.)

SELinux is preventing mkdir from write access on the directory assets.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow mkdir to have write access on the assets directory
Then you need to change the label on assets
Do
# semanage fcontext -a -t FILE_TYPE 'assets'
where FILE_TYPE is one of the following: container_file_t, container_var_lib_t, fusefs_t, hugetlbfs_t, nfs_t, svirt_home_t, tmpfs_t, virt_home_t.
Then execute:
restorecon -v 'assets'


*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that mkdir should be allowed write access on the assets directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'mkdir' --raw | audit2allow -M my-mkdir
# semodule -X 300 -i my-mkdir.pp


Additional Information:
Source Context                system_u:system_r:container_t:s0:c374,c656
Target Context                unconfined_u:object_r:var_lib_t:s0
Target Objects                assets [ dir ]
Source                        mkdir
Source Path                   mkdir
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-38.15-1.fc38.noarch
Local Policy RPM              selinux-policy-targeted-38.15-1.fc38.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora
Platform                      Linux fedora 6.3.5-200.fc38.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Tue May 30 15:44:17 UTC 2023
                              x86_64
Alert Count                   3
First Seen                    2023-05-26 09:45:56 +03
Last Seen                     2023-05-26 09:45:56 +03
Local ID                      2b3c892d-e341-4a9c-918b-156950527005

Raw Audit Messages
type=AVC msg=audit(1685083556.334:334): avc:  denied  { write } for  pid=10255 comm="mkdir" name="assets" dev="nvme0n1p2" ino=945480 scontext=system_u:system_r:container_t:s0:c374,c656 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0


Hash: mkdir,container_t,var_lib_t,dir,write