Same error with this topic:
- I’m not having problems with any application at the moment, but I would like to fix this as I don’t want hackers to take advantage of it.
SELinux is preventing check from mmap_zero access on the memprotect labeled spc_t.
***** Plugin mmap_zero (53.1 confidence) suggests *************************
If you do not think check should need to mmap low memory in the kernel.
Then you may be under attack by a hacker, this is a very dangerous access.
Do
contact your security administrator and report this issue.
***** Plugin catchall_boolean (42.6 confidence) suggests ******************
If you want to allow mmap to low allowed
Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean.
Do
setsebool -P mmap_low_allowed 1
***** Plugin catchall (5.76 confidence) suggests **************************
If you believe that check should be allowed mmap_zero access on memprotect labeled spc_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'check' --raw | audit2allow -M my-check
# semodule -X 300 -i my-check.pp
Additional Information:
Source Context system_u:system_r:spc_t:s0
Target Context system_u:system_r:spc_t:s0
Target Objects Unknown [ memprotect ]
Source check
Source Path check
Port <Unknown>
Host <Unknown>
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-38.15-1.fc38.noarch
Local Policy RPM selinux-policy-targeted-38.15-1.fc38.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name fedora
Platform Linux fedora 6.3.5-200.fc38.x86_64 #1 SMP
PREEMPT_DYNAMIC Tue May 30 15:44:17 UTC 2023
x86_64
Alert Count 30
First Seen 2023-05-26 09:43:20 +03
Last Seen 2023-05-26 11:01:03 +03
Local ID 0952e99c-7080-4d9e-9e5f-1e5c88a08025
Raw Audit Messages
type=AVC msg=audit(1685088063.531:1310): avc: denied { mmap_zero } for pid=44040 comm="check" scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:spc_t:s0 tclass=memprotect permissive=0
Hash: check,spc_t,spc_t,memprotect,mmap_zero
rpm -q R-core
package R-core is not installed
cat /usr/lib64/R/bin/check
cat: /usr/lib64/R/bin/check: No such file or directory
Other mkdir error:
- Docker is installed, but I turned it off via systemctl (docker.socket and docker.)
SELinux is preventing mkdir from write access on the directory assets.
***** Plugin catchall_labels (83.8 confidence) suggests *******************
If you want to allow mkdir to have write access on the assets directory
Then you need to change the label on assets
Do
# semanage fcontext -a -t FILE_TYPE 'assets'
where FILE_TYPE is one of the following: container_file_t, container_var_lib_t, fusefs_t, hugetlbfs_t, nfs_t, svirt_home_t, tmpfs_t, virt_home_t.
Then execute:
restorecon -v 'assets'
***** Plugin catchall (17.1 confidence) suggests **************************
If you believe that mkdir should be allowed write access on the assets directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'mkdir' --raw | audit2allow -M my-mkdir
# semodule -X 300 -i my-mkdir.pp
Additional Information:
Source Context system_u:system_r:container_t:s0:c374,c656
Target Context unconfined_u:object_r:var_lib_t:s0
Target Objects assets [ dir ]
Source mkdir
Source Path mkdir
Port <Unknown>
Host <Unknown>
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-38.15-1.fc38.noarch
Local Policy RPM selinux-policy-targeted-38.15-1.fc38.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name fedora
Platform Linux fedora 6.3.5-200.fc38.x86_64 #1 SMP
PREEMPT_DYNAMIC Tue May 30 15:44:17 UTC 2023
x86_64
Alert Count 3
First Seen 2023-05-26 09:45:56 +03
Last Seen 2023-05-26 09:45:56 +03
Local ID 2b3c892d-e341-4a9c-918b-156950527005
Raw Audit Messages
type=AVC msg=audit(1685083556.334:334): avc: denied { write } for pid=10255 comm="mkdir" name="assets" dev="nvme0n1p2" ino=945480 scontext=system_u:system_r:container_t:s0:c374,c656 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0
Hash: mkdir,container_t,var_lib_t,dir,write
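
Added example (not part of the original post, and not setroubleshoot's own code): a small parser that reads the two raw AVC records quoted above, rebuilds the `Hash:` key each alert prints, and sorts the denials before anyone reaches for `audit2allow`. The function names and the triage labels (`investigate`, `relabel`, `review`) are assumptions of this sketch; the rules only restate what the alerts themselves say.

```python
import re

# The two raw AVC records from the alerts above, copied from this page.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1685088063.531:1310): avc: denied { mmap_zero } for pid=44040 comm="check" scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:spc_t:s0 tclass=memprotect permissive=0',
    'type=AVC msg=audit(1685083556.334:334): avc: denied { write } for pid=10255 comm="mkdir" name="assets" dev="nvme0n1p2" ino=945480 scontext=system_u:system_r:container_t:s0:c374,c656 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    # A context is user:role:type:level[:categories]; the type is field 3.
    fields['stype'] = fields['scontext'].split(':')[2]
    fields['ttype'] = fields['tcontext'].split(':')[2]
    return fields


def alert_hash(avc):
    """Rebuild the 'Hash:' key as it appears in the alerts above
    (comm, source type, target type, class, permission)."""
    return ','.join([avc['comm'], avc['stype'], avc['ttype'],
                     avc['tclass'], *avc['perms']])


def triage(avc):
    """Hypothetical triage rules, taken from the alert text on this page."""
    if avc['tclass'] == 'memprotect' and 'mmap_zero' in avc['perms']:
        # The alert calls this "a very dangerous access": find the process
        # behind comm/pid first; do not enable mmap_low_allowed blindly.
        return 'investigate'
    if avc['stype'] == 'container_t' and avc['tclass'] in ('dir', 'file'):
        # catchall_labels suggests changing the label on the target instead
        # of widening policy for the container domain.
        return 'relabel'
    return 'review'


if __name__ == '__main__':
    for raw in SAMPLE_AVCS:
        avc = parse_avc(raw)
        print(triage(avc), alert_hash(avc), 'pid=' + avc['pid'])
```

On a live system the same functions can be fed the output of `ausearch -m AVC --raw` line by line instead of the embedded samples.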