A question about allow_unconfined_mmap_low in f11 amd selinux

Adam Jackson ajax at redhat.com
Tue Nov 3 21:35:13 UTC 2009


On Tue, 2009-11-03 at 21:31 +0000, Mike Cloaked wrote:
> For people running wine or Crossover and using MS Office 2003 and related codes
> it is necessary to do:
> # setsebool -P allow_unconfined_mmap_low 1
> To prevent AVC denials.
> 
> However there is recent publicity at 
> http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability/
> which highlights that there is still a vulnerability in the kernel if this is
> set.
> 
> For people running f11 with this boolean set how can one run wine and still
> remain secure? i.e. what should an admin do to protect the system?

You can't.

If I'm being slightly less flip: run wine in a kvm instance with selinux
disabled, forward X to the host.

- ajax
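
A small audit helper for the setting discussed in this thread, added here as an example and not part of either message: it classifies a host from the output of `getsebool allow_unconfined_mmap_low` and the value of `/proc/sys/vm/mmap_min_addr`. The function names, verdict strings and sample inputs are made up for the illustration, and the `vm.mmap_min_addr` check goes beyond what the thread mentions.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and verdict strings
# are hypothetical. On a real host the two inputs come from:
#   getsebool allow_unconfined_mmap_low
#   cat /proc/sys/vm/mmap_min_addr

# parse_bool LINE: print on/off from a getsebool line, "unknown" for
# anything else (e.g. SELinux disabled, boolean absent from the policy).
parse_bool() {
    case "$1" in
        *"--> on"*)  echo on ;;
        *"--> off"*) echo off ;;
        *)           echo unknown ;;
    esac
}

# low_mmap_verdict GETSEBOOL_LINE MMAP_MIN_ADDR: print one verdict word.
low_mmap_verdict() {
    state=$(parse_bool "$1")
    min_addr=$2
    # The case raised in the thread: the boolean was switched on for wine.
    if [ "$state" = on ]; then
        echo boolean-on
        return 0
    fi
    # Reject empty or non-numeric sysctl values instead of guessing.
    case "$min_addr" in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    # A value of 0 means the kernel enforces no minimum mapping address.
    if [ "$min_addr" -eq 0 ]; then
        echo sysctl-zero
        return 0
    fi
    # Boolean state could not be read, but the sysctl floor is in place.
    if [ "$state" = unknown ]; then
        echo sysctl-only
        return 0
    fi
    echo restricted
}

# Constructed sample inputs, so the example runs on any machine.
printf '%s\n' "$(low_mmap_verdict 'allow_unconfined_mmap_low --> on' 65536)"
printf '%s\n' "$(low_mmap_verdict 'allow_unconfined_mmap_low --> off' 65536)"
printf '%s\n' "$(low_mmap_verdict 'getsebool:  SELinux is disabled' 0)"
```

A `boolean-on` result is the configuration the question describes; reverting it is the same `setsebool -P` command with `0` in place of `1`.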