A question about allow_unconfined_mmap_low in f11 amd selinux

Daniel J Walsh dwalsh at redhat.com
Wed Nov 4 14:45:46 UTC 2009


On 11/03/2009 04:35 PM, Adam Jackson wrote:
> On Tue, 2009-11-03 at 21:31 +0000, Mike Cloaked wrote:
>> For people running wine or Crossover and using MS Office 2003 and related codes
>> it is necessary to do:
>> # setsebool -P allow_unconfined_mmap_low 1
>> To prevent AVC denials.
>>
>> However there is recent publicity at 
>> http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability/
>> which highlights that there is still a vulnerability in the kernel if this is
>> set.
>>
>> For people running f11 with this boolean set how can one run wine and still
>> remain secure? i.e. what should an admin do to protect the system?
> 
> You can't.
> 
> If I'm being slightly less flip: run wine in a kvm instance with selinux
> disabled, forward X to the host.
> 
> - ajax
> 

You can run with SELinux in enforcement.  

mmap_low_allowed is the name of the boolean moving forward.
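
Added example, not part of the original message: a shell check that reads `getsebool -a`-style output and reports whether the boolean is on under either the name used in the question (`allow_unconfined_mmap_low`) or the name given in the reply (`mmap_low_allowed`). The function names, the `--audit` switch and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect hosts where the low-mmap boolean is switched on,
# whichever of the two names the installed policy uses.

# Reads lines in `getsebool -a` format ("name --> on|off") on stdin.
# Prints the name of each matching boolean that is on.
# Exit status: 0 if at least one is on, 1 if none is on or present.
mmap_low_enabled() {
    awk '
        ($1 == "allow_unconfined_mmap_low" || $1 == "mmap_low_allowed") &&
        $2 == "-->" && $3 == "on" { print $1; found = 1 }
        END { exit !found }
    '
}

# Runs the check against the live policy (hypothetical wrapper).
# Returns 0 = not enabled, 1 = enabled, 2 = SELinux tools missing.
audit_host() {
    if ! command -v getsebool >/dev/null 2>&1; then
        echo "getsebool not found; cannot read SELinux booleans" >&2
        return 2
    fi
    if on=$(getsebool -a 2>/dev/null | mmap_low_enabled); then
        echo "WARNING: boolean enabled: $on"
        return 1
    fi
    echo "OK: neither allow_unconfined_mmap_low nor mmap_low_allowed is on"
    return 0
}

# Constructed sample inputs (not captured from a real host).
sample_old_name='example_other_boolean --> on
allow_unconfined_mmap_low --> on'
sample_new_name='mmap_low_allowed --> off
example_other_boolean --> on'

# Only touch the live system when asked to.
if [ "${1:-}" = "--audit" ]; then
    audit_host
fi
```
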



