[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: A question about allow_unconfined_mmap_low in f11 amd selinux



On 11/03/2009 04:35 PM, Adam Jackson wrote:
> On Tue, 2009-11-03 at 21:31 +0000, Mike Cloaked wrote:
>> For people running wine or Crossover and using MS Office 2003 and related codes
>> it is necessary to do:
>> # setsebool -P allow_unconfined_mmap_low 1
>> To prevent AVC denials.
>>
>> However there is recent publicity at 
>> http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability/
>> which highlights that there is still a vulnerability in the kernel if this is
>> set.
>>
>> For people running f11 with this boolean set how can one run wine and still
>> remain secure? i.e. what should an admin do to protect the system?
> 
> You can't.
> 
> If I'm being slightly less flip: run wine in a kvm instance with selinux
> disabled, forward X to the host.
> 
> - ajax
> 

You can run with SELinux in enforcement.  

mmap_low_allowed is the name of the boolean moving forward.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]