
Re: A question about allow_unconfined_mmap_low in f11 and selinux



On 11/04/2009 10:23 AM, mike cloaked wrote:
> Daniel J Walsh <dwalsh <at> redhat.com> writes:
> 
>> You can run with SELinux in enforcement.
>>
>> mmap_low_allowed is the name of the boolean moving forward.
>>
> 
> By "moving forward" do you mean that one can, in f11, reset the
> original boolean and set boolean mmap_low_allowed instead, in a
> forthcoming policy update?
> 
> Or is this a planned change coming for f12 but not yet policy in
> earlier versions?
> 
> Thanks
> 
The allow_unconfined_mmap_zero boolean was meant to allow unconfined_domains to mmap_zero.
vbetool_exec_t and wine_exec_t have this capability without the boolean.

We have removed that altogether.  

Now, out of the box, NO apps will have the ability to mmap_zero.  If you want to run wine or vbetool (hopefully fixed soon),
you will have to set the boolean.  All unconfined_domains will then continue to also have this access.

This access has proven to be a critical security feature, and several kernel/root vulnerabilities will be prevented by turning this boolean off, with the only downside being that old Windows applications are prevented from running by default in wine (if vbetool is fixed).

