[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: A question about allow_unconfined_mmap_low in f11 amd selinux



On Thu, 2009-11-05 at 19:32 +0000, Mike Cloaked wrote:
> Mike Cloaked <mike.cloaked <at> gmail.com> writes:
> 
> > 
> > Daniel J Walsh <dwalsh <at> redhat.com> writes:
> > 
> > > 
> > > On 11/04/2009 10:23 AM, mike cloaked wrote:
> > 
> > > > By "moving forward" do you mean that one can, in f11, reset the
> > > > original boolean and set boolean mmap_low_allowed instead, in a
> > > > forthcoming policy update?
> > > > 
> > > > Or is this a planned change coming for f12 but not yet policy in
> > > > earlier versions?
> > > > 
> > > > Thanks
> > > > 
> > > We have setroubleshoot plugins that explain exactly to the users what
> > they need to do to turn make their wine
> > > apps run.
> > > 
> > 
> > Does the dereference fix in kernel-2.6.30.9-96.fc11 address the issue raised 
> > here or have I got this wrong?
> > 
> 
> I am somewhat confused by the following - I thought that if mmap_min_addr
> was >0 then you are not vulnerable.  I also thought that installing wine, OR
> Crossover would set it to zero.

Only on Ubuntu and then I believe only WINE.  We do not ever set/allow
this by default (at least not that I know of, and if we do please let me
know, I'll whack someone with a clue-by-four)
 
> I have Crossover installed and not wine, and just checked:
> [mike home1 ~]$ cat /proc/sys/vm/mmap_min_addr 
> 65536
> 
> This is an f11 box.  I also set the boolean by doing
> # setsebool -P allow_unconfined_mmap_low 1

Bad news!  For maximum protection would want that bool off.  You do not
want to ALLOW unconfined to mmap low memory.

-Eric


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]