A question about allow_unconfined_mmap_low in f11 amd selinux
Eric Paris
eparis at redhat.com
Mon Nov 9 17:17:31 UTC 2009
On Thu, 2009-11-05 at 19:32 +0000, Mike Cloaked wrote:
> Mike Cloaked <mike.cloaked <at> gmail.com> writes:
>
> >
> > Daniel J Walsh <dwalsh <at> redhat.com> writes:
> >
> > >
> > > On 11/04/2009 10:23 AM, mike cloaked wrote:
> >
> > > > By "moving forward" do you mean that one can, in f11, reset the
> > > > original boolean and set boolean mmap_low_allowed instead, in a
> > > > forthcoming policy update?
> > > >
> > > > Or is this a planned change coming for f12 but not yet policy in
> > > > earlier versions?
> > > >
> > > > Thanks
> > > >
> > > We have setroubleshoot plugins that explain exactly to the users what
> > > they need to do to make their wine apps run.
> > >
> >
> > Does the dereference fix in kernel-2.6.30.9-96.fc11 address the issue raised
> > here or have I got this wrong?
> >
>
> I am somewhat confused by the following - I thought that if mmap_min_addr
> was >0 then you are not vulnerable. I also thought that installing wine, OR
> Crossover would set it to zero.
Only on Ubuntu and then I believe only WINE. We do not ever set/allow
this by default (at least not that I know of, and if we do please let me
know, I'll whack someone with a clue-by-four).
> I have Crossover installed and not wine, and just checked:
> [mike at home1 ~]$ cat /proc/sys/vm/mmap_min_addr
> 65536
>
> This is an f11 box. I also set the boolean by doing
> # setsebool -P allow_unconfined_mmap_low 1
Bad news! For maximum protection you would want that bool off. You do not
want to ALLOW unconfined to mmap low memory.
-Eric
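An added example, not from this thread or from the Fedora project: a small POSIX sh check that evaluates the two settings the thread discusses (vm.mmap_min_addr and the allow_unconfined_mmap_low boolean) and flags the combination Eric warns about. It assumes a Linux host with /proc and getsebool available for the live check; evaluate_mmap_low itself works on any values you pass it.

```shell
#!/bin/sh
# Added defender-side check for the settings discussed in the thread.
# The boolean name allow_unconfined_mmap_low is the F11 name used above.

# evaluate_mmap_low MIN_ADDR BOOL_STATE
#   MIN_ADDR   : value read from /proc/sys/vm/mmap_min_addr
#   BOOL_STATE : "on", "off" or "unknown" for allow_unconfined_mmap_low
# Prints one line per setting; returns 0 only when both are hardened.
evaluate_mmap_low() {
    min_addr=$1
    bool_state=$2
    status=0
    case $min_addr in
        ''|*[!0-9]*)
            echo "WARN: vm.mmap_min_addr has unexpected value '$min_addr'"
            status=1 ;;
        0)
            echo "WARN: vm.mmap_min_addr=0 lets processes map page zero"
            status=1 ;;
        *)
            echo "OK:   vm.mmap_min_addr=$min_addr" ;;
    esac
    case $bool_state in
        on)
            echo "WARN: allow_unconfined_mmap_low is on; unconfined_t may map below mmap_min_addr"
            status=1 ;;
        off)
            echo "OK:   allow_unconfined_mmap_low is off" ;;
        *)
            echo "WARN: allow_unconfined_mmap_low state unknown (getsebool unavailable?)"
            status=1 ;;
    esac
    return $status
}

# check_host: read the live values from this machine and evaluate them.
check_host() {
    min_addr=$(cat /proc/sys/vm/mmap_min_addr 2>/dev/null)
    # getsebool prints "allow_unconfined_mmap_low --> on"; keep the last word.
    bool_state=$(getsebool allow_unconfined_mmap_low 2>/dev/null | awk '{print $NF}')
    [ -n "$bool_state" ] || bool_state=unknown
    evaluate_mmap_low "$min_addr" "$bool_state"
}
```

Run check_host on the box in question; the 65536/off combination is the one that passes, while the setsebool -P allow_unconfined_mmap_low 1 setting from the message above produces a WARN.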