On 11/04/2009 10:23 AM, mike cloaked wrote:
> Daniel J Walsh <dwalsh <at> redhat.com> writes:
>
>> You can run with SELinux in enforcement.
>>
>> mmap_low_allowed is the name of the boolean moving forward.
>>
>
> By "moving forward" do you mean that one can, in f11, reset the
> original boolean and set boolean mmap_low_allowed instead, in a
> forthcoming policy update?
>
> Or is this a planned change coming for f12 but not yet policy in
> earlier versions?
>
> Thanks
>

allow_unconfined_mmap_zero boolean was meant to allow unconfined_domains to
mmap_zero. vbetool_exec_t and wine_exec_t have this capability without
the boolean. We have removed that altogether. Now out of the box NO
apps will have the ability to mmap_zero. If you want to run wine or
vbetool (hopefully fixed soon), you will have to set the boolean. All
unconfined_domains will then also continue to have this access.

This access has proven to be a critical security feature, and several
kernel/root vulnerabilities will be prevented by turning this boolean
off, with the only downside being that old Windows applications are
prevented from running by default in wine. (If vbetool is fixed).
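
Added example, not part of the original message or of the Fedora policy: a small C probe that checks whether the current process is allowed to map page zero, the access the boolean discussed above controls. The names `probe_low_map` and `low_map_text` are hypothetical; the EPERM case refers to the kernel's `vm.mmap_min_addr` check, which the thread does not discuss.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical result codes for this example. */
enum low_map { LOW_MAP_ALLOWED, LOW_MAP_EACCES, LOW_MAP_EPERM, LOW_MAP_OTHER };

/* Try to map one anonymous page at address 0, then release it again. */
enum low_map probe_low_map(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)0, page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);

    if (p != MAP_FAILED) {          /* a successful mapping returns address 0 */
        munmap(p, page);
        return LOW_MAP_ALLOWED;
    }
    if (errno == EACCES)            /* what an SELinux mmap_zero denial returns */
        return LOW_MAP_EACCES;
    if (errno == EPERM)             /* the vm.mmap_min_addr capability check */
        return LOW_MAP_EPERM;
    return LOW_MAP_OTHER;
}

const char *low_map_text(enum low_map r)
{
    switch (r) {
    case LOW_MAP_ALLOWED: return "allowed: this domain can mmap page zero";
    case LOW_MAP_EACCES:  return "denied (EACCES): blocked by the security policy";
    case LOW_MAP_EPERM:   return "denied (EPERM): blocked by vm.mmap_min_addr";
    default:              return "denied: other error, see errno";
    }
}

int main(void)
{
    enum low_map r = probe_low_map();
    printf("mmap of page zero: %s\n", low_map_text(r));
    return r == LOW_MAP_ALLOWED ? 1 : 0;   /* non-zero exit flags a permissive host */
}
```

Run it from the domain you care about (for example an unconfined login shell) before and after changing the boolean; an SELinux denial also leaves an AVC record in the audit log.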