Re: A question about allow_unconfined_mmap_low in f11 amd selinux

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 2009-11-05 at 19:32 +0000, Mike Cloaked wrote:
> Mike Cloaked <mike.cloaked <at> gmail.com> writes:
> 
> > 
> > Daniel J Walsh <dwalsh <at> redhat.com> writes:
> > 
> > > 
> > > On 11/04/2009 10:23 AM, mike cloaked wrote:
> > 
> > > > By "moving forward" do you mean that one can, in f11, reset the
> > > > original boolean and set boolean mmap_low_allowed instead, in a
> > > > forthcoming policy update?
> > > > 
> > > > Or is this a planned change coming for f12 but not yet policy in
> > > > earlier versions?
> > > > 
> > > > Thanks
> > > > 
> > > We have setroubleshoot plugins that explain exactly to the users what
> > they need to do to turn make their wine
> > > apps run.
> > > 
> > 
> > Does the dereference fix in kernel-2.6.30.9-96.fc11 address the issue raised 
> > here or have I got this wrong?
> > 
> 
> I am somewhat confused by the following - I thought that if mmap_min_addr
> was >0 then you are not vulnerable.  I also thought that installing wine, OR
> Crossover would set it to zero.

Only on Ubuntu and then I believe only WINE.  We do not ever set/allow
this by default (at least not that I know of, and if we do please let me
know, I'll whack someone with a clue-by-four)
 
> I have Crossover installed and not wine, and just checked:
> [mike@home1 ~]$ cat /proc/sys/vm/mmap_min_addr 
> 65536
> 
> This is an f11 box.  I also set the boolean by doing
> # setsebool -P allow_unconfined_mmap_low 1

Bad news!  For maximum protection would want that bool off.  You do not
want to ALLOW unconfined to mmap low memory.

-Eric

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux