On Thu, 2009-11-05 at 19:32 +0000, Mike Cloaked wrote:
> Mike Cloaked <mike.cloaked <at> gmail.com> writes:
>
> >
> > Daniel J Walsh <dwalsh <at> redhat.com> writes:
> >
> > >
> > > On 11/04/2009 10:23 AM, mike cloaked wrote:
> > >
> > > > By "moving forward" do you mean that one can, in f11, reset the
> > > > original boolean and set boolean mmap_low_allowed instead, in a
> > > > forthcoming policy update?
> > > >
> > > > Or is this a planned change coming for f12 but not yet policy in
> > > > earlier versions?
> > > >
> > > > Thanks
> > > >
> > > We have setroubleshoot plugins that explain exactly to the users what
> > > they need to do to turn make their wine
> > > apps run.
> > >
> >
> > Does the dereference fix in kernel-2.6.30.9-96.fc11 address the issue raised
> > here or have I got this wrong?
> >
>
> I am somewhat confused by the following - I thought that if mmap_min_addr
> was >0 then you are not vulnerable. I also thought that installing wine, OR
> Crossover would set it to zero.

Only on Ubuntu and then I believe only WINE. We do not ever set/allow
this by default (at least not that I know of, and if we do please let me
know, I'll whack someone with a clue-by-four)

> I have Crossover installed and not wine, and just checked:
> [mike@home1 ~]$ cat /proc/sys/vm/mmap_min_addr
> 65536
>
> This is an f11 box. I also set the boolean by doing
> # setsebool -P allow_unconfined_mmap_low 1

Bad news! For maximum protection would want that bool off. You do not
want to ALLOW unconfined to mmap low memory.

-Eric

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
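
A check for the two settings discussed in this thread, added here as an example and not part of the original messages. The function names and verdict labels are made up for illustration; the reading of each state follows the reply above (non-zero mmap_min_addr, boolean off), and both boolean names mentioned in the thread are tried.

```shell
#!/bin/sh
# Added example: audit mmap_min_addr and the SELinux low-mmap boolean.
# Verdict labels are illustrative, not output of any Fedora tool.

# parse_bool "LINE": reduce a getsebool line ("name --> on") to on/off/unknown.
parse_bool() {
    case $1 in
        *'--> on'*)  echo on ;;
        *'--> off'*) echo off ;;
        *)           echo unknown ;;
    esac
}

# read_bool: query whichever of the two boolean names this policy knows.
read_bool() {
    for name in allow_unconfined_mmap_low mmap_low_allowed; do
        line=$(getsebool "$name" 2>/dev/null) && { parse_bool "$line"; return 0; }
    done
    echo unknown   # no getsebool, SELinux disabled, or neither boolean defined
}

# classify ADDR STATE: combine the sysctl value and the boolean state.
classify() {
    addr=$1
    state=$2
    case $addr in
        ''|*[!0-9]*) echo unknown; return 0 ;;   # sysctl missing or unreadable
    esac
    if [ "$addr" -eq 0 ]; then
        echo zero-page-mappable    # kernel floor disabled for every process
    elif [ "$state" = on ]; then
        echo bool-on               # unconfined domains may still map low memory
    elif [ "$state" = off ]; then
        echo ok
    else
        echo sysctl-only           # floor is set, SELinux state not available
    fi
}

cur_addr=$(cat /proc/sys/vm/mmap_min_addr 2>/dev/null || true)
cur_bool=$(read_bool)
echo "mmap_min_addr=${cur_addr:-unreadable} boolean=$cur_bool" \
     "verdict=$(classify "$cur_addr" "$cur_bool")"
```

With the values quoted in the thread (65536 and the boolean set to 1) the verdict is `bool-on`; `setsebool -P allow_unconfined_mmap_low 0` is the change that moves it to `ok`.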