On 11/09/2009 03:15 PM, Justin wrote: > On Mon, Nov 9, 2009 at 2:40 PM, Mike Cloaked <mike.cloaked@xxxxxxxxx> wrote: >> Eric Paris <eparis <at> redhat.com> writes: >> >>>> I have Crossover installed and not wine, and just checked: >>>> [mike <at> home1 ~]$ cat /proc/sys/vm/mmap_min_addr >>>> 65536 >>>> >>>> This is an f11 box. I also set the boolean by doing >>>> # setsebool -P allow_unconfined_mmap_low 1 >>> >>> Bad news! For maximum protection would want that bool off. You do not >>> want to ALLOW unconfined to mmap low memory. >>> >>> -Eric >> >> Many thanks Eric - I just tried unsetting the boolean - >> # setsebool -P allow_unconfined_mmap_low 0 >> >> Excel and Word 2003 still run in Crossover after resetting it without AVCs >> popping up - I will unset it in the other machines where I have this also - >> I guess selinux policy may have changed so that setting it as I did originally >> is no longer necessary. > > Really? For me there is no "allow_unconfined_mmap_low" at all and I'm > definitely still getting the error with any Wine application with > mmap_low_allowed set to 0. > > selinux-policy-3.6.32-41.fc12.noarch > The name has changed between RHEL5 - allow_unconfined_mmap_low and F12 - mmap_low_allowed The meaning has also changed in RHEL5 unconfined domains are allowed to mmap_low if the boolean is set. vbetool and wine are allowed whether or not the boolean is set. In F12 No domains are allowed to mmap_low unless the boolean is set. If it is set wine, vbetool and unconfined domains are allowed to mmap_zero. One of you is running wine in RHEL5 which is allowed to mmap_zero without the boolean. We changed this in F12 so that wine will break without the boolean set. -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
