Re: wine preloader? being denied by selinux

On Wed, Sep 01, 2010 at 08:36:22PM -0400, Genes MailLists wrote:
> On 09/01/2010 07:24 PM, Dominick Grift wrote:
> > On Wed, Sep 01, 2010 at 03:49:14PM -0700, Antonio Olivares wrote:
> 
>   ..
> 
> >>
> >> Fix Command:
> >>
> >> /usr/sbin/setsebool -P mmap_low_allowed 1
> >>
> >
> > There is a boolean that one can toggle to silently deny this access vector:
> > 
> > setsebool -P wine_mmap_zero_ignore on
> > 
> > Again, this will not allow wine to mmap low (which is a dangerous ability), but instead it will hide attempts by wine to do so.
> 
> 
>   It would feel a lot less worrisome if the prev bool was restricted to
> wine only in case of need:
> 
>   setsebool -P wine_mmap_low_allowed 1
> 
>   instead of mmap_low_allowed

It is not like every process is allowed to mmap low when mmap_low_allowed is set to true.

Only a few domains are tagged to be allowed this access:

vbetool
wine
unconfined domains

As for unconfined domains: it makes sense that these domains have "unconfined" access. You can remove the unconfined module, though. That would turn the unconfined domains into confined domains, and thus if you do that, then only vbetool and wine will be allowed to mmap low if you set mmap_low_allowed to true.

> 
>   gene/


--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
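
To check which domains a policy actually lets map low memory, and which boolean gates each rule, the memprotect mmap_zero rules can be listed with sesearch and summarised. This is an added example, not part of the original message: the function names and the sample rules are constructed for illustration, and the live command in the comments assumes setools is installed.

```shell
#!/bin/sh
# Added example: summarise memprotect:mmap_zero rules as
#   <rule type> <source domain> <gating boolean>
# Live use (assumes setools is installed):
#   sesearch --allow --dontaudit -c memprotect -p mmap_zero | mmap_zero_rules

mmap_zero_rules() {
    # stdin: rules in the form sesearch prints them, one per line
    awk '
        /memprotect/ && /mmap_zero/ {
            # Boolean name appears in square brackets on conditional rules
            cond = "unconditional"
            if (match($0, /\[ *[A-Za-z0-9_]+ *\]/)) {
                cond = substr($0, RSTART + 1, RLENGTH - 2)
                gsub(/ /, "", cond)
            }
            # Older setools prefix conditional rules with a state column,
            # so locate the rule keyword instead of assuming field 1
            for (i = 1; i < NF; i++) {
                if ($i == "allow" || $i == "dontaudit") {
                    print $i, $(i + 1), cond
                    break
                }
            }
        }' | LC_ALL=C sort -u
}

# Constructed sample input (not output captured from a real system)
sample_rules() {
    cat <<'EOF'
allow vbetool_t vbetool_t:memprotect mmap_zero; [ mmap_low_allowed ]:True
allow wine_t wine_t:memprotect mmap_zero; [ mmap_low_allowed ]:True
allow unconfined_t unconfined_t:memprotect mmap_zero; [ mmap_low_allowed ]:True
dontaudit wine_t wine_t:memprotect mmap_zero; [ wine_mmap_zero_ignore ]:True
allow httpd_t httpd_t:file read;
EOF
}

sample_rules | mmap_zero_rules
```

A dontaudit line only suppresses the AVC denial message, while an allow line grants the access when its boolean is on; `getsebool mmap_low_allowed wine_mmap_zero_ignore` shows the current state of both.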
