A question about allow_unconfined_mmap_low in f11 amd selinux
Daniel J Walsh
dwalsh at redhat.com
Wed Nov 4 15:49:50 UTC 2009
On 11/04/2009 10:23 AM, mike cloaked wrote:
> Daniel J Walsh <dwalsh <at> redhat.com> writes:
>
>> You can run with SELinux in enforcement.
>>
>> mmap_low_allowed is the name of the boolean moving forward.
>>
>
> By "moving forward" do you mean that one can, in f11, reset the
> original boolean and set boolean mmap_low_allowed instead, in a
> forthcoming policy update?
>
> Or is this a planned change coming for f12 but not yet policy in
> earlier versions?
>
> Thanks
>
allow_unconfined_mmap_zero boolean meant to allow unconfined_domains to mmap_zero.
vbetool_exec_t and wine_exec_t have this capability without the boolean.
We have removed that altogether.
Now out of the box NO apps will have the ability to mmap_zero. If you want to run wine or vbetool(Hopefully fixed soon)
You will have to set the boolean. All unconfined_domains will continue then also have this access.
This access has proven to be a critical security feature, and several kernel/root vulnerabilities will be prevented by turning this boolean off, with the only down side, preventing old windows applications from running by default in wine. (If vbetool is fixed).
More information about the fedora-devel-list
mailing list