A question about allow_unconfined_mmap_low in f11 amd selinux
Mike Cloaked
mike.cloaked at gmail.com
Tue Nov 10 10:36:32 UTC 2009
Daniel J Walsh <dwalsh <at> redhat.com> writes:
> The name has changed between RHEL5 - allow_unconfined_mmap_low and F12 - mmap_low_allowed
>
> The meaning has also changed
>
> in RHEL5
>
> unconfined domains are allowed to mmap_low if the boolean is set. vbetool
> and wine are allowed whether or
> not the boolean is set.
>
> In F12
> No domains are allowed to mmap_low unless the boolean is set. If it is
> set wine, vbetool and unconfined
> domains are allowed to mmap_zero.
>
> One of you is running wine in RHEL5 which is allowed to mmap_zero without
> the boolean. We changed this in F12
> so that wine will break without the boolean set.

There is an interesting thing I just found - in F11 without the bool set I can
run MS Word 2003 in Crossover (i.e. effectively wine) and open a .doc file
without any AVC popping up.

However, from a webmail interface opened in Firefox, clicking on a .doc
attachment and trying to open it via an association link to Word 2003 in Crossover
immediately gives an AVC denial for wine-preloader and suggests allowing the
bool! However, the file does seem to open nevertheless!!
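
Walsh's reply ties the mmap_zero permission to both the boolean and the domain a process runs in, so for a denial like the wine-preloader one reported above, the first thing to check is which source domain it was logged against. The following is an added example, not part of the original thread: it tallies denied memprotect mmap_zero AVCs per source domain and command from audit-log text. The sample log lines and the domain name example_browser_t are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample audit.log lines (not taken from the thread).
# "example_browser_t" is a hypothetical domain name used only for illustration.
SAMPLE_LOG = """\
type=AVC msg=audit(1257849392.101:201): avc:  denied  { mmap_zero } for  pid=4101 comm="wine-preloader" scontext=unconfined_u:unconfined_r:example_browser_t:s0 tcontext=unconfined_u:unconfined_r:example_browser_t:s0 tclass=memprotect
type=AVC msg=audit(1257849393.005:202): avc:  denied  { read } for  pid=4102 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1257849401.310:207): avc:  denied  { mmap_zero } for  pid=4150 comm="wine-preloader" scontext=unconfined_u:unconfined_r:example_browser_t:s0 tcontext=unconfined_u:unconfined_r:example_browser_t:s0 tclass=memprotect
type=AVC msg=audit(1257849455.870:215): avc:  granted  { mmap_zero } for  pid=4200 comm="vbetool" scontext=system_u:system_r:vbetool_t:s0 tcontext=system_u:system_r:vbetool_t:s0 tclass=memprotect
"""

# Fields of an AVC record that matter here: result, permission set,
# command name, source context and object class.
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+).*?tclass=(?P<tclass>\S+)'
)


def mmap_zero_denials(log_text):
    """Count denied memprotect:mmap_zero AVCs per (source domain, command)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("result") != "denied":
            continue  # not an AVC record, or an auditallow "granted" record
        if m.group("tclass") != "memprotect":
            continue
        if "mmap_zero" not in m.group("perms").split():
            continue
        # An SELinux context is user:role:type[:level]; the type is the domain.
        domain = m.group("scontext").split(":")[2]
        counts[(domain, m.group("comm"))] += 1
    return counts


if __name__ == "__main__":
    for (domain, comm), n in mmap_zero_denials(SAMPLE_LOG).items():
        print(f"{n} mmap_zero denial(s): domain={domain} comm={comm}")
```

On a real system the same function can be fed the contents of the audit log; comparing the domains it reports against the current value of the boolean shows whether a denial is the policy behaviour described in the reply.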