Would SELinux prevent that with the current policy?
James Morris
jmorris at namei.org
Sun Jul 19 23:00:39 UTC 2009
On Sun, 19 Jul 2009, Christoph Höger wrote:
> > But for those that use the policy defaults i am sorry because they are
> > (more) vulnerable to this issue,
>
> More? In what way can SELinux make you _more_ vulnerable? LSM are
> stackable, right? So basically all SELinux could do is restrict access
> and not allow access that already is denied by the dummy LSM, or not?

Usually, but in this case, the problem is that SELinux (and this could
happen to any LSM, really) allowed more access than the configured
default.

We want to be able to use MAC policy to allow applications to mmap low
memory. There does not seem to be a really great solution which avoids
the problem of then allowing more access than would otherwise be allowed.

Consider, though, that if you wanted to run wine on a standard system,
you would disable mmap_min_addr entirely for everything on the system.
Most people will probably not need to do that and have it set at the
normal value.

Perhaps what we should do is never allow SELinux policy to reduce the
protection level here, which would mean that if someone wants to allow an
app to mmap low memory, they have to:

a) disable protection globally via the sysctl
b) then depend entirely on SELinux to enforce it except for domains
   with the mmap_zero permission

So, IOW, the SELinux permission won't have any effect until the admin
removes the "DAC" control globally.

- James
--
James Morris
<jmorris at namei.org>