A question about allow_unconfined_mmap_low in f11 amd selinux

Daniel J Walsh dwalsh at redhat.com
Mon Nov 9 21:24:26 UTC 2009


On 11/09/2009 03:15 PM, Justin wrote:
> On Mon, Nov 9, 2009 at 2:40 PM, Mike Cloaked <mike.cloaked at gmail.com> wrote:
>> Eric Paris <eparis at redhat.com> writes:
>>
>>>> I have Crossover installed and not wine, and just checked:
>>>> [mike@home1 ~]$ cat /proc/sys/vm/mmap_min_addr
>>>> 65536
>>>>
>>>> This is an f11 box.  I also set the boolean by doing
>>>> # setsebool -P allow_unconfined_mmap_low 1
>>>
>>> Bad news!  For maximum protection would want that bool off.  You do not
>>> want to ALLOW unconfined to mmap low memory.
>>>
>>> -Eric
>>
>> Many thanks Eric - I just tried unsetting the boolean -
>> # setsebool -P allow_unconfined_mmap_low 0
>>
>> Excel and Word 2003 still run in Crossover after resetting it without AVCs
>> popping up - I will unset it in the other machines where I have this also -
>> I guess selinux policy may have changed so that setting it as I did originally
>> is no longer necessary.
> 
> Really? For me there is no "allow_unconfined_mmap_low" at all and I'm
> definitely still getting the error with any Wine application with
> mmap_low_allowed set to 0.
> 
> selinux-policy-3.6.32-41.fc12.noarch
> 
The name has changed between RHEL5 (allow_unconfined_mmap_low) and F12 (mmap_low_allowed).

The meaning has also changed.

In RHEL5:

Unconfined domains are allowed to mmap_low if the boolean is set.  vbetool and wine are allowed whether or not the boolean is set.

In F12:

No domains are allowed to mmap_low unless the boolean is set.  If it is set, wine, vbetool and unconfined domains are allowed to mmap_zero.

One of you is running wine on RHEL5, which is allowed to mmap_zero without the boolean.  We changed this in F12 so that wine will break without the boolean set.
