I want to turn on a part of the kernel to make SELinux checking more stringent.
Daniel J Walsh
dwalsh at redhat.com
Mon Jan 27 15:45:05 UTC 2014
On 01/26/2014 03:49 PM, Andrew Lutomirski wrote:
> On Sun, Jan 26, 2014 at 12:38 PM, Richard W.M. Jones <rjones at redhat.com>
> wrote:
>> Slightly OT, but is SELinux stopping programs from executing code at
>> address zero? (And how can I stop it doing that?)
>>
>> JONESFORTH, a public domain FORTH I wrote, is written in x86 assembler
>> and prefers to put its threaded interpreter at address 0. This worked
>> fine before, but has now stopped working, and this is reported to be due
>> to SELinux.
>
> IIRC, in new kernels, /proc/sys/vm/mmap_min_addr and MAC policy both have
> to allow the mmap call. In older kernels, only one of them had to allow
> it.
>
> Maybe some day SMAP-capable machines (e.g. Haswell, I think) will ignore
> these settings entirely -- I think that SMAP covers all the cases that
> mmap_min_addr was meant to protect against.
>
> --Andy
>
setsebool -P mmap_low_allowed 1
Will turn off this protection from an SELinux point of view, although you
should be careful with this.
>>
>> http://rwmj.wordpress.com/2010/08/07/jonesforth-git-repository/#comment-6591
>>
>> Rich.
>>
>> -- Richard Jones, Virtualization Group, Red Hat
>> http://people.redhat.com/~rjones virt-df lists disk usage of guests
>> without needing to install any software inside the virtual machine.
>> Supports Linux and Windows. http://people.redhat.com/~rjones/virt-df/
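An added example, not part of the original message or of any Fedora tooling: a shell audit of the two controls named in this thread, so a host where `mmap_low_allowed` was switched on (or `mmap_min_addr` set to 0) can be flagged. It uses `getsebool` and `/proc/sys/vm/mmap_min_addr`; the function names and verdict labels are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the low-address mmap controls discussed in this thread.

# parse_getsebool LINE -> on | off | unknown
# LINE is getsebool output such as "mmap_low_allowed --> off".
parse_getsebool() {
    case $1 in
        "mmap_low_allowed --> on")  echo on ;;
        "mmap_low_allowed --> off") echo off ;;
        *)                          echo unknown ;;  # SELinux absent/disabled
    esac
}

# classify MIN_ADDR BOOL -> ok | selinux-open | sysctl-open | both-open | invalid
# MIN_ADDR: contents of /proc/sys/vm/mmap_min_addr (decimal).
# BOOL: on | off | unknown. Anything other than "off" means SELinux policy
# is not blocking low mappings (boolean enabled, or no SELinux to ask).
classify() {
    case $1 in
        ''|*[!0-9]*) echo invalid; return 0 ;;
    esac
    c_sysctl=floor
    [ "$1" -eq 0 ] && c_sysctl=nofloor   # 0 means the sysctl sets no floor
    case "$c_sysctl:$2" in
        floor:off)   echo ok ;;
        floor:*)     echo selinux-open ;;
        nofloor:off) echo sysctl-open ;;
        nofloor:*)   echo both-open ;;
    esac
}

# audit_host: read the live settings, print one summary line,
# and return non-zero unless both controls are still protective.
audit_host() {
    a_min=$(cat /proc/sys/vm/mmap_min_addr 2>/dev/null)
    a_line=$(getsebool mmap_low_allowed 2>/dev/null)
    a_bool=$(parse_getsebool "$a_line")
    a_verdict=$(classify "$a_min" "$a_bool")
    echo "mmap_min_addr=${a_min:-?} mmap_low_allowed=$a_bool verdict=$a_verdict"
    [ "$a_verdict" = ok ]
}

# Call audit_host to check the running system.
```

`setsebool -P` makes the boolean persistent, so a `selinux-open` verdict survives reboots until the boolean is set back to 0.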