I want to turn on a part of the kernel to make SELinux checking more stringent.

Daniel J Walsh dwalsh at redhat.com
Mon Jan 27 15:45:05 UTC 2014

On 01/26/2014 03:49 PM, Andrew Lutomirski wrote:
> On Sun, Jan 26, 2014 at 12:38 PM, Richard W.M. Jones <rjones at redhat.com>
> wrote:
>> Slightly OT, but is SELinux stopping programs from executing code at 
>> address zero?  (And how can I stop it doing that?)
>> JONESFORTH, a public domain FORTH I wrote, is written in x86 assembler 
>> and prefers to put its threaded interpreter at address 0.  This worked 
>> fine before, but has now stopped working, and this is reported to be due
>> to SELinux.
> IIRC, in new kernels, /proc/sys/vm/mmap_min_addr and MAC policy both have
> to allow the mmap call.  In older kernels, only one of them had to allow
> it.
> Maybe some day SMAP-capable machines (e.g. Haswell, I think) will ignore
> these settings entirely -- I think that SMAP covers all the cases that
> mmap_min_addr was meant to protect against.
> --Andy
setsebool -P mmap_low_allowed 1

Will turn off this protection from an SELinux point of view, although you
should be careful with this.
>> http://rwmj.wordpress.com/2010/08/07/jonesforth-git-repository/#comment-6591
>> -- Richard Jones, Virtualization Group, Red Hat
>> http://people.redhat.com/~rjones virt-df lists disk usage of guests
>> without needing to install any software inside the virtual machine.
>> Supports Linux and Windows. http://people.redhat.com/~rjones/virt-df/
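
The two controls discussed in this thread can be audited together. The script below is an added example, not part of the original messages: it reads /proc/sys/vm/mmap_min_addr, the SELinux mode and the mmap_low_allowed boolean, and reports which layer, if any, still blocks low-address mappings. It assumes, as the thread describes for newer kernels, that both layers must allow the mapping, and that the process is unprivileged and runs in a domain the boolean applies to; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): report whether this host lets an
# unprivileged process map memory at low addresses such as page zero.
# Assumption, following the thread: on newer kernels the sysctl AND the
# SELinux policy must both allow the mapping.

# low_mmap_verdict MIN_ADDR MODE BOOL
#   prints: allowed | blocked-by-sysctl | blocked-by-selinux | blocked-by-both
#   MIN_ADDR: contents of /proc/sys/vm/mmap_min_addr
#   MODE:     getenforce output (Enforcing, Permissive, Disabled)
#   BOOL:     state of the mmap_low_allowed boolean (on, off, unknown)
low_mmap_verdict() {
    sysctl_ok=no
    selinux_ok=no
    if [ "$1" = 0 ]; then sysctl_ok=yes; fi
    # Only an enforcing policy denies; the boolean "on" lifts the denial.
    if [ "$2" != Enforcing ] || [ "$3" = on ]; then selinux_ok=yes; fi
    case "$sysctl_ok/$selinux_ok" in
        yes/yes) echo allowed ;;
        no/yes)  echo blocked-by-sysctl ;;
        yes/no)  echo blocked-by-selinux ;;
        *)       echo blocked-by-both ;;
    esac
}

# Collect the three inputs from the running system, falling back to
# placeholder values when SELinux tooling is absent.
audit_host() {
    min_addr=unknown mode=Disabled bool=unknown
    if [ -r /proc/sys/vm/mmap_min_addr ]; then
        min_addr=$(cat /proc/sys/vm/mmap_min_addr)
    fi
    if command -v getenforce >/dev/null 2>&1; then
        mode=$(getenforce 2>/dev/null || echo Disabled)
    fi
    if command -v getsebool >/dev/null 2>&1; then
        # getsebool prints a line such as "mmap_low_allowed --> off"
        bool=$(getsebool mmap_low_allowed 2>/dev/null | awk '{print $3}')
        if [ -z "$bool" ]; then bool=unknown; fi
    fi
    echo "mmap_min_addr=$min_addr selinux=$mode mmap_low_allowed=$bool"
    echo "verdict: $(low_mmap_verdict "$min_addr" "$mode" "$bool")"
}

audit_host
```

A verdict of "allowed" on a host that does not need page-zero mappings means both protections have been turned off and should be reviewed.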
