Allow unconfined domains to mmap low conditionally.
Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 416e668... a1bfac5... M policy/modules/system/unconfined.if
policy/modules/system/unconfined.if | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index 416e668..a1bfac5 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -37,6 +37,7 @@ interface(`unconfined_domain_noaudit',`
kernel_unconfined($1)
corenet_unconfined($1)
dev_unconfined($1)
+ domain_mmap_low($1)
domain_unconfined($1)
domain_dontaudit_read_all_domains_state($1)
domain_dontaudit_ptrace_all_domains($1)
--
1.7.2.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100901/67528464/attachment.bin
On 09/01/10 11:54, Dominick Grift wrote:
> Allow unconfined domains to mmap low conditionally.
I'm very concerned about adding this to all unconfined domains, even if
its conditional.
Is this from the Fedora policy?
> Signed-off-by: Dominick Grift<[email protected]>
> ---
> :100644 100644 416e668... a1bfac5... M policy/modules/system/unconfined.if
> policy/modules/system/unconfined.if | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
> index 416e668..a1bfac5 100644
> --- a/policy/modules/system/unconfined.if
> +++ b/policy/modules/system/unconfined.if
> @@ -37,6 +37,7 @@ interface(`unconfined_domain_noaudit',`
> kernel_unconfined($1)
> corenet_unconfined($1)
> dev_unconfined($1)
> + domain_mmap_low($1)
> domain_unconfined($1)
> domain_dontaudit_read_all_domains_state($1)
> domain_dontaudit_ptrace_all_domains($1)
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 09/03/2010 10:53 AM, Christopher J. PeBenito wrote:
> On 09/01/10 11:54, Dominick Grift wrote:
>> Allow unconfined domains to mmap low conditionally.
>
> I'm very concerned about adding this to all unconfined domains, even if
> its conditional.
>
> Is this from the Fedora policy?
>
>> Signed-off-by: Dominick Grift<[email protected]>
>> ---
>> :100644 100644 416e668... a1bfac5... M policy/modules/system/unconfined.if
>> policy/modules/system/unconfined.if | 1 +
>> 1 files changed, 1 insertions(+), 0 deletions(-)
>>
>> diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
>> index 416e668..a1bfac5 100644
>> --- a/policy/modules/system/unconfined.if
>> +++ b/policy/modules/system/unconfined.if
>> @@ -37,6 +37,7 @@ interface(`unconfined_domain_noaudit',`
>> kernel_unconfined($1)
>> corenet_unconfined($1)
>> dev_unconfined($1)
>> + domain_mmap_low($1)
>> domain_unconfined($1)
>> domain_dontaudit_read_all_domains_state($1)
>> domain_dontaudit_ptrace_all_domains($1)
>
Yes. The problem is not adding it, proves to be useless. Since an
unconfined domain can do
Download mmap_zero_breakin /tmp/
chcon -t wine_exec_t /tmp/mmap_zero_breakin
/tmp/mmap_zero_breakin
Removing this line will just cause AVC's from random wine apps and add
no security.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAkyBDJ4ACgkQrlYvE4MpobPSBwCfXPwVcpNDSzXaqshzPD95Tr9J
HuYAnipz0i0ey2+08mmEcxw465ti3Z7I
=1iju
-----END PGP SIGNATURE-----
On 09/03/10 10:56, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 09/03/2010 10:53 AM, Christopher J. PeBenito wrote:
>> On 09/01/10 11:54, Dominick Grift wrote:
>>> Allow unconfined domains to mmap low conditionally.
>>
>> I'm very concerned about adding this to all unconfined domains, even if
>> its conditional.
>>
>> Is this from the Fedora policy?
>>
>>> Signed-off-by: Dominick Grift<[email protected]>
>>> ---
>>> :100644 100644 416e668... a1bfac5... M policy/modules/system/unconfined.if
>>> policy/modules/system/unconfined.if | 1 +
>>> 1 files changed, 1 insertions(+), 0 deletions(-)
>>>
>>> diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
>>> index 416e668..a1bfac5 100644
>>> --- a/policy/modules/system/unconfined.if
>>> +++ b/policy/modules/system/unconfined.if
>>> @@ -37,6 +37,7 @@ interface(`unconfined_domain_noaudit',`
>>> kernel_unconfined($1)
>>> corenet_unconfined($1)
>>> dev_unconfined($1)
>>> + domain_mmap_low($1)
>>> domain_unconfined($1)
>>> domain_dontaudit_read_all_domains_state($1)
>>> domain_dontaudit_ptrace_all_domains($1)
>>
>
> Yes. The problem is not adding it, proves to be useless. Since an
> unconfined domain can do
>
> Download mmap_zero_breakin /tmp/
> chcon -t wine_exec_t /tmp/mmap_zero_breakin
> /tmp/mmap_zero_breakin
>
> Removing this line will just cause AVC's from random wine apps and add
> no security.
Thats true, assuming any of the 3 domains that have the permission are
in the policy. However, it's legitimate uses are so uncommon that I'm
not willing to add it to unconfined. As for wine, if I recall
correctly, you told me wine only needs it for 16bit DOS apps, so random
wine apps hitting this seems unlikely.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 09/03/2010 11:14 AM, Christopher J. PeBenito wrote:
> On 09/03/10 10:56, Daniel J Walsh wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On 09/03/2010 10:53 AM, Christopher J. PeBenito wrote:
>>> On 09/01/10 11:54, Dominick Grift wrote:
>>>> Allow unconfined domains to mmap low conditionally.
>>>
>>> I'm very concerned about adding this to all unconfined domains, even if
>>> its conditional.
>>>
>>> Is this from the Fedora policy?
>>>
>>>> Signed-off-by: Dominick Grift<[email protected]>
>>>> ---
>>>> :100644 100644 416e668... a1bfac5... M
>>>> policy/modules/system/unconfined.if
>>>> policy/modules/system/unconfined.if | 1 +
>>>> 1 files changed, 1 insertions(+), 0 deletions(-)
>>>>
>>>> diff --git a/policy/modules/system/unconfined.if
>>>> b/policy/modules/system/unconfined.if
>>>> index 416e668..a1bfac5 100644
>>>> --- a/policy/modules/system/unconfined.if
>>>> +++ b/policy/modules/system/unconfined.if
>>>> @@ -37,6 +37,7 @@ interface(`unconfined_domain_noaudit',`
>>>> kernel_unconfined($1)
>>>> corenet_unconfined($1)
>>>> dev_unconfined($1)
>>>> + domain_mmap_low($1)
>>>> domain_unconfined($1)
>>>> domain_dontaudit_read_all_domains_state($1)
>>>> domain_dontaudit_ptrace_all_domains($1)
>>>
>>
>> Yes. The problem is not adding it, proves to be useless. Since an
>> unconfined domain can do
>>
>> Download mmap_zero_breakin /tmp/
>> chcon -t wine_exec_t /tmp/mmap_zero_breakin
>> /tmp/mmap_zero_breakin
>>
>> Removing this line will just cause AVC's from random wine apps and add
>> no security.
>
> Thats true, assuming any of the 3 domains that have the permission are
> in the policy. However, it's legitimate uses are so uncommon that I'm
> not willing to add it to unconfined. As for wine, if I recall
> correctly, you told me wine only needs it for 16bit DOS apps, so random
> wine apps hitting this seems unlikely.
>
Every wine app complains about it, but it seems lots work without it.
Well as well as wine apps work, after fighting with itunes for my son
the other night, I remember why I hate wine...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAkyBHWUACgkQrlYvE4MpobNGwQCg4Zv6XZzU7xpLVQyLmEIAdWhY
FZwAoIS/3/RZNuCnQ9VDJv1nm/yzZxBp
=m+Bx
-----END PGP SIGNATURE-----