From: dwalsh@redhat.com (Daniel J Walsh)
Date: Fri, 03 Sep 2010 10:56:30 -0400
Subject: [refpolicy] [mmap zero conditional for unconfined patch ] 1/1]
 Allow unconfined domains to mmap low conditionally.
In-Reply-To: <4C810BE4.8070403@tresys.com>
References: <20100901155432.GA22316@localhost.localdomain>
	<4C810BE4.8070403@tresys.com>
Message-ID: <4C810C9E.8080201@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/03/2010 10:53 AM, Christopher J. PeBenito wrote:
> On 09/01/10 11:54, Dominick Grift wrote:
>> Allow unconfined domains to mmap low conditionally.
> 
> I'm very concerned about adding this to all unconfined domains, even if 
> its conditional.
> 
> Is this from the Fedora policy?
> 
>> Signed-off-by: Dominick Grift<domg472@gmail.com>
>> ---
>> :100644 100644 416e668... a1bfac5... M	policy/modules/system/unconfined.if
>>   policy/modules/system/unconfined.if |    1 +
>>   1 files changed, 1 insertions(+), 0 deletions(-)
>>
>> diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
>> index 416e668..a1bfac5 100644
>> --- a/policy/modules/system/unconfined.if
>> +++ b/policy/modules/system/unconfined.if
>> @@ -37,6 +37,7 @@ interface(`unconfined_domain_noaudit',`
>>   	kernel_unconfined($1)
>>   	corenet_unconfined($1)
>>   	dev_unconfined($1)
>> +	domain_mmap_low($1)
>>   	domain_unconfined($1)
>>   	domain_dontaudit_read_all_domains_state($1)
>>   	domain_dontaudit_ptrace_all_domains($1)
> 

Yes.  The problem is not adding it, proves to be useless.  Since an
unconfined domain can do

Download mmap_zero_breakin /tmp/
chcon -t wine_exec_t /tmp/mmap_zero_breakin
/tmp/mmap_zero_breakin

Removing this line will just cause AVC's from random wine apps and add
no security.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkyBDJ4ACgkQrlYvE4MpobPSBwCfXPwVcpNDSzXaqshzPD95Tr9J
HuYAnipz0i0ey2+08mmEcxw465ti3Z7I
=1iju
-----END PGP SIGNATURE-----