From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 03 Sep 2010 11:14:36 -0400
Subject: [refpolicy] [mmap zero conditional for unconfined patch ] 1/1] Allow unconfined domains to mmap low conditionally.
In-Reply-To: <4C810C9E.8080201@redhat.com>
References: <20100901155432.GA22316@localhost.localdomain> <4C810BE4.8070403@tresys.com> <4C810C9E.8080201@redhat.com>
Message-ID: <4C8110DC.3010203@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/03/10 10:56, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 09/03/2010 10:53 AM, Christopher J. PeBenito wrote:
>> On 09/01/10 11:54, Dominick Grift wrote:
>>> Allow unconfined domains to mmap low conditionally.
>>
>> I'm very concerned about adding this to all unconfined domains, even if
>> it's conditional.
>>
>> Is this from the Fedora policy?
>>
>>> Signed-off-by: Dominick Grift
>>> ---
>>> :100644 100644 416e668... a1bfac5... M policy/modules/system/unconfined.if
>>> policy/modules/system/unconfined.if | 1 +
>>> 1 files changed, 1 insertions(+), 0 deletions(-)
>>>
>>> diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
>>> index 416e668..a1bfac5 100644
>>> --- a/policy/modules/system/unconfined.if
>>> +++ b/policy/modules/system/unconfined.if
>>> @@ -37,6 +37,7 @@ interface(`unconfined_domain_noaudit',`
>>> kernel_unconfined($1)
>>> corenet_unconfined($1)
>>> dev_unconfined($1)
>>> + domain_mmap_low($1)
>>> domain_unconfined($1)
>>> domain_dontaudit_read_all_domains_state($1)
>>> domain_dontaudit_ptrace_all_domains($1)
>>
>
> Yes. The problem is, not adding it proves to be useless. Since an
> unconfined domain can do
>
> Download mmap_zero_breakin /tmp/
> chcon -t wine_exec_t /tmp/mmap_zero_breakin
> /tmp/mmap_zero_breakin
>
> Removing this line will just cause AVCs from random wine apps and add
> no security.

That's true, assuming any of the 3 domains that have the permission are in the policy. However, its legitimate uses are so uncommon that I'm not willing to add it to unconfined.

As for wine, if I recall correctly, you told me wine only needs it for 16-bit DOS apps, so random wine apps hitting this seems unlikely.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
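Review bot: Nothing in this hunk is itself conditional: `domain_mmap_low($1)` is called unconditionally inside `unconfined_domain_noaudit`, so the "conditionally" in the subject must rest on a boolean inside `domain_mmap_low`, which the diff does not show and the commit message does not name. The commit message should state which tunable gates the grant and what its default is, since a reader of this change cannot tell from the hunk whether the permission is off by default. Because `unconfined_domain_noaudit` is the primitive every unconfined domain is built on, the grant also reaches all unconfined domains rather than the few that need `mmap_zero`; a narrower call made only by the domains that need it (the wine case raised in the thread) would keep the attack surface of the rest unchanged.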
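As an added example (not code from this thread or from refpolicy), the following probe shows what the permission under discussion actually gates: whether a process may map the page at virtual address 0. It assumes a Linux host; the enum and function names are the example's own. The errno split it relies on comes from the kernel's LSM ordering, where SELinux's `memprotect mmap_zero` check runs before the capability/`vm.mmap_min_addr` check, so an SELinux denial surfaces as EACCES (and logs an AVC) while the DAC floor surfaces as EPERM.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Outcome of trying to map one page at a low virtual address. */
enum mmap_low_result {
    MMAP_LOW_ALLOWED    = 0, /* the page was mapped (and released again) */
    MMAP_LOW_DENIED_LSM = 1, /* EACCES: SELinux memprotect:mmap_zero denied, AVC logged */
    MMAP_LOW_DENIED_DAC = 2, /* EPERM: below vm.mmap_min_addr without CAP_SYS_RAWIO */
    MMAP_LOW_ERROR      = 3  /* any other mmap failure */
};

/* Pure mapping from the errno left by mmap() to a verdict; 0 means success.
 * The EACCES/EPERM distinction is the kernel's: the SELinux hook returns the
 * AVC result before the capability check gets to return EPERM. */
enum mmap_low_result classify_mmap_errno(int err)
{
    if (err == 0)
        return MMAP_LOW_ALLOWED;
    if (err == EACCES)
        return MMAP_LOW_DENIED_LSM;
    if (err == EPERM)
        return MMAP_LOW_DENIED_DAC;
    return MMAP_LOW_ERROR;
}

/* Read vm.mmap_min_addr for reporting; returns -1 when /proc is unavailable. */
long read_mmap_min_addr(void)
{
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    long v = -1;
    if (!f)
        return -1;
    if (fscanf(f, "%ld", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* Attempt to place one anonymous page at `addr`. MAP_FIXED is only safe here
 * because page 0 is never part of a normal process image, so nothing can be
 * clobbered; the page is unmapped again before returning.
 * *out_errno receives mmap's errno (0 on success). */
enum mmap_low_result probe_mmap_at(unsigned long addr, int *out_errno)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)addr, page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    int err = (p == MAP_FAILED) ? errno : 0;

    if (p != MAP_FAILED)
        munmap(p, page);
    if (out_errno)
        *out_errno = err;
    return classify_mmap_errno(err);
}

int main(void)
{
    int err = 0;
    long floor = read_mmap_min_addr();
    enum mmap_low_result r = probe_mmap_at(0, &err);

    printf("vm.mmap_min_addr = %ld\n", floor);
    switch (r) {
    case MMAP_LOW_ALLOWED:
        puts("page 0 mapped: this domain can map the zero page");
        break;
    case MMAP_LOW_DENIED_LSM:
        puts("EACCES: SELinux denied memprotect mmap_zero (look for the AVC with tclass=memprotect)");
        break;
    case MMAP_LOW_DENIED_DAC:
        puts("EPERM: refused by vm.mmap_min_addr (no CAP_SYS_RAWIO); SELinux never got to decide");
        break;
    default:
        printf("mmap failed unexpectedly: %s\n", strerror(err));
    }
    return r == MMAP_LOW_ALLOWED ? 0 : 1;
}
```

Run it from the domain you are evaluating, with the boolean on and off. A report that page 0 mapped means a NULL-pointer dereference in any kernel code path reachable from that domain becomes a usable write or jump primitive, which is exactly the capability the thread is weighing against the convenience of not seeing AVCs from wine.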