From: dwalsh@redhat.com (Daniel J Walsh)
Date: Fri, 03 Sep 2010 12:08:05 -0400
Subject: [refpolicy] [mmap zero conditional for unconfined patch ] 1/1] Allow unconfined domains to mmap low conditionally.
In-Reply-To: <4C8110DC.3010203@tresys.com>
References: <20100901155432.GA22316@localhost.localdomain> <4C810BE4.8070403@tresys.com> <4C810C9E.8080201@redhat.com> <4C8110DC.3010203@tresys.com>
Message-ID: <4C811D65.6080701@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/03/2010 11:14 AM, Christopher J. PeBenito wrote:
> On 09/03/10 10:56, Daniel J Walsh wrote:
>> On 09/03/2010 10:53 AM, Christopher J. PeBenito wrote:
>>> On 09/01/10 11:54, Dominick Grift wrote:
>>>> Allow unconfined domains to mmap low conditionally.
>>>
>>> I'm very concerned about adding this to all unconfined domains, even if
>>> it's conditional.
>>>
>>> Is this from the Fedora policy?
>>>
>>>> Signed-off-by: Dominick Grift
>>>> ---
>>>> :100644 100644 416e668... a1bfac5... M
>>>> policy/modules/system/unconfined.if
>>>> policy/modules/system/unconfined.if | 1 +
>>>> 1 files changed, 1 insertions(+), 0 deletions(-)
>>>>
>>>> diff --git a/policy/modules/system/unconfined.if
>>>> b/policy/modules/system/unconfined.if
>>>> index 416e668..a1bfac5 100644
>>>> --- a/policy/modules/system/unconfined.if
>>>> +++ b/policy/modules/system/unconfined.if
>>>> @@ -37,6 +37,7 @@ interface(`unconfined_domain_noaudit',`
>>>> kernel_unconfined($1)
>>>> corenet_unconfined($1)
>>>> dev_unconfined($1)
>>>> + domain_mmap_low($1)
>>>> domain_unconfined($1)
>>>> domain_dontaudit_read_all_domains_state($1)
>>>> domain_dontaudit_ptrace_all_domains($1)
>>>
>>
>> Yes. The problem is, not adding it proves to be useless, since an
>> unconfined domain can do
>>
>> Download mmap_zero_breakin /tmp/
>> chcon -t wine_exec_t /tmp/mmap_zero_breakin
>> /tmp/mmap_zero_breakin
>>
>> Removing this line will just cause AVCs from random wine apps and add
>> no security.
>
> That's true, assuming any of the 3 domains that have the permission are
> in the policy. However, its legitimate uses are so uncommon that I'm
> not willing to add it to unconfined. As for wine, if I recall
> correctly, you told me wine only needs it for 16-bit DOS apps, so random
> wine apps hitting this seems unlikely.
>

Every wine app complains about it, but it seems lots work without it.
Well, as well as wine apps work; after fighting with itunes for my son the other night, I remember why I hate wine...
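Review bot: The commit subject promises the access is granted "conditionally", yet the hunk adds a bare `domain_mmap_low($1)` between `dev_unconfined($1)` and `domain_unconfined($1)` with no `tunable_policy` block around it; if the condition lives inside the `domain_mmap_low` interface, the commit message should name that boolean so a reviewer can see how the permission is gated, and if it does not, the call needs to be wrapped. Since the objection in the thread is to granting this to every caller of `unconfined_domain_noaudit`, the message should also justify placing the call here rather than in the few domains (wine is the one named) that legitimately need it.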