* [refpolicy] [mmap zero conditional for unconfined patch ] 1/1] Allow unconfined domains to mmap low conditionally. @ 2010-09-01 15:54 Dominick Grift 2010-09-03 14:53 ` Christopher J. PeBenito 0 siblings, 1 reply; 5+ messages in thread From: Dominick Grift @ 2010-09-01 15:54 UTC (permalink / raw) To: refpolicy Allow unconfined domains to mmap low conditionally. Signed-off-by: Dominick Grift <domg472@gmail.com> --- :100644 100644 416e668... a1bfac5... M policy/modules/system/unconfined.if policy/modules/system/unconfined.if | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if index 416e668..a1bfac5 100644 --- a/policy/modules/system/unconfined.if +++ b/policy/modules/system/unconfined.if @@ -37,6 +37,7 @@ interface(`unconfined_domain_noaudit',` kernel_unconfined($1) corenet_unconfined($1) dev_unconfined($1) + domain_mmap_low($1) domain_unconfined($1) domain_dontaudit_read_all_domains_state($1) domain_dontaudit_ptrace_all_domains($1) -- 1.7.2.1 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100901/67528464/attachment.bin ^ permalink raw reply related [flat|nested] 5+ messages in thread
* [refpolicy] [mmap zero conditional for unconfined patch ] 1/1] Allow unconfined domains to mmap low conditionally. 2010-09-01 15:54 [refpolicy] [mmap zero conditional for unconfined patch ] 1/1] Allow unconfined domains to mmap low conditionally Dominick Grift @ 2010-09-03 14:53 ` Christopher J. PeBenito 2010-09-03 14:56 ` Daniel J Walsh 0 siblings, 1 reply; 5+ messages in thread From: Christopher J. PeBenito @ 2010-09-03 14:53 UTC (permalink / raw) To: refpolicy On 09/01/10 11:54, Dominick Grift wrote: > Allow unconfined domains to mmap low conditionally. I'm very concerned about adding this to all unconfined domains, even if its conditional. Is this from the Fedora policy? > Signed-off-by: Dominick Grift<domg472@gmail.com> > --- > :100644 100644 416e668... a1bfac5... M policy/modules/system/unconfined.if > policy/modules/system/unconfined.if | 1 + > 1 files changed, 1 insertions(+), 0 deletions(-) > > diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if > index 416e668..a1bfac5 100644 > --- a/policy/modules/system/unconfined.if > +++ b/policy/modules/system/unconfined.if > @@ -37,6 +37,7 @@ interface(`unconfined_domain_noaudit',` > kernel_unconfined($1) > corenet_unconfined($1) > dev_unconfined($1) > + domain_mmap_low($1) > domain_unconfined($1) > domain_dontaudit_read_all_domains_state($1) > domain_dontaudit_ptrace_all_domains($1) -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com ^ permalink raw reply [flat|nested] 5+ messages in thread
* [refpolicy] [mmap zero conditional for unconfined patch ] 1/1] Allow unconfined domains to mmap low conditionally. 2010-09-03 14:53 ` Christopher J. PeBenito @ 2010-09-03 14:56 ` Daniel J Walsh 2010-09-03 15:14 ` Christopher J. PeBenito 0 siblings, 1 reply; 5+ messages in thread From: Daniel J Walsh @ 2010-09-03 14:56 UTC (permalink / raw) To: refpolicy -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 09/03/2010 10:53 AM, Christopher J. PeBenito wrote: > On 09/01/10 11:54, Dominick Grift wrote: >> Allow unconfined domains to mmap low conditionally. > > I'm very concerned about adding this to all unconfined domains, even if > its conditional. > > Is this from the Fedora policy? > >> Signed-off-by: Dominick Grift<domg472@gmail.com> >> --- >> :100644 100644 416e668... a1bfac5... M policy/modules/system/unconfined.if >> policy/modules/system/unconfined.if | 1 + >> 1 files changed, 1 insertions(+), 0 deletions(-) >> >> diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if >> index 416e668..a1bfac5 100644 >> --- a/policy/modules/system/unconfined.if >> +++ b/policy/modules/system/unconfined.if >> @@ -37,6 +37,7 @@ interface(`unconfined_domain_noaudit',` >> kernel_unconfined($1) >> corenet_unconfined($1) >> dev_unconfined($1) >> + domain_mmap_low($1) >> domain_unconfined($1) >> domain_dontaudit_read_all_domains_state($1) >> domain_dontaudit_ptrace_all_domains($1) > Yes. The problem is not adding it, proves to be useless. Since an unconfined domain can do Download mmap_zero_breakin /tmp/ chcon -t wine_exec_t /tmp/mmap_zero_breakin /tmp/mmap_zero_breakin Removing this line will just cause AVC's from random wine apps and add no security. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkyBDJ4ACgkQrlYvE4MpobPSBwCfXPwVcpNDSzXaqshzPD95Tr9J HuYAnipz0i0ey2+08mmEcxw465ti3Z7I =1iju -----END PGP SIGNATURE----- ^ permalink raw reply [flat|nested] 5+ messages in thread
* [refpolicy] [mmap zero conditional for unconfined patch ] 1/1] Allow unconfined domains to mmap low conditionally. 2010-09-03 14:56 ` Daniel J Walsh @ 2010-09-03 15:14 ` Christopher J. PeBenito 2010-09-03 16:08 ` Daniel J Walsh 0 siblings, 1 reply; 5+ messages in thread From: Christopher J. PeBenito @ 2010-09-03 15:14 UTC (permalink / raw) To: refpolicy On 09/03/10 10:56, Daniel J Walsh wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 09/03/2010 10:53 AM, Christopher J. PeBenito wrote: >> On 09/01/10 11:54, Dominick Grift wrote: >>> Allow unconfined domains to mmap low conditionally. >> >> I'm very concerned about adding this to all unconfined domains, even if >> its conditional. >> >> Is this from the Fedora policy? >> >>> Signed-off-by: Dominick Grift<domg472@gmail.com> >>> --- >>> :100644 100644 416e668... a1bfac5... M policy/modules/system/unconfined.if >>> policy/modules/system/unconfined.if | 1 + >>> 1 files changed, 1 insertions(+), 0 deletions(-) >>> >>> diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if >>> index 416e668..a1bfac5 100644 >>> --- a/policy/modules/system/unconfined.if >>> +++ b/policy/modules/system/unconfined.if >>> @@ -37,6 +37,7 @@ interface(`unconfined_domain_noaudit',` >>> kernel_unconfined($1) >>> corenet_unconfined($1) >>> dev_unconfined($1) >>> + domain_mmap_low($1) >>> domain_unconfined($1) >>> domain_dontaudit_read_all_domains_state($1) >>> domain_dontaudit_ptrace_all_domains($1) >> > > Yes. The problem is not adding it, proves to be useless. Since an > unconfined domain can do > > Download mmap_zero_breakin /tmp/ > chcon -t wine_exec_t /tmp/mmap_zero_breakin > /tmp/mmap_zero_breakin > > Removing this line will just cause AVC's from random wine apps and add > no security. Thats true, assuming any of the 3 domains that have the permission are in the policy. However, it's legitimate uses are so uncommon that I'm not willing to add it to unconfined. As for wine, if I recall correctly, you told me wine only needs it for 16bit DOS apps, so random wine apps hitting this seems unlikely. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com ^ permalink raw reply [flat|nested] 5+ messages in thread
* [refpolicy] [mmap zero conditional for unconfined patch ] 1/1] Allow unconfined domains to mmap low conditionally. 2010-09-03 15:14 ` Christopher J. PeBenito @ 2010-09-03 16:08 ` Daniel J Walsh 0 siblings, 0 replies; 5+ messages in thread From: Daniel J Walsh @ 2010-09-03 16:08 UTC (permalink / raw) To: refpolicy -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 09/03/2010 11:14 AM, Christopher J. PeBenito wrote: > On 09/03/10 10:56, Daniel J Walsh wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> On 09/03/2010 10:53 AM, Christopher J. PeBenito wrote: >>> On 09/01/10 11:54, Dominick Grift wrote: >>>> Allow unconfined domains to mmap low conditionally. >>> >>> I'm very concerned about adding this to all unconfined domains, even if >>> its conditional. >>> >>> Is this from the Fedora policy? >>> >>>> Signed-off-by: Dominick Grift<domg472@gmail.com> >>>> --- >>>> :100644 100644 416e668... a1bfac5... M >>>> policy/modules/system/unconfined.if >>>> policy/modules/system/unconfined.if | 1 + >>>> 1 files changed, 1 insertions(+), 0 deletions(-) >>>> >>>> diff --git a/policy/modules/system/unconfined.if >>>> b/policy/modules/system/unconfined.if >>>> index 416e668..a1bfac5 100644 >>>> --- a/policy/modules/system/unconfined.if >>>> +++ b/policy/modules/system/unconfined.if >>>> @@ -37,6 +37,7 @@ interface(`unconfined_domain_noaudit',` >>>> kernel_unconfined($1) >>>> corenet_unconfined($1) >>>> dev_unconfined($1) >>>> + domain_mmap_low($1) >>>> domain_unconfined($1) >>>> domain_dontaudit_read_all_domains_state($1) >>>> domain_dontaudit_ptrace_all_domains($1) >>> >> >> Yes. The problem is not adding it, proves to be useless. Since an >> unconfined domain can do >> >> Download mmap_zero_breakin /tmp/ >> chcon -t wine_exec_t /tmp/mmap_zero_breakin >> /tmp/mmap_zero_breakin >> >> Removing this line will just cause AVC's from random wine apps and add >> no security. > > Thats true, assuming any of the 3 domains that have the permission are > in the policy. However, it's legitimate uses are so uncommon that I'm > not willing to add it to unconfined. As for wine, if I recall > correctly, you told me wine only needs it for 16bit DOS apps, so random > wine apps hitting this seems unlikely. > Every wine app complains about it, but it seems lots work without it. Well as well as wine apps work, after fighting with itunes for my son the other night, I remember why I hate wine... -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkyBHWUACgkQrlYvE4MpobNGwQCg4Zv6XZzU7xpLVQyLmEIAdWhY FZwAoIS/3/RZNuCnQ9VDJv1nm/yzZxBp =m+Bx -----END PGP SIGNATURE----- ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2010-09-03 16:08 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2010-09-01 15:54 [refpolicy] [mmap zero conditional for unconfined patch ] 1/1] Allow unconfined domains to mmap low conditionally Dominick Grift 2010-09-03 14:53 ` Christopher J. PeBenito 2010-09-03 14:56 ` Daniel J Walsh 2010-09-03 15:14 ` Christopher J. PeBenito 2010-09-03 16:08 ` Daniel J Walsh
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.