11-03-2009, 08:31 PM
Mike Cloaked

A question about allow_unconfined_mmap_low in f11 and selinux

For people running wine or Crossover and using MS Office 2003 and related codes
it is necessary to do:
# setsebool -P allow_unconfined_mmap_low 1
To prevent AVC denials.

However there is recent publicity at
http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability/
which highlights that there is still a vulnerability in the kernel if this is
set.

For people running f11 with this boolean set how can one run wine and still
remain secure? i.e. what should an admin do to protect the system?

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 
11-03-2009, 08:35 PM
Adam Jackson

A question about allow_unconfined_mmap_low in f11 and selinux

On Tue, 2009-11-03 at 21:31 +0000, Mike Cloaked wrote:
> For people running wine or Crossover and using MS Office 2003 and related codes
> it is necessary to do:
> # setsebool -P allow_unconfined_mmap_low 1
> To prevent AVC denials.
>
> However there is recent publicity at
> http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability/
> which highlights that there is still a vulnerability in the kernel if this is
> set.
>
> For people running f11 with this boolean set how can one run wine and still
> remain secure? i.e. what should an admin do to protect the system?

You can't.

If I'm being slightly less flip: run wine in a kvm instance with selinux
disabled, forward X to the host.

- ajax
 
11-04-2009, 01:45 PM
Daniel J Walsh

A question about allow_unconfined_mmap_low in f11 and selinux

On 11/03/2009 04:35 PM, Adam Jackson wrote:
> On Tue, 2009-11-03 at 21:31 +0000, Mike Cloaked wrote:
>> For people running wine or Crossover and using MS Office 2003 and related codes
>> it is necessary to do:
>> # setsebool -P allow_unconfined_mmap_low 1
>> To prevent AVC denials.
>>
>> However there is recent publicity at
>> http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability/
>> which highlights that there is still a vulnerability in the kernel if this is
>> set.
>>
>> For people running f11 with this boolean set how can one run wine and still
>> remain secure? i.e. what should an admin do to protect the system?
>
> You can't.
>
> If I'm being slightly less flip: run wine in a kvm instance with selinux
> disabled, forward X to the host.
>
> - ajax
>

You can run with SELinux in enforcement.

mmap_low_allowed is the name of the boolean moving forward.

 
11-09-2009, 07:15 PM
Justin

A question about allow_unconfined_mmap_low in f11 and selinux

On Mon, Nov 9, 2009 at 2:40 PM, Mike Cloaked <mike.cloaked@gmail.com> wrote:
> Eric Paris <eparis <at> redhat.com> writes:
>
>> > I have Crossover installed and not wine, and just checked:
>> > [mike <at> home1 ~]$ cat /proc/sys/vm/mmap_min_addr
>> > 65536
>> >
>> > This is an f11 box. I also set the boolean by doing
>> > # setsebool -P allow_unconfined_mmap_low 1
>>
>> Bad news! For maximum protection would want that bool off. You do not
>> want to ALLOW unconfined to mmap low memory.
>>
>> -Eric
>
> Many thanks Eric - I just tried unsetting the boolean -
> # setsebool -P allow_unconfined_mmap_low 0
>
> Excel and Word 2003 still run in Crossover after resetting it without AVCs
> popping up - I will unset it in the other machines where I have this also -
> I guess selinux policy may have changed so that setting it as I did originally
> is no longer necessary.

Really? For me there is no "allow_unconfined_mmap_low" at all and I'm
definitely still getting the error with any Wine application with
mmap_low_allowed set to 0.

selinux-policy-3.6.32-41.fc12.noarch

 
11-09-2009, 08:24 PM
Daniel J Walsh

A question about allow_unconfined_mmap_low in f11 and selinux

On 11/09/2009 03:15 PM, Justin wrote:
> On Mon, Nov 9, 2009 at 2:40 PM, Mike Cloaked <mike.cloaked@gmail.com> wrote:
>> Eric Paris <eparis <at> redhat.com> writes:
>>
>>>> I have Crossover installed and not wine, and just checked:
>>>> [mike <at> home1 ~]$ cat /proc/sys/vm/mmap_min_addr
>>>> 65536
>>>>
>>>> This is an f11 box. I also set the boolean by doing
>>>> # setsebool -P allow_unconfined_mmap_low 1
>>>
>>> Bad news! For maximum protection would want that bool off. You do not
>>> want to ALLOW unconfined to mmap low memory.
>>>
>>> -Eric
>>
>> Many thanks Eric - I just tried unsetting the boolean -
>> # setsebool -P allow_unconfined_mmap_low 0
>>
>> Excel and Word 2003 still run in Crossover after resetting it without AVCs
>> popping up - I will unset it in the other machines where I have this also -
>> I guess selinux policy may have changed so that setting it as I did originally
>> is no longer necessary.
>
> Really? For me there is no "allow_unconfined_mmap_low" at all and I'm
> definitely still getting the error with any Wine application with
> mmap_low_allowed set to 0.
>
> selinux-policy-3.6.32-41.fc12.noarch
>
The name has changed between RHEL5 - allow_unconfined_mmap_low and F12 - mmap_low_allowed

The meaning has also changed

in RHEL5

unconfined domains are allowed to mmap_low if the boolean is set. vbetool and wine are allowed whether or not the boolean is set.

In F12
No domains are allowed to mmap_low unless the boolean is set. If it is set wine, vbetool and unconfined domains are allowed to mmap_zero.

One of you is running wine in RHEL5 which is allowed to mmap_zero without the boolean. We changed this in F12 so that wine will break without the boolean set.

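A posture check written around the two boolean names Dan describes above (added here; it is not code from the list, from Fedora or from the SELinux tools). It assumes the `name --> on|off` line format of `getsebool -a` and, following Dan's description, reports a host as exposed when the low-mmap boolean is on (or when the kernel's mmap_min_addr is 0, so no low pages are reserved at all) and as protected when the boolean is off with a non-zero mmap_min_addr.

```shell
#!/bin/sh
# Added example: classify a host's low-memory mmap posture from the text of
# `getsebool -a` and the value of /proc/sys/vm/mmap_min_addr, handling both
# the RHEL5/F11 name (allow_unconfined_mmap_low) and the F12 name
# (mmap_low_allowed). Prints protected, exposed or unknown.

# mmap_low_posture <getsebool -a output> <mmap_min_addr value>
mmap_low_posture() {
    sebools=$1
    min_addr=$2
    # Take whichever of the two boolean names the installed policy provides.
    bool_line=$(printf '%s\n' "$sebools" \
        | grep -E '^(allow_unconfined_mmap_low|mmap_low_allowed) --> ' \
        | head -n 1)
    if [ -z "$bool_line" ]; then
        echo unknown          # neither boolean present: policy not recognised
        return 2
    fi
    state=${bool_line##* }    # trailing word of "name --> on|off"
    case $min_addr in
        ''|*[!0-9]*) echo unknown; return 2 ;;   # not a sysctl value
        0)           echo exposed; return 1 ;;   # kernel reserves no low pages
    esac
    case $state in
        on)  echo exposed;   return 1 ;;   # domains may map low addresses
        off) echo protected; return 0 ;;
        *)   echo unknown;   return 2 ;;
    esac
}

# Live use on a real host (assumed commands, left commented so the script runs offline):
# mmap_low_posture "$(getsebool -a)" "$(cat /proc/sys/vm/mmap_min_addr)"

# Constructed sample inputs mirroring the thread: Mike's F11 box with the
# boolean set, and an F12 box with the renamed boolean left off.
SAMPLE_BOOLS_F11='allow_execmem --> on
allow_unconfined_mmap_low --> on
allow_user_mysql_connect --> off'
SAMPLE_BOOLS_F12='allow_execmem --> on
mmap_low_allowed --> off'

printf 'F11 sample (boolean on, min_addr 65536): %s\n' \
    "$(mmap_low_posture "$SAMPLE_BOOLS_F11" 65536)"
printf 'F12 sample (boolean off, min_addr 65536): %s\n' \
    "$(mmap_low_posture "$SAMPLE_BOOLS_F12" 65536)"
```

On an F12 box where wine needs the boolean, the check will report exposed whenever wine is working, which is exactly the trade-off the thread describes.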
 
11-10-2009, 07:59 AM
Mike Cloaked

A question about allow_unconfined_mmap_low in f11 and selinux

Daniel J Walsh <dwalsh <at> redhat.com> writes:

> > definitely still getting the error with any Wine application with
> > mmap_low_allowed set to 0.
> >
> > selinux-policy-3.6.32-41.fc12.noarch
> >
> The name has changed between RHEL5 - allow_unconfined_mmap_low
> and F12 - mmap_low_allowed
>
> The meaning has also changed
>
> in RHEL5
>
> unconfined domains are allowed to mmap_low if the boolean is set. vbetool
> and wine are allowed whether or
> not the boolean is set.
>
> In F12
> No domains are allowed to mmap_low unless the boolean is set. If it is
> set wine, vbetool and unconfined
> domains are allowed to mmap_zero.
>
> One of you is running wine in RHEL5 which is allowed to mmap_zero without
> the boolean. We changed this in F12
> so that wine will break without the boolean set.

Thank you for that clarification Dan.

By the way I entered a private ticket at the Crossover site (hence not
publicly visible), and have been told that their devs are currently
already looking at this issue to try to see if the problem can be
worked around in a new version of Crossover, which will presumably
also be made available to newer versions of wine if a solution can be found.

 
11-10-2009, 09:36 AM
Mike Cloaked

A question about allow_unconfined_mmap_low in f11 and selinux

Daniel J Walsh <dwalsh <at> redhat.com> writes:


> The name has changed between RHEL5 - allow_unconfined_mmap_low and F12 - mmap_low_allowed
>
> The meaning has also changed
>
> in RHEL5
>
> unconfined domains are allowed to mmap_low if the boolean is set. vbetool
> and wine are allowed whether or
> not the boolean is set.
>
> In F12
> No domains are allowed to mmap_low unless the boolean is set. If it is
> set wine, vbetool and unconfined
> domains are allowed to mmap_zero.
>
> One of you is running wine in RHEL5 which is allowed to mmap_zero without
> the boolean. We changed this in F12
> so that wine will break without the boolean set.

There is an interesting thing I just found - in F11 without the bool set I can
run MS Word 2003 in Crossover (i.e. effectively wine) and open a .doc file
without any AVC popping up.

However from a webmail interface opened in Firefox, and clicking on a .doc
attachment, trying to open it via an association link to Word 2003 in Crossover
immediately gives an AVC denial for wine-preloader and suggests allowing the
bool! However the file does seem to open nevertheless!!
