Bug 511143 - selinux policy allows addr 0 mappings by default
Summary: selinux policy allows addr 0 mappings by default
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.3
Hardware: All
OS: Linux
Target Milestone: rc
: ---
Assignee: Daniel Walsh
QA Contact: BaseOS QE
Depends On: 444133
Blocks: 512605 CVE-2009-2695
TreeView+ depends on / blocked
Reported: 2009-07-13 21:18 UTC by Daniel Walsh
Modified: 2012-10-15 14:15 UTC (History)
14 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 444133
: 512605 (view as bug list)
Last Closed: 2009-09-02 07:58:15 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2009:1242 normal SHIPPED_LIVE selinux-policy bug fix update 2009-09-01 08:32:34 UTC

Comment 1 Daniel Walsh 2009-07-13 21:19:55 UTC
I have a fix for this in selinux-policy-2.4.6-252.el5

Comment 10 Eugene Teo (Security Response) 2009-07-17 10:53:30 UTC
The default SELinux policy allows processes in the unconfined domains to map low memory in the kernel. We are updating the selinux-policy package to allow the user to set the allow_unconfined_mmap_low boolean, and to prevent unconfined_t from being able to map low memory in the kernel. No Relabel or Reboot required.

Comment 14 Eugene Teo (Security Response) 2009-07-22 06:38:38 UTC
mmap_min_addr on SELinux and non-SELinux systems

Confining the unconfined. Oxymoron?

Comment 15 Tomas Hoger 2009-07-22 08:07:08 UTC
Dan Walsh's blog post mentioned in the previous comment details selinux-policy part of the issue tracked via bug #512284.  As noted in the the blog, selinux-policy provides a boolean - allow_unconfined_mmap_low - which controls whether mmap_min_addr restriction is applied to the process.  This boolean, however, did not work as expected, as unconfined_t domain (default domain for logged-in unprivileged users) was always permitted to map low memory pages regardless of the boolean setting.  This problem with the boolean is being fixed and the fix will be included in future selinux-policy updates in RHEL5 and Fedora (see Dan's blog for NVRs).

Few notes specific to Red Hat Enterprise Linux 5:
Support for mmap_min_addr sysctl was not included in the GA version of RHEL5.  It was only added in kernel update in 5.2 (it first appeared upstream in 2.6.24).  selinux-policy was, to avoid breaking applications needing low memory pages mapping on upgrade from 5.1 to 5.2, configured to allow mmap_zero in unconfined domains and only disallow it in confined domains (e.g. various network facing services).  In 5.3, allow_unconfined_mmap_low boolean was added, but it's default value for targeted policy was changed to on, i.e. allowing mmap_zero in all unconfined domains by default.  This default boolean value is planned to remain unchanged in 5.4.

It should also be noted, that even with allow_unconfined_mmap_low boolean set to off, it is still possible for unconfined_t user to transition to other domain that is permitted to mmap_zero, as details in the Dan's blog post.  Upstream discussion on how to best address this issue is still ongoing.

Eric's proposed patches moving mmap_min_addr check out of security were submitted.  If they are accepted upstream, mmap_min_addr will be checked before LSM hooks are called.  Security modules will only be consulted if mmap_min_addr check has passed (e.g. when mmap_min_addr is 0), so SELinux may still be able to restrict mapping of the low pages / zero page for confined domains and permit mapping in unconfined, even when mmap_min_addr is 0.

Eric's patches with further discussion:

Updated version:

Comment 16 Tomas Hoger 2009-07-22 09:15:35 UTC
Further discussion of the proposed change:

Comment 20 Tomas Hoger 2009-08-25 09:37:48 UTC
Related knowledge base article:

Bug tracking addition of Eric's changes to perform mmap_min_addr as root-based check instead of SELinux policy only based check - bug #517830.

Comment 21 errata-xmlrpc 2009-09-02 07:58:15 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.