512605 – selinux policy allows addr 0 mappings by default

Bug 512605 - selinux policy allows addr 0 mappings by default

Summary: selinux policy allows addr 0 mappings by default

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	rawhide
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Daniel Walsh
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:	511143
Blocks:
TreeView+	depends on / blocked

Reported:	2009-07-19 19:18 UTC by Rahul Sundaram
Modified:	2013-03-13 05:45 UTC (History)
CC List:	14 users (show)
Fixed In Version:
Clone Of:	511143
Environment:
Last Closed:	2009-07-20 20:38:43 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Rahul Sundaram 2009-07-19 19:18:08 UTC

+++ This bug was initially created as a clone of Bug #511143 +++

I have a fix for this in selinux-policy-2.4.6-252.el5

--- Additional comment from eteo on 2009-07-17 06:53:30 EDT ---

The default SELinux policy allows processes in the unconfined domains to map low memory in the kernel. We are updating the selinux-policy package to allow the user to set the allow_unconfined_mmap_low boolean, and to prevent unconfined_t from being able to map low memory in the kernel. No Relabel or Reboot required.

Comment 1 Daniel Walsh 2009-07-20 20:38:43 UTC

Fixed in selinux-policy-3.6.22-2.fc12

Comment 2 Rahul Sundaram 2009-07-20 20:50:18 UTC

Dan,

I think you should push the policy update to Fedora 11 and Fedora 10 as well.

Comment 3 Daniel Walsh 2009-07-21 01:22:49 UTC

Miroslav is preparing updates for F10 and F11.

Note You need to log in before you can comment on or make changes to this bug.