[DSE-Dev] looking for help testing selinux/kernel security fix
dann frazier
dannf at debian.org
Tue Oct 20 21:42:53 UTC 2009
We have a new kernel security update in preparation which includes the
following fix:
* selinux: prevent local users from bypassing mmap_min_addr
in unconfined domains (CVE-2009-2695)
These fixes are pretty well described here and in the blog entries it
references:
http://kbase.redhat.com/faq/docs/DOC-18042
Is there someone on this list who can test this kernel in an SELinux
environment for me? Builds for most architectures are available here:
http://kernel.debian.net/debian lenny-proposed-security updates main
Sorry, this archive is not signed - but these files are hosted on
alioth if you'd rather scp.
A good test would be to bump /proc/sys/vm/mmap_min_addr to 4096 and
try and start dosemu as an unconfined user (this should fail), and to
verify that it does work if mmap_min_addr is 0 (the current
default). I'm an SELinux novice, so there maybe other useful tests you
can think up.
--
dann frazier
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/selinux-devel/attachments/20091020/26c07489/attachment.pgp>
More information about the SELinux-devel
mailing list