diff --git a/policy/global_tunables b/policy/global_tunables index cf3a77b..56af226 100644 --- a/policy/global_tunables +++ b/policy/global_tunables @@ -103,10 +103,3 @@ gen_tunable(user_tcp_server,false) ## gen_tunable(allow_console_login,false) -## -##

-## Allow certain domains to map low memory in the kernel -##

-##
-gen_tunable(mmap_low_allowed, false) - diff --git a/policy/modules/admin/vbetool.te b/policy/modules/admin/vbetool.te index 2102bba..2758c8f 100644 --- a/policy/modules/admin/vbetool.te +++ b/policy/modules/admin/vbetool.te @@ -31,10 +31,7 @@ dev_rw_sysfs(vbetool_t) dev_rw_xserver_misc(vbetool_t) dev_rw_mtrr(vbetool_t) -domain_mmap_low_type(vbetool_t) -tunable_policy(`mmap_low_allowed',` - allow vbetool_t self:memprotect mmap_zero; -') +domain_mmap_low(vbetool_t) mls_file_read_all_levels(vbetool_t) mls_file_write_all_levels(vbetool_t) diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if index f5a9673..e10101a 100644 --- a/policy/modules/apps/wine.if +++ b/policy/modules/apps/wine.if @@ -107,10 +107,7 @@ template(`wine_role_template',` userdom_unpriv_usertype($1, $1_wine_t) userdom_manage_tmpfs_role($2, $1_wine_t) - domain_mmap_low_type($1_wine_t) - tunable_policy(`mmap_low_allowed',` - allow $1_wine_t self:memprotect mmap_zero; - ') + domain_mmap_low($1_wine_t) tunable_policy(`wine_mmap_zero_ignore',` dontaudit $1_wine_t self:memprotect mmap_zero; diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te index 51e65e7..40cbebb 100644 --- a/policy/modules/apps/wine.te +++ b/policy/modules/apps/wine.te @@ -44,10 +44,7 @@ manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t) manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t) files_tmp_filetrans(wine_t, wine_tmp_t, { file dir }) -domain_mmap_low_type(wine_t) -tunable_policy(`mmap_low_allowed',` - allow wine_t self:memprotect mmap_zero; -') +domain_mmap_low(wine_t) tunable_policy(`wine_mmap_zero_ignore',` dontaudit wine_t self:memprotect mmap_zero; ') diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if index b3da05d..c6e8ffe 100644 --- a/policy/modules/system/unconfined.if +++ b/policy/modules/system/unconfined.if 
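Review bot: The added `domain_mmap_low(vbetool_t)` line has no comment saying that it replaces an allow of `self:memprotect mmap_zero` which used to sit behind the `mmap_low_allowed` boolean (default false, removed in the global_tunables hunk). The definition of domain_mmap_low is not in the visible part of the diff, so it is an inference that it grants the permission unconditionally. If it does, vbetool_t may map low memory on every system and an administrator has no runtime switch left to withdraw it, which weakens the protection that the mmap_min_addr check gives against kernel NULL-dereference bugs. A line such as `# Grants self:memprotect mmap_zero unconditionally; no boolean gates this any more.` above the call would make that visible at the call site. The same applies to `domain_mmap_low($1_wine_t)` in wine.if and `domain_mmap_low(wine_t)` in wine.te.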
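Review bot: The `wine_mmap_zero_ignore` block kept directly after `domain_mmap_low($1_wine_t)` looks like it becomes a no-op, because its `dontaudit $1_wine_t self:memprotect mmap_zero;` only silences denials. If domain_mmap_low allows mmap_zero outright (its definition is not visible here), no denial is left to silence, so toggling the boolean changes nothing while its name still suggests the access is being blocked. Decide which behaviour is intended and drop the other rule, or at least add `# dontaudit below has no effect while domain_mmap_low() allows mmap_zero` above the block. wine.te carries the same pair for wine_t. The body of wine_role_template starts and ends outside the hunk.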
@@ -51,10 +51,6 @@ interface(`unconfined_domain_noaudit',` ubac_process_exempt($1) - tunable_policy(`mmap_low_allowed',` - allow $1 self:memprotect mmap_zero; - ') - tunable_policy(`allow_execheap',` # Allow making the stack executable via mprotect. allow $1 self:process execheap; @@ -68,8 +64,8 @@ interface(`unconfined_domain_noaudit',` tunable_policy(`allow_execstack',` # Allow making the stack executable via mprotect; - # execstack implies execmem; Bugzilla #211271 - allow $1 self:process { execmem execstack }; + # execstack implies execmem; + allow $1 self:process { execstack execmem }; # auditallow $1 self:process execstack; ')