> On Friday 11 August 2006 16:29, Andrew Haley wrote:
> > No. It requires execmem because it really needs it.
>
> Then it really needs to be fixed. We're trying to ship with disallowing
> execmem because it's the right thing to do.

It sure isn't the "targeted" thing to do. I haven't heard the rationale for *any* SELinux checks on the "unconfined" world. I know well the rationale for why no program should want to do that, blah blah blah. No program should want to make world-writable files either, but they can. I just don't comprehend how the "targeted policy" includes any constraints on what an "untargeted" process can do to itself.

I'm all for good support for strict policy in applications, including finding the best ways for JIT-using applications to be marked appropriately without requiring constant hassle for each application's developer or packager. But that is neither here nor there (well maybe it's there, but it's not here).

The whole idea of the "targeted" policy is that it won't break your stuff that worked without SELinux. It only affects particular applications and files that are in the "targeted" list. If it weren't an important requirement that people's existing, unlabeled applications of all sorts keep working without new SELinux-specific effort, then everyone would be happy to use a strict policy.

Thanks,
Roland