On Fri, 2005-01-28 at 13:35, Stephen Smalley wrote:
> We should also wrap occurrences of execmem with a boolean, but a
> separate one than the execmod rules. Might also want multiple booleans,
> e.g. to allow certain programs without allowing all others.

Note: An allow_execmem boolean has been introduced into the latest upstream policy, so I expect it will show up in future Fedora policies. Hence, you may need to enable this boolean, e.g. to allow X to continue to run. In the future, I think we will want multiple such booleans so that we can allow certain domains (like X) to have this permission while prohibiting others (like user domains).

--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency