Re: execmem

Stephen Smalley wrote:
On Wed, 2006-01-11 at 13:56 -0600, Jason Dravet wrote:
When execstack was turned off on December 9 and execmem and execmod were turned off on December 10, several programs broke and I opened bugzilla issues for them. Now one of the programmers has contacted me about this, but now the program works. I am pretty sure the program was not fixed (I have not updated it) as suggested by http://people.redhat.com/drepper/selinux-mem.html. I think the selinux policy changed and allows the exec* access again. How can I turn off this access so the program can be fixed properly?

I tried the following command: setsebool -P allow_execmem=0 allow_execmod=0 allow_execheap=0
and this is what I got:
libsemanage.dbase_llist_set: record not found in the database
libsemanage.dbase_llist_set: could not set record value
Could not change policy booleans

I am running selinux-policy-targeted-2.1.8-3 and selinux-policy-2.1.8-3 in enforcing mode on Fedora rawhide.

Hmm...that error message needs to be more informative - only one of
those booleans is undefined (allow_execheap - there is no boolean for
it).

I agree - unfortunately this code is polymorphed, so it is not completely trivial to print information specific to the record type. I'll try to improve some of this. I guess I should add some print functions to the record method table.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
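
The failure discussed in this thread, where one undefined name makes the whole setsebool call fail without naming it, can be avoided by checking the names first. This is an added example, not part of the original messages or of libsemanage: the function names and the sample directory are constructed, and it assumes selinuxfs lists one file per boolean under its booleans directory.

```shell
#!/bin/sh
# Added example: report which names in a setsebool-style argument list are
# not defined as booleans in the loaded policy.
# Assumption: selinuxfs exposes one file per boolean under <mount>/booleans
# (/selinux/booleans on older systems, /sys/fs/selinux/booleans on current ones).

# undefined_sebools DIR name=value...
# Prints each undefined boolean name on its own line.
# Returns 0 if every name is defined, 1 if any is missing, 2 on bad input.
undefined_sebools() {
    dir=$1; shift
    [ -d "$dir" ] || { echo "no booleans directory: $dir" >&2; return 2; }
    missing=0
    for arg in "$@"; do
        name=${arg%%=*}                 # strip the "=value" part
        case $name in
            ''|*/*|.*) echo "invalid boolean name: $arg" >&2; return 2 ;;
        esac
        if [ ! -e "$dir/$name" ]; then
            printf '%s\n' "$name"
            missing=1
        fi
    done
    return $missing
}

# Constructed stand-in for the booleans directory, matching the thread:
# allow_execmem and allow_execmod exist, allow_execheap does not.
make_sample_booleans() {
    d=$(mktemp -d) || return 1
    : > "$d/allow_execmem"
    : > "$d/allow_execmod"
    printf '%s\n' "$d"
}

# Runs the check on the exact argument list from the thread.
demo() {
    d=$(make_sample_booleans) || return 1
    rc=0
    undefined_sebools "$d" allow_execmem=0 allow_execmod=0 allow_execheap=0 || rc=$?
    rm -rf "$d"
    return $rc
}
```

On a live system, pass the real booleans directory and the same arguments intended for setsebool, and only call setsebool when the function prints nothing.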
