Kamil wrote:
Hello everybody
Forgive me if this subject has already been mentioned here, but I
simply couldn't find an answer anywhere.
A few days ago I started system-config-securitylevel. I found something
interesting in "Modify SELinux policies": a memory protection section with
four options in it. Two of them are enabled, with a description saying
that if having this enabled is required by some program, it should be
reported to bugzilla. I didn't do it, because of the very strange effects
after turning it off.
Disabling
"Allow all executable files to map memory areas as executable and
readable, which is dangerous and such program should be reported to
bugzilla"
and
"Allow all executable files to mark stack as executable. That shouldn't
ever be required"
options (translation from Polish) made the system act very strangely. The first
thing I observed was that the Kobo game stopped working. GMPC stopped
playing. Also stuff outside of Fedora like Java and the NVidia drivers
failed. So I would have to "report to bugzilla" too many applications for
it to make any sense. Such bug reports would only be annoying, but
according to system-config-securitylevel...
Java applications can be labeled java_exec_t (chcon -t java_exec_t
PATHTOAPP). Please tell me the path of these apps, so I can set them to
default, which will allow them to have this priv. NVidia should be
told to fix their drivers. (Or open source them, their choice :^))
These memory checks are described here
SELinux Memory Protection Tests
<http://people.redhat.com/%7Edrepper/selinux-mem.html>
The goal is to move towards eliminating Writable/Executable memory to
help protect systems.
For now if you can run with these checked off, you are more secure. We
realize that lots of apps are either broken or not labeled correctly.
So we need to get the app vendors to fix their apps and to fix the
labeling when it is wrong in SELinux.
What is it with these two options? To make everything work properly they
should be enabled, but their description saying that they should be disabled is
confusing.
Thank you, and forgive me any mess I've made with this post.
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
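As an added example, not code from this thread or from Fedora, here is a small POSIX shell triage of the denials these two options produce when disabled: it pulls execmem/execstack AVC denials out of audit-log lines and prints, per program, the remediation the reply above recommends. The audit lines are constructed, and the boolean names allow_execmem/allow_execstack and the /PATH/TO placeholder are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): triage SELinux memory-protection
# denials in audit log lines. Assumes the Fedora-era boolean names allow_execmem
# and allow_execstack, and the java_exec_t type mentioned in the reply.

# Constructed sample audit lines; only the first two are memory-protection denials.
SAMPLE_AVC='type=AVC msg=audit(1135000000.123:45): avc:  denied  { execmem } for  pid=1234 comm="java" scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=process
type=AVC msg=audit(1135000001.456:46): avc:  denied  { execstack } for  pid=1300 comm="gmpc" scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=process
type=AVC msg=audit(1135000002.789:47): avc:  denied  { read } for  pid=1400 comm="httpd" name="index.html" scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file'

# mem_denials LINES: print "comm permission" for each execmem/execstack/execmod/execheap denial.
mem_denials() {
  printf '%s\n' "$1" | awk '
    /avc: *denied/ && /[{] (execmem|execstack|execmod|execheap) [}]/ {
      match($0, /[{] [a-z]+ [}]/);  perm = substr($0, RSTART + 2, RLENGTH - 4)
      match($0, /comm="[^"]*"/);    comm = substr($0, RSTART + 6, RLENGTH - 7)
      print comm, perm
    }'
}

# boolean_for PERM: the SELinux boolean that globally re-allows this permission (assumed names).
boolean_for() {
  case "$1" in
    execmem)   echo allow_execmem ;;
    execstack) echo allow_execstack ;;
    *)         echo "allow_$1" ;;   # execmod / execheap follow the same naming
  esac
}

# advice COMM PERM: print the remediation the reply recommends for this program.
advice() {
  case "$1" in
    java) echo "label the binary: chcon -t java_exec_t /PATH/TO/$1 (placeholder path, fill in yours)" ;;
    *)    echo "report $1 to its vendor/bugzilla; last resort: setsebool $(boolean_for "$2") 1 (weakens W^X system-wide)" ;;
  esac
}

# report LINES: one line of advice per memory-protection denial found.
report() {
  mem_denials "$1" | while read -r comm perm; do
    echo "$comm needs $perm: $(advice "$comm" "$perm")"
  done
}

report "$SAMPLE_AVC"
```

On a real system feed it `ausearch -m AVC` output (or /var/log/audit/audit.log) instead of the constructed sample; the read denial for httpd is deliberately ignored because it is not a memory-protection check.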