On Sun, Dec 27, 2009 at 01:48:03PM +0100, Klaus Lichtenwalder wrote: > Hi, > > just checked to freshly installed Fedora 12 machines, and found > allow_execmem --> on > allow_execstack --> on > Is there a reason for this, as the comment in semanage strongly > discourages it? Or did I install a package that switches those booleans? I am not sure about the official reason but i think it is true that atleast execmem by unconfined_t is allowed by default. If you so desire you can switch it off. Personally i can imagine why these permissions are allowed by default for unconfined_t. unconfined_t is designed to be unconfined, thus in that theory execmem, execmod. execstack and execheap would be allowed by unrestricted processes. If you want to protect/restrict user processes, than consider defaulting to restricted user domains instead of unrestricted user domains. (just a general advise) > > Klaus > > -- > ------------------------------------------------------------------------ > Klaus Lichtenwalder, Dipl. Inform., http://lklaus.homelinux.org/Klaus/ > PGP Key fingerprint: A5C0 F73A 2C83 96EE 766B 9C62 DB6D 1258 0E9B B6D1 > > -- > fedora-selinux-list mailing list > fedora-selinux-list@xxxxxxxxxx > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Attachment:
pgpUQFMQDniQN.pgp
Description: PGP signature
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list