Re: allow_exec{mem,stack} default to on?

On Sun, Dec 27, 2009 at 01:48:03PM +0100, Klaus Lichtenwalder wrote:
> Hi,
> 
> just checked two freshly installed Fedora 12 machines, and found
> 	allow_execmem --> on
> 	allow_execstack --> on
> Is there a reason for this, as the comment in semanage strongly
> discourages it? Or did I install a package that switches those booleans?
I am not sure about the official reason, but I think it is true that at least execmem by unconfined_t is allowed by default.
If you so desire you can switch it off.

Personally, I can imagine why these permissions are allowed by default for unconfined_t. unconfined_t is designed to be unconfined, thus in that theory execmem, execmod, execstack and execheap would be allowed by unrestricted processes.

If you want to protect/restrict user processes, then consider defaulting to restricted user domains instead of unrestricted user domains. (just general advice)

> 
> Klaus
> 
> -- 
> ------------------------------------------------------------------------ 
>  Klaus Lichtenwalder, Dipl. Inform.,  http://lklaus.homelinux.org/Klaus/
>  PGP Key fingerprint: A5C0 F73A 2C83 96EE 766B  9C62 DB6D 1258 0E9B B6D1
> 



> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Attachment: pgpUQFMQDniQN.pgp
Description: PGP signature
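
An added example, not part of the original thread: a small audit that reads `getsebool -a` style output, reports which memory-protection booleans are on, and prints the persistent `setsebool -P` commands that would switch them off. The function names and the sample input are constructed for illustration; `allow_execheap` and `allow_execmod` are included on the assumption that the installed policy defines them alongside the two booleans quoted in the post.

```shell
#!/bin/sh
# Booleans to audit: the two quoted in the post, plus the execheap/execmod
# counterparts (assumption: the installed policy defines these names).
MEM_BOOLEANS="allow_execmem allow_execstack allow_execheap allow_execmod"

# audit_exec_booleans: read lines of the form "name --> on|off" on stdin
# (the format shown in the post) and print each audited boolean that is on.
audit_exec_booleans() {
    while read -r name arrow state; do
        # Skip anything that is not a "name --> state" line.
        [ "$arrow" = "-->" ] || continue
        for b in $MEM_BOOLEANS; do
            if [ "$name" = "$b" ] && [ "$state" = "on" ]; then
                printf '%s\n' "$name"
            fi
        done
    done
}

# remediation_commands: turn the audit result into setsebool calls.
# -P makes the change persistent across reboots. The commands are only
# printed, so they can be reviewed before anyone runs them as root.
remediation_commands() {
    audit_exec_booleans | while read -r name; do
        printf 'setsebool -P %s off\n' "$name"
    done
}

# Constructed sample input, mirroring the state reported in the post.
SAMPLE_GETSEBOOL='allow_execheap --> off
	allow_execmem --> on
allow_execmod --> off
	allow_execstack --> on
httpd_can_network_connect --> off'

sample() { printf '%s\n' "$SAMPLE_GETSEBOOL"; }

# Offline demonstration on the sample; on a real system use:
#   getsebool -a | remediation_commands
sample | remediation_commands
```

Switching these off affects every process in the unconfined domain that relies on executable memory or stack, so check for resulting AVC denials after applying the printed commands.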
