Personally I'd suggest turning off exec (mem, heap, stack); mapping your user role to staff_u and then disallowing unconfined logins; turning on secure_mode and secure_mode_policyload. setsebool -P <name_of_boolean> <value> should take care of that last from single user mode.
---------- Forwarded message ----------
From: Dominick Grift <domg472@xxxxxxxxx>
Date: Sun, Dec 27, 2009 at 12:24 PM
Subject: Re: allow_exec{mem,stack} default to on?
To: fedora-selinux-list@xxxxxxxxxx
On Sun, Dec 27, 2009 at 01:48:03PM +0100, Klaus Lichtenwalder wrote:
> Hi,
>
> just checked to freshly installed Fedora 12 machines, and found
> allow_execmem --> on
> allow_execstack --> on
> Is there a reason for this, as the comment in semanage strongly
> discourages it? Or did I install a package that switches those booleans?
By default SELinux is pretty permissive (much is allowed). However, you can very much tighten the configuration.
A few things to do:
map all your Linux logins to confined SELinux users
disable the unconfined module
lock-down your booleans
...and much more...
>
> Klaus
>
> --
> ------------------------------------------------------------------------
> Klaus Lichtenwalder, Dipl. Inform., http://lklaus.homelinux.org/Klaus/
> PGP Key fingerprint: A5C0 F73A 2C83 96EE 766B 9C62 DB6D 1258 0E9B B6D1
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
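As an added example (not from the thread or its authors), a POSIX shell helper that turns the advice above into an audit: it compares `getsebool -a` and `semanage login -l` output against the states the thread recommends and prints the `setsebool -P` / `semanage login -m` commands needed to get there. The sample outputs are constructed, and the boolean names are the Fedora 12 era ones quoted in the thread, so adjust them for newer policies.

```shell
#!/bin/sh
# Audit helper for the lockdown steps discussed in the thread:
# exec booleans off, secure_mode* on, logins mapped to a confined user.
# Constructed sample output (not captured from a real host) stands in for
# `getsebool -a` and `semanage login -l` so the script runs offline.
SAMPLE_GETSEBOOL='allow_execheap --> off
allow_execmem --> on
allow_execstack --> on
secure_mode --> off
secure_mode_policyload --> off'

SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range
__default__          unconfined_u         s0-s0:c0.c1023
root                 unconfined_u         s0-s0:c0.c1023
system_u             system_u             s0-s0:c0.c1023'

# Desired boolean states (names as they appear in the thread, Fedora 12 era).
WANT_BOOLEANS='allow_execheap off
allow_execmem off
allow_execstack off
secure_mode on
secure_mode_policyload on'

# audit_booleans GETSEBOOL_OUTPUT
# Prints one "setsebool -P <name> <state>" per boolean not at its desired state.
audit_booleans() {
    printf '%s\n' "$WANT_BOOLEANS" | while read -r name want; do
        have=$(printf '%s\n' "$1" | awk -v n="$name" '$1 == n { print $3 }')
        if [ -z "$have" ]; then
            echo "# $name not present in this policy" >&2
        elif [ "$have" != "$want" ]; then
            echo "setsebool -P $name $want"
        fi
    done
}

# audit_logins SEMANAGE_LOGIN_OUTPUT [confined_user]
# Prints "semanage login -m -s <user> <login>" for every Linux login
# (including the __default__ entry) still mapped to unconfined_u.
audit_logins() {
    target=${2:-staff_u}
    printf '%s\n' "$1" | awk -v t="$target" \
        'NR > 1 && $2 == "unconfined_u" { print "semanage login -m -s " t " " $1 }'
}

# Stand-alone run: print the remediation commands for the sample data.
audit_booleans "$SAMPLE_GETSEBOOL"
audit_logins "$SAMPLE_LOGINS"
```

Review the printed commands before running them: remapping root and `__default__` to staff_u only works if you can still reach sysadm_r for administration, which is why the reply above suggests doing the boolean changes from single-user mode.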