Re: allow_exec{mem,stack} default to on?

Hi,

thanks for all your answers. It's correct, if I wanted to go the secure
road, I should map all users to some (more specific) role than is the
default. Considering the situation I think I can stay with the default
rights, as they are probably laid out fine (for default use, i.e. what
I need :-) ) In the meantime, I found some BOINC jobs, that need
allow_execmem. Guess I can live with that, and will come back again when
I start my first policies or refinements of some, I do have some on
target, already, so beware ;-)

Klaus

On Sun, 2009-12-27 at 13:11 -0500, Ryan Gandy wrote:
> Hello Klaus,
> 
> Personally I'd suggest turning off exec (mem, heap, stack); mapping
> your user role to staff_u and then disallowing unconfined logins;
> turning on secure_mode and secure_mode_policyload.  setsebool -P
> <name_of_boolean> <value> should take care of that last from single
> user mode.
> 
> ---------- Forwarded message ----------
> From: Dominick Grift <domg472@xxxxxxxxx>
> Date: Sun, Dec 27, 2009 at 12:24 PM
> Subject: Re: allow_exec{mem,stack} default to on?
> To: fedora-selinux-list@xxxxxxxxxx
> 
> 
> On Sun, Dec 27, 2009 at 01:48:03PM +0100, Klaus Lichtenwalder wrote:
> 
> > Hi,
> >
> > just checked two freshly installed Fedora 12 machines, and found
> >       allow_execmem --> on
> >       allow_execstack --> on
> > Is there a reason for this, as the comment in semanage strongly
> > discourages it? Or did I install a package that switches those
> > booleans?
> 
> 
> By default SELinux is pretty permissive (much is allowed). However you
> can very much tighten the configuration.
> 
...
> 
> map all your Linux logins to confined SELinux users
> disable the unconfined module
> lock-down your booleans
> ...and much more...


-- 
------------------------------------------------------------------------ 
 Klaus Lichtenwalder, Dipl. Inform.,  http://lklaus.homelinux.org/Klaus/
 PGP Key fingerprint: A5C0 F73A 2C83 96EE 766B  9C62 DB6D 1258 0E9B B6D1
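
An added example, not part of any message in this thread: a shell script that checks `getsebool -a` and `semanage login -l` output against the settings suggested in the quoted replies. The sample input and the login name `klaus` are constructed, and `allow_execheap` is assumed to be the boolean meant by "heap".

```shell
#!/bin/sh
# Added example, not from the thread: compare boolean and login-mapping state
# against the settings suggested in the quoted replies.
# Input formats: `getsebool -a` ("name --> on|off") and `semanage login -l`.

WANT_OFF="allow_execmem allow_execheap allow_execstack"   # exec (mem, heap, stack)
WANT_ON="secure_mode secure_mode_policyload"

# stdin: getsebool -a output. Prints one line per boolean that deviates.
audit_booleans() {
    awk -v off="$WANT_OFF" -v on="$WANT_ON" '
        BEGIN {
            n = split(off, a, " "); for (i = 1; i <= n; i++) want[a[i]] = "off"
            n = split(on, b, " ");  for (i = 1; i <= n; i++) want[b[i]] = "on"
        }
        $2 == "-->" && ($1 in want) {
            seen[$1] = 1
            if ($3 != want[$1]) print $1 ": is " $3 ", suggested " want[$1]
        }
        END { for (k in want) if (!(k in seen)) print k ": not found in input" }
    ' | sort
}

# stdin: semanage login -l output. Prints logins still mapped to unconfined_u.
audit_logins() {
    awk '$2 == "unconfined_u" { print $1 ": mapped to unconfined_u" }'
}

# Constructed sample input (not captured from a real machine).
sample_booleans() {
    printf '%s\n' 'allow_execheap --> off' 'allow_execmem --> on' \
        'allow_execstack --> on' 'secure_mode --> off' 'some_other_bool --> on'
}
sample_logins() {
    printf '%s\n' 'Login Name    SELinux User    MLS/MCS Range' '' \
        '__default__   unconfined_u    s0-s0:c0.c1023' \
        'klaus         staff_u         s0-s0:c0.c1023' \
        'system_u      system_u        s0-s0:c0.c1023'
}

sample_booleans | audit_booleans
sample_logins | audit_logins
# On a live system: getsebool -a | audit_booleans; semanage login -l | audit_logins
```

A boolean missing from the input is reported rather than silently passed, since boolean names differ between policy versions.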

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list