On Wednesday, 30.12.2009, at 09:23 -0500, Daniel J Walsh wrote:
> allow_execmem was on by default in F12 and allow_execstack has been
> turned on by default in newer policies, although this will only happen
> on fresh installs with the new policy. Updates NEVER change boolean
> settings.

I did an install with the netinstall CD, so kind of fresh install with the new policy

> I would advise people who know what they are doing to turn off these
> booleans, but turning them on by default inflicts too much pain.
>
> allow_execmod and allow_execheap are off by default.
>
> These booleans only affect unconfined domains. So every confined
> domain will enforce the execmem and execstack access control
> regardless of their settings.

At the moment I have

allow_execheap --> off
allow_execmem --> on
allow_execmod --> off
allow_execstack --> off

As the boinc_client needs execmem. Guess I'll file a bug with them, as I'm more comfortable with this off... Which brings me to the point, I should check whether the *service* boinc (which I don't use) is running unconfined...

Interestingly I have another application, for homebanking, that's throwing the famous mmap_zero violation. Which I still don't allow and the application doesn't care... Probably lots of bugs in their code and code paths that aren't too important :-)

Klaus

--
------------------------------------------------------------------------
Klaus Lichtenwalder, Dipl. Inform., http://lklaus.homelinux.org/Klaus/
PGP Key fingerprint: A5C0 F73A 2C83 96EE 766B 9C62 DB6D 1258 0E9B B6D1
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
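
Added example (not part of the original message, and not code from the Fedora policy or its tools): a small shell audit for the two checks discussed in this thread, namely which of the four memory-protection booleans are on, and which processes run in the unconfined domain those booleans apply to. The sample inputs are constructed, the function names are hypothetical, and the script assumes that only the type unconfined_t counts as unconfined, although a policy may define further unconfined domains.

```shell
#!/bin/sh
# Constructed sample in the `getsebool -a` output format ("name --> state").
SAMPLE_BOOLS='allow_execheap --> off
allow_execmem --> on
allow_execmod --> off
allow_execstack --> off
httpd_can_network_connect --> off'

# Constructed sample in the `ps -eZ` output format (LABEL PID TTY TIME CMD).
SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:01 init
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2211 ? 00:10:42 boinc_client
system_u:system_r:sshd_t:s0-s0:c0.c1023 1490 ? 00:00:00 sshd'

# Read boolean listings on stdin; print the memory-protection booleans
# (execheap, execmem, execmod, execstack) that are currently "on".
enabled_mem_booleans() {
    awk '$1 ~ /^allow_exec(heap|mem|mod|stack)$/ && $2 == "-->" && $3 == "on" { print $1 }'
}

# Read `ps -eZ` output on stdin; print "PID CMD" for every process whose
# SELinux type (third field of the context) is unconfined_t.
# Assumption: unconfined_t is the only unconfined domain of interest.
unconfined_procs() {
    awk 'NR > 1 { split($1, ctx, ":"); if (ctx[3] == "unconfined_t") print $2, $NF }'
}

# Run against the constructed samples. On a live system, use instead:
#   getsebool -a | enabled_mem_booleans
#   ps -eZ       | unconfined_procs
echo "Memory-protection booleans that are on:"
printf '%s\n' "$SAMPLE_BOOLS" | enabled_mem_booleans
echo "Processes in unconfined_t (affected by those booleans):"
printf '%s\n' "$SAMPLE_PS" | unconfined_procs
```

A process listed by the second function is one for which an "on" boolean from the first list actually relaxes the check; processes in confined domains are governed by their own policy regardless of these settings.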