On 12/30/2009 09:52 AM, Klaus Lichtenwalder wrote:
> On Wednesday, 30.12.2009, at 09:23 -0500, Daniel J Walsh wrote:
>
>> allow_execmem was on by default in F12 and allow_execstack has been
>> turned on by default in newer policies, although this will only happen
>> on fresh installs with the new policy. Updates NEVER change boolean
>> settings.
>
> I did an install with the netinstall CD, so kind of fresh install with
> the new policy
>>
>> I would advise people who know what they are doing to turn off these
>> booleans, but turning them on by default inflicts too much pain.
>>
>> allow_execmod and allow_execheap are off by default.
>>
>> These booleans only affect unconfined domains. So every confined
>> domain will enforce the execmem and execstack access control
>> regardless of their settings.
>
> At the moment I have
> allow_execheap --> off
> allow_execmem --> on
> allow_execmod --> off
> allow_execstack --> off
>
> As the boinc_client needs execmem. Guess I'll file a bug with them, as
> I'm more comfortable with this off...
>
> Which brings me to the point, I should check whether the *service* boinc
> (which I don't use) is running unconfined...
>
> Interestingly I have another application, for homebanking, that's
> throwing the famous mmap_zero violation. Which I still don't allow and
> the application doesn't care... Probably lots of bugs in their code and
> code paths that aren't too important :-)
>

Is this a wine application? Wine seems to throw this error even though it
only needs it for very old DOS type apps.

> Klaus
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
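
An added example, not part of the original thread: a shell function that reads `getsebool` output in the `name --> on|off` form quoted above and reports which of the four memory-protection booleans are relaxed or missing. The function name `audit_memprot` and the sample input are constructed here; the boolean names are the ones used in the thread.

```shell
#!/bin/sh
# Added example: audit the four memory-protection booleans from the thread.
# Input format is getsebool's: "<boolean> --> on|off", one per line.

MEMPROT_BOOLEANS="allow_execheap allow_execmem allow_execmod allow_execstack"

# Constructed sample input, mirroring the states listed in the thread.
SAMPLE='allow_execheap --> off
allow_execmem --> on
allow_execmod --> off
allow_execstack --> off'

# audit_memprot: read getsebool-style lines on stdin.
# Prints "RELAXED <name>" for each boolean that is on and
# "UNKNOWN <name>" for each one absent from the input.
# Returns 0 only when all four booleans are present and off.
audit_memprot() {
    input=$(cat)
    found_problem=0
    for b in $MEMPROT_BOOLEANS; do
        # Exact match on the name column so unrelated booleans are ignored.
        state=$(printf '%s\n' "$input" |
            awk -v b="$b" '$1 == b && $2 == "-->" { print $3; exit }')
        case "$state" in
            off) ;;
            on)  echo "RELAXED $b"; found_problem=1 ;;
            *)   echo "UNKNOWN $b"; found_problem=1 ;;
        esac
    done
    return "$found_problem"
}

# Demo on the constructed sample. On a live system the input would be:
#   getsebool -a | audit_memprot
# and a relaxed boolean can be tightened persistently with:
#   setsebool -P <boolean> off
printf '%s\n' "$SAMPLE" | audit_memprot || echo "one or more booleans need review"
```

As the thread notes, these booleans govern unconfined domains only, so a clean result here says nothing about how a confined service is restricted by its own policy.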