On Sat, 2011-06-18 at 22:47 +0200, Göran Uddeborg wrote:

> But both of these systems are x86_64 systems.

Strange, as I never noticed these issues on any of my x86_64 systems.

> More exactly, why doesn't x86_64 need execmem? Firefox does
> apparently allocate memory that is both executable and writeable on
> x86_64 systems too.

Do not know, I was under the impression that it did not need it.

> > you can also set boolean allow_execmem to true I believe
>
> Yes, that makes firefox runnable again. But if possible I would
> prefer to have it turned off. And it does work with it turned off on
> the fresh install, so I guess there is some way to do it.

It is possible to silently deny this access, but there are issues to take into account probably. Basically much of firefox gets run in the calling user domain "on behalf of the user". Many other applications get run in the calling user domain as well. So if you would use "semodule -D .." to add a "dontaudit" rule to the policy database (a rule that says deny this but do not audit the denial), then you would potentially silently block other programs from executing writable memory as well. So you might get into a situation where some app refuses to run and you would not find any traces of it in audit.log with respect to selinux blocking its access to execmem.
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
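As an added example that is not part of the thread (the audit lines are constructed, not taken from either poster's systems): a small POSIX shell helper that summarises execmem AVC denials per process and source context, which is exactly the evidence a dontaudit rule on the user domain would remove from audit.log.

```shell
#!/bin/sh
# Added example (not from the thread): summarise execmem AVC denials per
# process so that firefox can be told apart from other programs that run in
# the same user domain. The audit lines below are constructed samples.

SAMPLE_AUDIT_LOG='type=AVC msg=audit(1308430000.123:456): avc:  denied  { execmem } for  pid=2345 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1308430001.456:457): avc:  denied  { read } for  pid=2346 comm="firefox" name="places.sqlite" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1308430002.789:458): avc:  denied  { execmem } for  pid=2400 comm="otherapp" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1308430003.000:459): avc:  denied  { execmem } for  pid=2345 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process'

# execmem_denials: stdin is raw audit log text; stdout is one line per
# distinct (comm, scontext) pair, prefixed with how often execmem was denied.
# Only "denied" records count, so auditallow "granted" records are ignored.
execmem_denials() {
    grep -F 'denied' | grep -F '{ execmem }' |
    awk '{
        comm = "?"; sctx = "?"
        for (i = 1; i <= NF; i++) {
            if (index($i, "comm=") == 1)     comm = substr($i, 6)
            if (index($i, "scontext=") == 1) sctx = substr($i, 10)
        }
        print comm, sctx
    }' | sort | uniq -c | sed 's/^ *//'
}

# count_execmem_denials: total execmem denials in the constructed sample.
count_execmem_denials() {
    printf '%s\n' "$SAMPLE_AUDIT_LOG" | execmem_denials |
        awk '{ n += $1 } END { print n + 0 }'
}

# execmem_denied_comms: space-separated, sorted list of comm values that were
# denied execmem in the sample (quotes stripped).
execmem_denied_comms() {
    printf '%s\n' "$SAMPLE_AUDIT_LOG" | execmem_denials |
        awk '{ gsub(/"/, "", $2); printf "%s%s", (NR > 1 ? " " : ""), $2 } END { print "" }'
}

# Caveat from the thread: once a dontaudit rule covers execmem for the user
# domain, none of these records are written, for firefox or anything else.
# On a real system, hidden denials can be surfaced temporarily by rebuilding
# policy with dontaudit rules disabled (semodule -DB) and re-enabled afterwards
# with semodule -B.

# Stand-alone run: print the per-process summary of the sample.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | execmem_denials
```

Pointing the same pipeline at a real log (`execmem_denials < /var/log/audit/audit.log`) separates firefox's execmem denials from those of other programs sharing the user domain, which is the ambiguity the reply above warns about.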