Re: Question about "exec-shield"


 



On Wed, Feb 20, 2013 at 12:48 PM, Maurizio Pagani Gmail <pag.maurizio@xxxxxxxxx> wrote:

Hi there,

 

I have a question about “exec-shield”. Practically, on some servers SELinux is disabled, but I see that “exec-shield” is enabled:

 

******************************************
[root@app12trnr TSCM]# sysctl -a|grep -i exec
kernel.exec-shield = 1
[root@app12trnr TSCM]# sestatus
SELinux status:                 disabled
******************************************

 

- Now, the question is: even if SELinux is disabled, does exec-shield work normally? And if the answer is “yes”, by which criteria does exec-shield block an application from writing to memory?

- Because I think that only SELinux can manage “exec-shield” and decide by which criteria something is blocked from writing to memory. I saw that there is a “process object class” with some permissions, such as “execheap, execstack, and so on”, to manage “allow/deny”.


IMHO, not so. SELinux supplements Exec Shield by providing policy control over mmap/mprotect with PROT_EXEC, enabling one to control the ability to make executable mappings that are writable.

http://people.redhat.com/drepper/nonselsec.pdf 
http://people.redhat.com/drepper/selinux-mem.html 

Here is another good explanation: http://www.redhat.com/archives/fedora-selinux-list/2005-December/msg00062.html

 

I hope I was clear with the question.

Thanks in advance,

 

Maurizio Pagani

 

 

 

 


--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
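
Added example, not part of the original thread: a small C probe that makes the mmap/mprotect requests for writable and executable memory that the reply says SELinux puts under policy control, and reports whether the running host allows each one. The function names (probe_anon, probe_heap, probe_stack) are hypothetical, and the pairing of each probe with the execmem, execheap and execstack permissions is as described in the selinux-mem document linked above; results depend on the kernel and policy of the machine it runs on.

```c
/* Added example: asks the kernel for W+X memory three ways and reports errno. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* for sbrk() and MAP_ANONYMOUS */
#endif
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#define RW  (PROT_READ | PROT_WRITE)
#define RWX (PROT_READ | PROT_WRITE | PROT_EXEC)

/* Anonymous mapping created with `prot`; W+X here is what execmem governs. */
int probe_anon(int prot) {
    size_t ps = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, ps, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return errno;
    munmap(p, ps);
    return 0;
}

/* mprotect() one page to `prot`, then put it back to RW. Returns 0 or errno. */
static int flip(void *page, size_t ps, int prot) {
    if (mprotect(page, ps, prot) != 0) return errno;
    return mprotect(page, ps, RW) ? errno : 0;
}

/* A page inside the brk heap; making it executable is what execheap governs. */
int probe_heap(int prot) {
    size_t ps = (size_t)sysconf(_SC_PAGESIZE);
    uintptr_t brk0 = (uintptr_t)sbrk(0);
    uintptr_t page = (brk0 + ps - 1) & ~(uintptr_t)(ps - 1);   /* align up */
    if (sbrk((intptr_t)(page - brk0 + ps)) == (void *)-1) return errno;
    return flip((void *)page, ps, prot);
}

/* The page holding a local variable; on the main thread, execstack governs it. */
int probe_stack(int prot) {
    size_t ps = (size_t)sysconf(_SC_PAGESIZE);
    volatile char here = 0;
    return flip((void *)((uintptr_t)&here & ~(uintptr_t)(ps - 1)), ps, prot);
}

int main(void) {
    /* strerror(0) prints "Success", i.e. the request was allowed. */
    printf("anon  W+X (execmem):   %s\n", strerror(probe_anon(RWX)));
    printf("heap  W+X (execheap):  %s\n", strerror(probe_heap(RWX)));
    printf("stack W+X (execstack): %s\n", strerror(probe_stack(RWX)));
}
```

On a host where SELinux is disabled all three requests are normally granted; a "Permission denied" line points to a policy denial, which shows up as an AVC record for the matching permission in the audit log.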
