Re: Question about "exec-shield"

yersinia <yersinia.spiros@xxxxxxxxx> · Wed, 20 Feb 2013 14:10:37 +0100

On Wed, Feb 20, 2013 at 12:48 PM, Maurizio Pagani Gmail <pag.maurizio@xxxxxxxxx> wrote:

Hi there,

I’ve a question about “exec-shield”, pratically, in some servers SELinux it’s Disabled, but I see that “exec-shield” is enabled:

******************************************
[root@app12trnr TSCM]# sysctl -a|grep -i exec
kernel.exec-shield = 1
[root@app12trnr TSCM]# sestatus
SELinux status:                 disabled
******************************************

-          Now, the question is: also if SELinux is Disabled, the exec-shield works normally? And if the answer is “yes”, with wich criteria the exec-shield block an application to write on memory?
-          Because I think that only SELinux can manage “exec-shield” for decide with wich criteria can block something to write on memory. Because I saw that there is “process object class” with some permissions that specify proper “execheap, execstack, and go on”  for manage “allow/deny”.

IMHO, not so. SELinux supplements Exec Shield by providing policy control over mmap/mprotect with PROT_EXEC, enabling one to control the ability to make executable
mappings that are writable.

http://people.redhat.com/drepper/nonselsec.pdf 
http://people.redhat.com/drepper/selinux-mem.html 

Here another good explanation http://www.redhat.com/archives/fedora-selinux-list/2005-December/msg00062.html

I hope I was clear with the question.
Thanks in advance,

Maurizio Pagani

--

selinux mailing list

selinux@xxxxxxxxxxxxxxxxxxxxxxx

https://admin.fedoraproject.org/mailman/listinfo/selinux

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux