On Fri, 2008-09-05 at 09:49 -0400, Daniel J Walsh wrote:
> Murray McAllister wrote:
> > Daniel J Walsh wrote:
> > Murray McAllister wrote:
> >>>> Hi,
> >>>>
> >>>> The following is a draft of the "Targeted Policy" sections for the
> >>>> SELinux User Guide. Any comments and corrections are appreciated.
> >>>>
> >>>> Thanks.
> >>>>
> >>>> Targeted Policy
> >>>>
> >>>> Targeted policy is the default SELinux policy used in Fedora 10. When
> >>>> using targeted policy, subjects that are targeted run in their own
> >>>> domain type, and subjects that are not targeted run in the unconfined_t
> > confined domain, and subjects that are not targeted run in an unconfined
> > domain. For example, logged in users by default log in as unconfined_t
> > while system processes started by init run in initrc_t. Both of these
> > domains are unconfined.
> >
> > NOTE:
> >
> > Even unconfined domains are subject to executable/writable memory
> > checks: execmem, execstack, execheap. By default processes run as an
> > unconfined domain can not allocate writeable memory and execute it.
> > This is a common attack vector called buffer overflow attacks. Some
> > applications require this type of access (java, wine, mono and a few
> > others).
> >
> >> Does this mean applications running in a Java Virtual Machine, and in Wine?
> >
> >> I'll change my response below based on the answer to this.
> Yes
> >
> >> These applications need to be labeled correctly to allow the
> > access. There are booleans that can turn off this protection for the
> > unconfined user unconfined_t: allow_execmem, allow_execstack,
> > allow_execheap.
> >
> > You can turn the booleans on using setsebool
> >
> > setsebool -P allow_execmem 1
> >
> >> I will use these examples later on.
> > > > And then there is text relocation
> > > > http://people.redhat.com/drepper/textrelocs.html
> > > > http://people.redhat.com/drepper/selinux-mem.html
> > > > /usr/sbin/semanage fcontext -l | grep execmem
> > > > /usr/sbin/semanage fcontext -l | grep textrel
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
> the words "unsubscribe selinux" without quotes as the message.
--
Dominick Grift <domg472@xxxxxxxxx>
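The execmem check described in the quoted NOTE can be verified from user space. The probe below is an added example, not code from the thread or from any of the people quoted: it requests writable-plus-executable anonymous memory in the two ways runtimes such as Java and Mono do, and reports whether the kernel allowed it, so running it as the user whose domain you are checking before and after `setsebool -P allow_execmem 1` shows the boolean's effect. It assumes Linux, and that an EACCES/EPERM from mmap or mprotect is the policy denial rather than some other failure.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Outcome of one probe. EACCES/EPERM from mmap/mprotect is how an SELinux
 * denial surfaces in user space (assumption: no other LSM is in the way). */
enum probe_result { PROBE_DENIED = 0, PROBE_ALLOWED = 1, PROBE_ERROR = -1 };

static int classify(int err) {
    return (err == EACCES || err == EPERM) ? PROBE_DENIED : PROBE_ERROR;
}

/* Probe 1: request an anonymous mapping that is writable and executable at
 * once. This is the direct W+X request that the execmem check covers. */
int probe_execmem_rwx(void) {
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return classify(errno);
    munmap(p, len);
    return PROBE_ALLOWED;
}

/* Probe 2: the JIT pattern used by runtimes such as Java and Mono: map RW,
 * write to it, then flip it to RX with mprotect. Making a private anonymous
 * mapping that has been writable executable is the same execmem access. */
int probe_execmem_jit(void) {
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return PROBE_ERROR;            /* plain RW memory failing is not a policy denial */
    *(volatile unsigned char *)p = 1;  /* touch the page; nothing is ever executed */
    int result = (mprotect(p, len, PROT_READ | PROT_EXEC) == 0)
                     ? PROBE_ALLOWED : classify(errno);
    munmap(p, len);
    return result;
}
static const char *describe(int r) {
    return r == PROBE_ALLOWED ? "allowed" : r == PROBE_DENIED ? "denied (execmem)" : "error";
}

int main(void) {
    printf("direct RWX mapping   : %s\n", describe(probe_execmem_rwx()));
    printf("RW then mprotect(RX) : %s\n", describe(probe_execmem_jit()));
    return 0;
}
```

On a host where the domain is denied execmem, both lines print "denied (execmem)" and the corresponding AVC message appears in the audit log; with allow_execmem turned on they print "allowed".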