Re: request for review of httpd-related Boolean definitions

<snip>

o httpd_execmem

tunable_policy(`httpd_execmem',`
	allow httpd_t self:process { execmem execstack };
	allow httpd_sys_script_t self:process { execmem execstack };
	allow httpd_suexec_t self:process { execmem execstack };
')
Note that it also allows execstack.
Note that it also allows it for httpd_sys_script_t.
Note that it *does not* allow it for httpd_user_script_t (or any other
templated httpd script).

I think here he is looking to understand what exactly execmem allows. My
understanding is that it allows memory to be both writable and
executable, which is a no-no but often required because of some
questionable programming practices. Please correct me if I am wrong, but
if the above is correct then this allows the webserver to make memory
both writable and executable, something that should be avoided.

Yes correct. Turning on this boolean will allow apache to execute programs that require writable/executable memory. Java/Mono type apps could require this, but it should seldom be set. Turning this on eliminates some level of buffer overflow protection.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
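A practical follow-up to the thread above, added here as an example and not part of the original messages: before flipping httpd_execmem, check which domain is actually being denied, because the tunable_policy() block quoted above only covers httpd_t, httpd_sys_script_t and httpd_suexec_t. A denial logged against httpd_user_script_t (or an execheap denial) will not go away when the Boolean is set. The script below reads raw AVC records (the sample lines are constructed, not real captures; the `classify_avc` helper and its output format are this example's own) and reports, for every process-class execmem/execstack denial, whether the Boolean would cover it.

```shell
#!/bin/sh
# Added example (not from the thread): given raw AVC denial lines, report
# which execmem/execstack denials the httpd_execmem Boolean would cover.
# The three covered domains are taken from the tunable_policy() block
# quoted in the thread; anything else (e.g. httpd_user_script_t) is
# reported as NOT_COVERED so you know setting the Boolean alone won't help.

# Constructed sample audit.log records (not real captures).
SAMPLE_AVC='type=AVC msg=audit(1700000000.101:201): avc:  denied  { execmem } for  pid=1201 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { execstack } for  pid=1202 comm="php-cgi" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { execmem } for  pid=1203 comm="mono" scontext=system_u:system_r:httpd_user_script_t:s0 tcontext=system_u:system_r:httpd_user_script_t:s0 tclass=process permissive=0
type=AVC msg=audit(1700000000.104:204): avc:  denied  { execheap } for  pid=1204 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
type=AVC msg=audit(1700000000.105:205): avc:  denied  { read } for  pid=1205 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# Domains the httpd_execmem tunable grants execmem+execstack to.
COVERED_DOMAINS="httpd_t httpd_sys_script_t httpd_suexec_t"

# Reads AVC records on stdin; prints "<perm> <source domain> COVERED|NOT_COVERED"
# for every process-class execmem/execstack denial, one per line.
# Other denials (execheap, file reads, ...) are ignored on purpose: the
# Boolean says nothing about them.
classify_avc() {
    awk -v covered="$COVERED_DOMAINS" '
    BEGIN { n = split(covered, c, " "); for (i = 1; i <= n; i++) ok[c[i]] = 1 }
    /avc: +denied +[{] +(execmem|execstack) +[}]/ && /tclass=process/ {
        # the denied permission sits between "{ " and " }"
        match($0, /[{] [a-z_]+ [}]/)
        perm = substr($0, RSTART + 2, RLENGTH - 4)
        # source type is the third field of scontext=user:role:type:level
        match($0, /scontext=[^ ]+/)
        split(substr($0, RSTART + 9, RLENGTH - 9), sc, ":")
        dom = sc[3]
        status = (dom in ok) ? "COVERED" : "NOT_COVERED"
        printf "%s %s %s\n", perm, dom, status
    }'
}

# Wrappers over the constructed sample so the result can be checked directly.
covered_count()     { printf '%s\n' "$SAMPLE_AVC" | classify_avc | grep -c ' COVERED$'; }
not_covered_count() { printf '%s\n' "$SAMPLE_AVC" | classify_avc | grep -c ' NOT_COVERED$'; }

printf '%s\n' "$SAMPLE_AVC" | classify_avc
```

On a real system feed it live records with `ausearch -m AVC -ts recent | classify_avc`. To confirm what the Boolean grants on your own policy version (the rules above are from the snippet in the thread and may differ between refpolicy releases), run `sesearch -A -b httpd_execmem` from setools, and check or change the current value with `getsebool httpd_execmem` and `setsebool -P httpd_execmem 1`. Only set it once the denied domain is one the Boolean covers and the application genuinely needs writable and executable memory, since it removes that protection for every process in those domains.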