[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Please disable the SELinux execstack/relro checks before FC5 final



On Fri, 2006-02-17 at 11:42 +0100, Arjan van de Ven wrote:
> Hi,
> 
> I'm hereby asking to disable/remove the SELinux execstack/relro checks
> before FC5 ships. The current state of affairs will only lead to people
> using big-hammer approaches in disabling selinux or big chunks thereof
> (based on "solutions" they find with google), which is worse than not
> having this protection in the first place.
> 
> The technology is not finished yet. What I can imagine being useful is:
> 1) having the security config tool do a scan for libs/binaries that are
> not labeled correctly yet and present a dialog to add permissions,
> including an explanation of what the consequences are
> 2) a dbus message on failure so that the desktop can pop up a "<this
> application> tried to use <this insecure library> which is most likely a
> security risk. In case you downloaded this plugin deliberately, make
> sure you want this" or something
> 
> As it is right now, it's just one more thing people will just disable
> and hate selinux more for.  

Can you clarify exactly what you want here?  I assume you mean just
allow-by-default, i.e. just enable booleans in the policy by default to
allow these permissions while still giving people the option to disable
them if they wish.  And what exact permissions are in view here:
- execstack obviously
- execheap?
- execmod?  If so, to all file types under one boolean setting, and only
to texrel_shlib_t under the opposite setting?
- execmem?  

-- 
Stephen Smalley
National Security Agency


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]