Memory protection and system-config-securitylevel

Daniel J Walsh dwalsh at redhat.com
Fri May 4 15:30:57 UTC 2007


Kamil wrote:
> Hello everybody
> Forgive me, if this subject has already been mentioned here, but I
> simply couldn't find answer anywhere.
>
> A few days ago I started system-config-securitylevel. I found something
> interesting in "Modify SELinux policies". A memory protection - there
> are four options in there. Two of them are enabled, with a description
> that if having this enabled is required by some program, it should be
> reported to bugzilla. I didn't do it, because of very strange effects
> after turning it off.
>
> Disabling
> "Allow all executable files to map memory areas as executable and
> readable, which is dangerous and such program should be reported to
> bugzilla"
> and
> "Allow all executable files to mark stack as executable. That shouldn't
> ever be required"
> options (translation from Polish) made the system act very strange. The first
> thing I observed was that the Kobo game stopped working. GMPC stopped
> playing. Also stuff outside of Fedora like Java and NVidia drivers
> failed. So I should have "reported to bugzilla" too many applications to
> make it have any sense. Such a bug report would only be annoying, but
> according to system-config-securitylevel...
>
>   
Java applications can be labeled java_exec_t (chcon -t java_exec_t
PATHTOAPP). Please tell me the path of these apps, so I can set them to
default, which will allow them to have this priv. NVidia should be
told to fix their drivers. (Or open source them, their choice :^))

These memory checks are described here:
SELinux Memory Protection Tests
<http://people.redhat.com/%7Edrepper/selinux-mem.html>

The goal is to move towards eliminating writable/executable memory to
help protect systems.
For now, if you can run with these checked off, you are more secure. We
realize that lots of apps are either broken or not labeled correctly.
So we need to get the app vendors to fix their apps and to fix the
labeling when it is wrong in SELinux.


> What is it with these two options? To make everything work properly they
> should be enabled, but their description that they should be disabled is
> confusing.
>
> Thank you, and forgive me for any mess I've made with this post
>
>   
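The practical question behind this thread is which programs actually trip the memory-protection checks once the two booleans are switched off, so that each one can either be relabeled (the chcon command Dan gives for Java) or reported to its vendor. The script below is an added example, not code from the thread or from system-config-securitylevel: it reads SELinux AVC denials in the standard audit.log record layout, keeps only the four memory-protection permissions (execmem, execstack, execheap, execmod) named in Ulrich Drepper's linked page, and prints the remedy the thread describes for each offending program. The log lines are constructed samples; the program names java and kobo are taken from the thread, and PATHTOAPP is the thread's own placeholder for the real binary path.

```shell
#!/bin/sh
# Added example, not from the thread or from system-config-securitylevel:
# find which programs trip the SELinux memory-protection checks (execmem,
# execstack, execheap, execmod) by reading AVC denials from audit.log, and
# print the remedy the thread describes for each one.

# Constructed sample audit.log lines (not captured from a real host); PIDs,
# timestamps and contexts are made up but follow the real AVC record layout.
SAMPLE_AVC='type=AVC msg=audit(1178292657.123:45): avc:  denied  { execmem } for  pid=4242 comm="java" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1178292658.456:46): avc:  denied  { execstack } for  pid=4243 comm="kobo" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1178292659.789:47): avc:  denied  { read } for  pid=4244 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file'

# mem_denials LOGTEXT: print "permission comm" for every denial of one of
# the four memory-protection permissions; unrelated denials are dropped.
mem_denials() {
    printf '%s\n' "$1" | awk '
        /avc: +denied +[{] (execmem|execstack|execheap|execmod) [}]/ {
            match($0, /[{] [a-z]+ [}]/)
            perm = substr($0, RSTART + 2, RLENGTH - 4)
            match($0, /comm="[^"]*"/)
            comm = substr($0, RSTART + 6, RLENGTH - 7)
            print perm, comm
        }'
}

# count_mem_denials LOGTEXT: number of memory-protection denials found.
count_mem_denials() {
    mem_denials "$1" | awk 'END { print NR }'
}

# remedy COMM: the two outcomes the thread gives. A Java application can be
# relabeled java_exec_t with the chcon command from the reply (PATHTOAPP is
# the thread's placeholder for the real binary path); anything else has to be
# fixed by its vendor, i.e. reported rather than worked around.
remedy() {
    case $1 in
        java|javaws|java-*) printf 'chcon -t java_exec_t PATHTOAPP\n' ;;
        *) printf 'report %s to its vendor or bugzilla: it needs executable memory\n' "$1" ;;
    esac
}

# Walk the sample log and print one line per offending program.
mem_denials "$SAMPLE_AVC" | while read -r perm comm; do
    printf '%s requests %s -> %s\n' "$comm" "$perm" "$(remedy "$comm")"
done
```

On a real host, pass the contents of /var/log/audit/audit.log (or the output of `ausearch -m avc`) to mem_denials instead of the sample text; the awk filter is plain POSIX so it runs on a minimal system without any SELinux tooling installed, which is useful when the log is being reviewed somewhere other than the machine that produced it.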
