allow_exec{mem,stack} default to on?
Klaus Lichtenwalder
k.lichtenwalder at computer.org
Wed Dec 30 14:52:10 UTC 2009
Am Mittwoch, den 30.12.2009, 09:23 -0500 schrieb Daniel J Walsh:
> allow_execmem was on by default in F12 and allow_execstack has been
> turned on by default in newer policies, although this will only happen
> on fresh installs with the new policy. Updates NEVER change boolean
> settings.
I did an install with the netintall CD, so kind of fresh install with
the new policy
>
> I would advise people who know what they are doing to turn off this
> booleans, but turning them on by default inflicts too much pain.
>
> allow_execmod and allow_execheap are off by default.
>
> These booleans only effect unconfined domains. So evey confined
> domain will enforce the execmem and execstack access control
> regardless of their settings.
At the moment I have
allow_execheap --> off
allow_execmem --> on
allow_execmod --> off
allow_execstack --> off
As the boinc_client needs execmem. Guess I'll file a bug with them, as
I'm more comfortable with this off...
Which brings me to the point, I should check whether the *service* boinc
(which I don't use) is running unconfined...
Interestingly I have another application, for homebanking, that's
throwing the famous mmap_zero violation. Which I still don't allow and
the application doesn't care... Probably lot's of bugs in their code and
code pathes that aren't too important :-)
Klaus
--
------------------------------------------------------------------------
Klaus Lichtenwalder, Dipl. Inform., http://lklaus.homelinux.org/Klaus/
PGP Key fingerprint: A5C0 F73A 2C83 96EE 766B 9C62 DB6D 1258 0E9B B6D1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Dies ist ein digital signierter Nachrichtenteil
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20091230/bce8b546/attachment.sig>
More information about the fedora-selinux-list
mailing list