Memory protection and system-config-securitylevel

Daniel J Walsh dwalsh at redhat.com
Mon Sep 28 16:20:42 UTC 2009


Kamil J. Dudek wrote:
> On Fri, 04-05-2007, at 11:30 -0400, Daniel J Walsh wrote:
>> Kamil wrote:
>>> Hello everybody
>>> Forgive me, if this subject has already been mentioned here, but I
>>> simply couldn't find answer anywhere.
>>>
>>> Few days ago I started system-config-securitylevel. I found something
>>> interesting in "Modify SELinux policies". A memory protection - there
>>> are four options in there. Two of them are enabled, with a description
>>> that if having this enabled is required by some program, it should be
>>> reported to bugzilla. I didn't do it, because of very strange effects
>>> after turning it off.
>>>
>>> Disabling 
>>> "Allow all executable files to map memory areas as executable and
>>> readable, which is dangerous and such program should be reported to
>>> bugzilla"
>>> and
>>> "Allow all executable files to mark stack as executable. That shouldn't
>>> ever be required"
>>> option(translation from polish) made system act very strange. First
>>> thing I've observed was that Kobo game stopped working. GMPC stopped
>>> playing. Also stuff outside of Fedora like Java and NVidia drivers
>>> failed. So I should have "reported to bugzilla" too many applications to
>>> make it have any sense. Such bug report would be only annoying but
>>> according to system-config-securitylevel...
>>>
>> Java Applications can be labeled java_exec_t (chcon -t java_exec_t 
>> PATHTOAPP) Please tell me the path of these apps, so I can set them to 
>> default.  Which will allow them to have this priv.  NVidia should be 
>> told to fix their drivers. (Or open source them,  their choice :^))
>>
>> These memory checks are described here
>> SELinux Memory Protection Tests 
>> <http://people.redhat.com/%7Edrepper/selinux-mem.html>
>>
>> The goal is to move towards, eliminating Writable/Executable memory to 
>> help protect systems.
>> For now if you can run with these checked off, you are more secure.   We 
>> realize that lots of apps are either broken or not labeled correctly.  
>> So we need to get the app vendors to fix their apps and to fix the 
>> labeling when it is wrong in SELinux.
>
> I have enabled only "Allow all executable files to mark stack as
> executable. That shouldn't ever be required". And everything except
> external NVidia drivers seems to work fine. The nv driver doesn't make
> any surprises. But when I disable even that, programs like Kobo Deluxe
> and glxgears return "Permission denied" error. Should I report these
> programs to Bugzilla or ignore that hint?
Please attach the avc messages from /var/log/audit/audit.log
>>> What is it with these two options? To make everything work properly they
>>> should be enabled, but their description that they should be disabled is
>>> confusing.
>>>
>>> Thank you and forgive me any mess I've done by this post
>>>
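The reply above asks for the AVC messages from /var/log/audit/audit.log, because those records show which memory-protection check each program trips. The script below is an added example, not code from the thread or from Fedora; it parses audit.log-style AVC lines and groups the denied memory permissions by program name (`comm`). The four permission names it looks for (execmem, execstack, execheap, execmod) are the checks behind the "memory protection" booleans described in the thread; the sample log lines, process names and paths are constructed for the example, and `remediation_hint` only restates the advice given in the thread (label Java applications java_exec_t, otherwise report the application so its labeling or code can be fixed).

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/audit/audit.log lines (not real log data).
# Two are ordinary records that the filter must ignore: a non-memory AVC
# denial and a SYSCALL record.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1190000000.101:120): avc:  denied  { execmem } for  pid=3012 comm="kobodl" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1190000000.202:121): avc:  denied  { execstack } for  pid=3040 comm="glxgears" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1190000000.303:122): avc:  denied  { execmod } for  pid=3040 comm="glxgears" path="/usr/lib/libGLcore.so.1" dev=sda2 ino=98765 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1190000000.404:123): avc:  denied  { execmem } for  pid=3101 comm="java" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1190000000.505:124): avc:  denied  { read } for  pid=3200 comm="httpd" name="index.html" scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1190000000.404:123): arch=40000003 syscall=192 success=no exit=-13 comm="java"
"""

# The SELinux permissions checked by the memory-protection booleans.
MEMORY_PERMS = {"execmem", "execstack", "execheap", "execmod"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)")
# key=value pairs; values are either double-quoted or a run of non-blanks.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return {'perms': [...], 'comm': ..., 'path': ..., ...} for an AVC denial, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = m.group("perms").split()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {"perms": perms, **fields}


def memory_denials(log_text):
    """Keep only AVC denials that involve one of the memory-protection permissions."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        mem = [p for p in rec["perms"] if p in MEMORY_PERMS]
        if mem:
            rec["perms"] = mem
            hits.append(rec)
    return hits


def summarize(log_text):
    """Map comm -> {'perms': sorted denied memory perms, 'paths': sorted object paths (execmod)}."""
    acc = defaultdict(lambda: {"perms": set(), "paths": set()})
    for rec in memory_denials(log_text):
        entry = acc[rec.get("comm", "?")]
        entry["perms"].update(rec["perms"])
        if "path" in rec:  # execmod denials name the library being modified
            entry["paths"].add(rec["path"])
    return {c: {"perms": sorted(v["perms"]), "paths": sorted(v["paths"])}
            for c, v in acc.items()}


def remediation_hint(comm):
    """Restate the thread's advice: Java apps get the java_exec_t label, others get a report."""
    if comm == "java":
        return "label the launcher java_exec_t (chcon -t java_exec_t PATHTOAPP)"
    return "report the program (or driver vendor) so the code or its labeling can be fixed"


if __name__ == "__main__":
    for comm, info in sorted(summarize(SAMPLE_AUDIT_LOG).items()):
        print(f"{comm}: denied {', '.join(info['perms'])}"
              + (f" on {', '.join(info['paths'])}" if info["paths"] else "")
              + f" -> {remediation_hint(comm)}")
```

Run it against the real file with `summarize(open("/var/log/audit/audit.log").read())`; the per-program listing is what the reply above asks to see attached, and the `execmod` entries also tell you which shared library (here the constructed libGLcore path) is the object of the denial.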
More information about the fedora-selinux-list mailing list