On Sat, 2011-06-18 at 22:47 +0200, Göran Uddeborg wrote:
> But both of these systems are x86_64 systems.
Strange, as I never noticed these issues on any of my x86_64 systems.
> More exactly, why doesn't x86_64 need execmem? Firefox does
> apparently allocate memory that is both executable and writeable on
> x86_64 systems too.
Do not know, I was under the impression that it did not need it.
> > you can also set boolean allow_execmem to true I believe
> Yes, that makes firefox runnable again. But if possible I would
> prefer to have it turned off. And it does work with it turned off on
> the fresh install, so I guess there is some way to do it.
It is possible to silently deny this access, but there are issues to take
into account probably. Basically much of firefox gets run in the calling
user domain "on behalf of the user". Many other applications get run in
the calling user domain as well.
So if you would use "semodule -D .." to add a "dontaudit" rule to the
policy database (a rule that says deny this but do not audit the denial),
then you would potentially silently block other programs from
executing writable memory as well.
So you might get into a situation where some app refuses to run and you
would not find any traces of it in audit.log with respect to selinux blocking
its access to execmem.
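To make the caveat above concrete, here is an added example (not code from the thread or from the SELinux project) that parses AVC denial lines and groups the `execmem` denials by source domain. The audit lines in `SAMPLE_AUDIT` are constructed for illustration; the function names `parse_avc`, `execmem_denials_by_domain` and `hidden_by_dontaudit` are this example's own. The last function answers the question raised in the reply: if a `dontaudit` rule on the user domain were loaded, which other programs' denials would vanish from `audit.log` along with firefox's?

```python
import re
from collections import defaultdict

# Constructed sample AVC lines in the format used by /var/log/audit/audit.log.
# They are illustrative only, not real output from any system.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1308430000.123:501): avc:  denied  { execmem } for  pid=2211 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1308430001.456:502): avc:  denied  { execmem } for  pid=2290 comm="java" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1308430002.789:503): avc:  denied  { read } for  pid=2300 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1308430003.000:504): avc:  denied  { execmem } for  pid=2400 comm="mono" scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:staff_r:staff_t:s0 tclass=process
"""

# Pulls the denied permission set, the command name, the source context
# and the target class out of one AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+.*?'
    r'comm="(?P<comm>[^"]*)".*?scontext=(?P<scontext>\S+).*?tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return a dict for an AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:range]; the type is what policy rules key on.
    _user, _role, stype, *_rest = m.group('scontext').split(':')
    return {
        'perms': m.group('perms').split(),
        'comm': m.group('comm'),
        'stype': stype,
        'tclass': m.group('tclass'),
    }


def execmem_denials_by_domain(text):
    """Map each source domain to the sorted list of programs denied execmem in it."""
    out = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and 'execmem' in rec['perms'] and rec['tclass'] == 'process':
            out[rec['stype']].add(rec['comm'])
    return {domain: sorted(comms) for domain, comms in out.items()}


def hidden_by_dontaudit(text, domain):
    """Programs whose execmem denials would no longer be logged if a rule like
    'dontaudit <domain> self:process execmem;' were loaded for that domain."""
    return execmem_denials_by_domain(text).get(domain, [])


if __name__ == '__main__':
    for domain, comms in execmem_denials_by_domain(SAMPLE_AUDIT).items():
        print(f"{domain}: {', '.join(comms)}")
    print("would be silenced by a dontaudit on unconfined_t:",
          hidden_by_dontaudit(SAMPLE_AUDIT, 'unconfined_t'))
```

Run against a real `audit.log` (for example by reading the file into `text`), the report shows whether firefox is the only program in the user domain hitting `execmem`; if it is not, a `dontaudit` on that domain would hide the others too, which is exactly the trade-off the reply warns about. Toggling the boolean instead keeps the denials visible and is easier to revert.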