On Sun, Dec 27, 2009 at 01:48:03PM +0100, Klaus Lichtenwalder wrote:
> Hi,
> just checked two freshly installed Fedora 12 machines, and found
> allow_execmem --> on
> allow_execstack --> on
> Is there a reason for this, as the comment in semanage strongly
> discourages it? Or did I install a package that switches those booleans?
I am not sure about the official reason, but I think it is true that at least execmem by
unconfined_t is allowed by default.
If you so desire you can switch it off.
Personally I can imagine why these permissions are allowed by default for unconfined_t.
unconfined_t is designed to be unconfined, thus in that theory execmem, execmod, execstack
and execheap would be allowed by unrestricted processes.
If you want to protect/restrict user processes, then consider defaulting to restricted
user domains instead of unrestricted user domains. (just a general piece of advice)
> Klaus
> --
> ------------------------------------------------------------------------
> Klaus Lichtenwalder, Dipl. Inform.,
> http://lklaus.homelinux.org/Klaus/
> PGP Key fingerprint: A5C0 F73A 2C83 96EE 766B 9C62 DB6D 1258 0E9B B6D1
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
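
The switch-off step mentioned in the reply, as an added example that is not part of the original thread: it reads `getsebool -a` style lines, reports which memory-protection booleans are on, and prints the matching `setsebool -P` commands without running them. The sample listing is constructed, and `allow_execmod` and `allow_execheap` are assumed to be the boolean names matching the other two permissions the reply lists.

```sh
#!/bin/sh
# Added example: flag SELinux memory-protection booleans that are enabled.
# Input format is the "name --> on|off" form shown in the original message.

# allow_execmem and allow_execstack are from the thread; allow_execmod and
# allow_execheap are assumed names for the other permissions the reply lists.
MEM_BOOLEANS="allow_execmem allow_execstack allow_execmod allow_execheap"

# Read a boolean listing on stdin; print the watched booleans that are "on".
enabled_mem_booleans() {
    while read -r name arrow state; do
        # Skip blank or malformed lines and anything that is not "on".
        if [ "$arrow" != "-->" ] || [ "$state" != "on" ]; then
            continue
        fi
        case " $MEM_BOOLEANS " in
            *" $name "*) printf '%s\n' "$name" ;;
        esac
    done
}

# Print (do not run) the persistent switch-off command for each finding.
remediation_commands() {
    enabled_mem_booleans | while read -r b; do
        printf 'setsebool -P %s off\n' "$b"
    done
}

# Constructed sample in getsebool output format (not captured from a real host).
sample_listing() {
    cat <<'EOF'
allow_execheap --> off
allow_execmem --> on
allow_execmod --> off
allow_execstack --> on
httpd_can_network_connect --> off
EOF
}

# On a live host, replace sample_listing with: getsebool -a
sample_listing | remediation_commands
```

Review the printed commands before running them as root; `-P` makes the change persist across reboots.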