Hello Klaus,
Personally I'd suggest turning off exec (mem, heap, stack); mapping your
user role to staff_u and then disallowing unconfined logins; turning on
secure_mode and secure_mode_policyload. setsebool -P <name_of_boolean>
<value> should take care of that last from single user mode.
---------- Forwarded message ----------
From: Dominick Grift <domg472(a)gmail.com>
Date: Sun, Dec 27, 2009 at 12:24 PM
Subject: Re: allow_exec{mem,stack} default to on?
To: fedora-selinux-list(a)redhat.com
On Sun, Dec 27, 2009 at 01:48:03PM +0100, Klaus Lichtenwalder wrote:
Hi,
just checked to freshly installed Fedora 12 machines, and found
allow_execmem --> on
allow_execstack --> on
Is there a reason for this, as the comment in semanage strongly
discourages it? Or did I install a package that switches those booleans?
By default SELinux is pretty permissive (much is allowed). However you can
very much tighten the configuration.
A few things to do:
map all your Linux logins to confined SELinux users
disable the unconfined module
lock-down your booleans
...and much more...
Klaus
--
------------------------------------------------------------------------
Klaus Lichtenwalder, Dipl. Inform.,
http://lklaus.homelinux.org/Klaus/
PGP Key fingerprint: A5C0 F73A 2C83 96EE 766B 9C62 DB6D 1258 0E9B B6D1
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list