Hello Klaus,

Personally I'd suggest turning off exec (mem, heap, stack); mapping your user role to staff_u and then disallowing unconfined logins; turning on secure_mode and secure_mode_policyload.  setsebool -P <name_of_boolean> <value> should take care of that last from single user mode.

---------- Forwarded message ----------
From: Dominick Grift <domg472@gmail.com>
Date: Sun, Dec 27, 2009 at 12:24 PM
Subject: Re: allow_exec{mem,stack} default to on?
To: fedora-selinux-list@redhat.com


On Sun, Dec 27, 2009 at 01:48:03PM +0100, Klaus Lichtenwalder wrote:
> Hi,
>
> just checked to freshly installed Fedora 12 machines, and found
>       allow_execmem --> on
>       allow_execstack --> on
> Is there a reason for this, as the comment in semanage strongly
> discourages it? Or did I install a package that switches those booleans?

By default SELinux is pretty permissive (much is allowed). However you can very much tighten the configuration.

A few things to do:

map all your Linux logins to confined SELinux users
disable the unconfined module
lock-down your booleans
...and much more...
>
> Klaus
>
> --
> ------------------------------------------------------------------------
>  Klaus Lichtenwalder, Dipl. Inform.,  http://lklaus.homelinux.org/Klaus/
>  PGP Key fingerprint: A5C0 F73A 2C83 96EE 766B  9C62 DB6D 1258 0E9B B6D1
>



> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list


--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list