On Wed, Feb 20, 2013 at 12:48 PM, Maurizio Pagani Gmail <pag.maurizio(a)gmail.com> wrote:
Hi there,

I’ve a question about “exec-shield”. Practically, on some servers SELinux
is disabled, but I see that “exec-shield” is enabled:

**********************************************
[root@app12trnr TSCM]# sysctl -a|grep -i exec
kernel.exec-shield = 1
[root@app12trnr TSCM]# sestatus
SELinux status: disabled
**********************************************

- Now, the question is: even if SELinux is disabled, does exec-shield
work normally? And if the answer is “yes”, by which criteria does
exec-shield block an application from writing to memory?
- Because I think that only SELinux can manage “exec-shield” to decide
by which criteria something can be blocked from writing to memory.
Because I saw that there is a “process object class” with some permissions
that specify “execheap, execstack, and so on” to manage “allow/deny”.

IMHO, not so. SELinux supplements Exec Shield by providing policy control
over mmap/mprotect with PROT_EXEC, enabling one to control the ability to
make executable mappings that are writable.
http://people.redhat.com/drepper/nonselsec.pdf
http://people.redhat.com/drepper/selinux-mem.html
Here is another good explanation:
http://www.redhat.com/archives/fedora-selinux-list/2005-December/msg00062...

I hope I was clear with the question.
Thanks in advance,

Maurizio Pagani

--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
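
The reply's point, that SELinux adds policy control over mmap/mprotect requests carrying PROT_EXEC, can be observed with a small probe. This is an added example, not code from the thread or the linked documents; the function names are illustrative, and the execmem/execheap labels name the SELinux process-class permissions that cover each request. It assumes Linux with glibc, where a small allocation is served from the brk heap.

```c
#define _GNU_SOURCE
/* Added example (not from the thread): ask the kernel for the mappings that
 * SELinux's memory-protection checks cover and report grant or refusal. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Each probe returns 0 if granted, otherwise the errno of the refusal. */

/* Anonymous mapping that is writable and executable at once (execmem). */
int probe_wx_mmap(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    munmap(p, len);
    return 0;
}

/* Page of malloc'd memory given PROT_EXEC with mprotect (execheap when the
 * page lies in the brk heap; assumed here for a small glibc allocation). */
int probe_heap_exec(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = NULL;
    if (posix_memalign(&p, len, len) != 0)
        return ENOMEM;
    int rc = mprotect(p, len, PROT_READ | PROT_WRITE | PROT_EXEC) ? errno : 0;
    if (rc == 0)
        mprotect(p, len, PROT_READ | PROT_WRITE); /* put the page back */
    free(p);
    return rc;
}

static void report(const char *what, int rc)
{
    printf("%-28s %s\n", what, rc ? strerror(rc) : "granted");
}

int main(void)
{
    report("mmap W+X (execmem)", probe_wx_mmap());
    report("mprotect heap +X (execheap)", probe_heap_exec());
    return 0;
}
```

With SELinux disabled no policy check applies to these requests; under an enforcing policy that withholds the permission from the calling domain, the call fails with EACCES and an AVC denial is logged.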