SELinux removed from desktop cd spin?

Daniel J Walsh dwalsh at redhat.com
Mon Jan 21 21:40:48 UTC 2008


Paul Howarth wrote:
> Daniel J Walsh wrote:
>> Olivier Galibert wrote:
>>> On Fri, Jan 18, 2008 at 08:30:44AM -0500, Daniel J Walsh wrote:
>>>> Olivier Galibert wrote:
>>>>> On Thu, Jan 17, 2008 at 01:48:42PM -0500, Daniel J Walsh wrote:
>>>>>> <tunable name="allow_execmem" dftval="false">
>>>>>> <desc>
>>>>>> <p>
>>>>>> Allow unconfined executables to map a memory region as both
>>>>>> executable
>>>>>> and writable, this is dangerous and the executable should be
>>>>>> reported in
>>>>>> bugzilla")
>>>>> That should be "to map a file in a memory region", as UD's page
>>>>> explains.  Otherwise anyone who knows a little about dynamic
>>>>> recompilers/JITs is gonna go "huh?".
>>>>>
>>>>>   OG.
>>>>>
>>>> Bad cut and paste.  The one I pasted was for allow_execmem, where the
>>>> definition is correct.
>>> You mean Ulrich's page is incorrect then?  I indeed had noticed it was
>>> about execmem.
>>>
>>>
>>>> java/mono apps are not confined by this, since
>>>> they run under a different context.
>>> Java/Mono are not the only programs with dynamic code generators in
>>> them.
>>>
>>>   OG.
>>>
>> The attached file is the file context of all files in Rawhide (probably
>> F8) that are marked as allowing execmem/execstack.
>>
>> If you know of others, we need to update this list.
> 
> Shouldn't this list also include things labelled as
> unconfined_notrans_exec_t such as mock and sysreport?
> 
> Paul.
> 
Yes. And prelink.