Re: SELinux removed from desktop cd spin?

David Malcolm wrote:
> On Thu, 2008-01-17 at 19:20 +0100, Till Maas wrote:
>> On Thu January 17 2008, Olivier Galibert wrote:
>>> Now that's a superb example of one of the things that suck with
>>> selinux: put "allow_execmod" in google and try to find a page that
>>> actually explains what it means.
>> Here the 6th result is:
>> http://www.livejournal.com/go.bml?journal=danwalsh&itemid=13376&dir=next
>> And on that page is a link to:
>> http://people.redhat.com/~drepper/selinux-mem.html
>> What are you missing there?
> To be fair, are the policy types and booleans actually documented
> somewhere?  e.g. a set of manpages that could get autogenerated when the
> policy package is built? Does the policy source language support some
> kind of inline commenting that could be used doxygen-style to generate
> docs (and check doc coverage)?   Obviously, this would be aimed more at
> the classic unix sysadmin rather than a desktop user

<tunable name="allow_execmem" dftval="false">
Allow unconfined executables to map a memory region as both executable
and writable, this is dangerous and the executable should be reported in
<tunable name="allow_execmod" dftval="false">

This is in policy and extracted out into


But not currently in a man page.

audit2why and setroubleshoot are starting to use these definitions in
Fedora 9.
