SELinux removed from desktop cd spin?

Olivier Galibert galibert at pobox.com
Fri Jan 18 18:31:28 UTC 2008


On Fri, Jan 18, 2008 at 01:01:05PM -0500, Daniel J Walsh wrote:
> Olivier Galibert wrote:
> > On Fri, Jan 18, 2008 at 08:30:44AM -0500, Daniel J Walsh wrote:
> >> Bad cut and paste.  The one I pasted was for allow_execmem.  Where the
> >> definition is correct.
> > 
> > You mean Ulrich's page is incorrect then?  I indeed had noticed it was
> > about execmem.

You forgot to reply to that part ^^^.

Ulrich clearly says:
- mmap PROT_EXEC without PROT_WRITE of anonymous memory
- mmap PROT_EXEC|PROT_WRITE of files


> >> java/mono apps are not confined by this, since
> >> they run under a different context.
> > 
> > Java/Mono are not the only programs with dynamic code generators in
> > them.
> > 
> >   OG.
> > 
> The attached file is the file context of all files in Rawhide (Probably
> F8) that are marked as allowing execmem/execstack.
> 
> If you know of others, we need to update this list.

The list will never cover the results of my own calls to make.
Dynamic code generation is not such an unusual capability to add to a
program and it's a very useful tool.  While I can understand
requesting not to do it on the stack, preventing it altogether, and in
particular in areas mmapped explicitly for that purpose, seems rather
excessive.

  OG.
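
Added example, not part of the original message and not code from SELinux or from Ulrich's page: a C program that models the two mapping cases quoted above and probes whether the current process domain is allowed to create executable anonymous mappings. The function names, the 4096-byte mapping size, and the reading of the "files" case as MAP_PRIVATE file mappings only are assumptions.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE /* exposes MAP_ANONYMOUS under strict -std modes */
#endif
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* Model of when the process "execmem" permission is consulted for a
 * requested mapping. Assumption: covers the two cases quoted in the
 * message, and counts only MAP_PRIVATE file mappings as the "files" case. */
static bool execmem_checked(int prot, int flags)
{
    if (!(prot & PROT_EXEC))
        return false;             /* non-executable mappings are not affected */
    if (flags & MAP_ANONYMOUS)
        return true;              /* executable anonymous memory */
    return (flags & MAP_PRIVATE) && (prot & PROT_WRITE); /* W+X private file */
}

/* Try a private anonymous mapping with the given protection. Returns 0 on
 * success, or the errno from mmap (EACCES when policy denies the request). */
static int probe_anon(int prot)
{
    void *p = mmap(NULL, 4096, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    munmap(p, 4096);
    return 0;
}

int main(void)
{
    struct { const char *name; int prot; } cases[] = {
        { "anon RW (data only)",  PROT_READ | PROT_WRITE },
        { "anon RX",              PROT_READ | PROT_EXEC },
        { "anon RWX (JIT-style)", PROT_READ | PROT_WRITE | PROT_EXEC },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int err = probe_anon(cases[i].prot);
        bool chk = execmem_checked(cases[i].prot, MAP_PRIVATE | MAP_ANONYMOUS);
        printf("%-22s execmem checked: %-3s result: %s\n", cases[i].name,
               chk ? "yes" : "no", err ? strerror(err) : "allowed");
    }
    return 0;
}
```

Run it from the domain in question: on a system where SELinux is not enforcing, or where the domain holds execmem, every case reports "allowed".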



