Interesting reading on exec* access checks.
Daniel J Walsh
dwalsh at redhat.com
Thu Dec 8 21:29:17 UTC 2005
We are planning on turning off allow_execmem, allow_execmod,
allow_execheap for unconfined_t in targeted policy. We are working to
clean up any problems this might cause. This will add additional
security features to Userspace, but might cause headaches.
If you have the latest policy installed on Rawhide,
selinux-policy-targeted-2.1.0-3 or later, you can try it out by running:
setsebool -P allow_execmem=0 allow_execmod=0 allow_execheap=0
You might need to relabel /usr/lib and /lib.
Any help would be appreciated. :^)
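
To find what breaks once these booleans are off, this added example (not part of the original post) tallies execmem, execmod and execheap AVC denials per program and names the matching boolean. The function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: count execmem/execmod/execheap AVC denials per program
# so each offender can be fixed or relabelled.

# Reads audit log text on stdin.
# Prints: <boolean> <comm> <object name or -> <count>
summarize_exec_denials() {
    awk '
    function field(line, key,    v) {
        # Value of " key=value" in an AVC record, quotes stripped; "-" if absent
        if (!match(line, " " key "=[^ ]*")) return "-"
        v = substr(line, RSTART + length(key) + 2, RLENGTH - length(key) - 2)
        gsub(/"/, "", v)
        return v
    }
    /avc:/ && /denied/ {
        # The denied permission set sits between "{" and "}"
        o = index($0, "{"); c = index($0, "}")
        if (o == 0 || c < o) next
        n = split(substr($0, o + 1, c - o - 1), perms, " ")
        for (i = 1; i <= n; i++) {
            p = perms[i]
            if (p == "execmem" || p == "execmod" || p == "execheap")
                seen["allow_" p " " field($0, "comm") " " field($0, "name")]++
        }
    }
    END { for (k in seen) print k, seen[k] }
    ' | LC_ALL=C sort
}

# Constructed sample records (illustrative, not real log data)
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1134077001.101:11): avc:  denied  { execmem } for  pid=2101 comm="java" scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=process
type=AVC msg=audit(1134077002.102:12): avc:  denied  { execmod } for  pid=2102 comm="xmms" name="libexample.so" dev=hda2 ino=4711 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file
type=AVC msg=audit(1134077003.103:13): avc:  denied  { execmem } for  pid=2103 comm="java" scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=process
type=AVC msg=audit(1134077004.104:14): avc:  denied  { read } for  pid=2104 comm="cat" name="shadow" dev=hda2 ino=99 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:shadow_t tclass=file
type=AVC msg=audit(1134077005.105:15): avc:  denied  { execheap } for  pid=2105 comm="demo" scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=process
type=AVC msg=audit(1134077006.106:16): avc:  granted  { execmem } for  pid=2106 comm="other" scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=process
EOF
}

sample_log | summarize_exec_denials
```

On a live system, replace `sample_log` with the audit log, for example `summarize_exec_denials < /var/log/audit/audit.log` (or `/var/log/messages` when auditd is not running).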