Interesting reading on exec* access checks.

Daniel J Walsh dwalsh at
Thu Dec 8 21:29:17 UTC 2005

We are planning on turning off allow_execmem, allow_execmod, 
allow_execheap for unconfined_t in targeted policy.  We are working to 
clean up any problems this might cause.  This will add additional 
security features to Userspace, but might cause headaches.

If you have the latest policy installed on Rawhide

selinux-policy-targeted-2.1.0-3 or later you can try it out by running

setsebool -P allow_execmem=0 allow_execmod=0 allow_execheap=0

You might need to relabel /usr/lib and /lib.

Any help would be appreciated.  :^)


More information about the fedora-selinux-list mailing list