Adding two new booleans to httpd to tighten its security.

Nicolas Mailhot nicolas.mailhot at
Sat Dec 10 20:59:23 UTC 2005

On Sat 10 December 2005 21:37, Ulrich Drepper wrote:
> Nicolas Mailhot wrote:
>> avc:  denied  { execmem } for  pid=2950 comm="thunderbird-bin"
>> scontext=user_u:system_r:unconfined_t:s0-s0:c0.c255
>> tcontext=user_u:system_r:unconfined_t:s0-s0:c0.c255 tclass=process
> If this really happens then this is a terrible bug in tbird.  It's
> nothing which should be patched with the policy.  By not adding the
> support to catch these problems early the code won't be fixed.
> New rules are often added for a specific purpose: discover bugs in
> programs and stop existing threats.  It would be wrong to not attack
> these as soon as possible.

It really happens, at least there (and thunderbird hasn't been updated,
only selinux was - so it was happening before).

So there is lots of work to do with existing rules before even thinking
of moving to new bits like httpd port policy.

Nicolas Mailhot
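For anyone triaging denials like the one quoted above, here is a small parser that pulls the fields out of audit/dmesg AVC lines and tallies denied (source type, object class, permission) triples, so the execmem-in-unconfined_t case stands out from ordinary httpd port denials. This is an added example written for this thread, not code from Fedora, SELinux or the list; the three log lines are constructed for the demo (the first reconstructs the thunderbird-bin denial quoted in the mail, the other two are made up), and the field layout it assumes is the classic "avc: denied { perm } for key=value ..." form.

```python
import re
from collections import Counter

# Constructed sample input. Line 1 reproduces the denial quoted in the thread,
# joined back onto a single line; lines 2 and 3 are invented for illustration.
SAMPLE_LOG = """\
avc:  denied  { execmem } for  pid=2950 comm="thunderbird-bin" scontext=user_u:system_r:unconfined_t:s0-s0:c0.c255 tcontext=user_u:system_r:unconfined_t:s0-s0:c0.c255 tclass=process
avc:  denied  { name_bind } for  pid=4242 comm="httpd" src=8081 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
avc:  granted  { setenforce } for  pid=1 comm="init" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

# "avc:  denied  { execmem } for  pid=... comm=... scontext=... tclass=..."
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
# key=value pairs; values are either a quoted string or a run of non-space chars
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the AVC fields, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {"result": m.group("result"), "perms": m.group("perms").split(), **fields}


def source_type(context):
    """Extract the type (third colon-separated field) from a security context
    such as user_u:system_r:unconfined_t:s0-s0:c0.c255 -> unconfined_t."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def summarize_denials(log):
    """Count denied (source type, target class, permission) triples across a log.
    Granted records and non-AVC lines are ignored."""
    counts = Counter()
    for line in log.splitlines():
        rec = parse_avc(line)
        if not rec or rec["result"] != "denied":
            continue
        stype = source_type(rec.get("scontext", ""))
        for perm in rec["perms"]:
            counts[(stype, rec.get("tclass"), perm)] += 1
    return dict(counts)


def unconfined_denials(log):
    """Denials whose source domain is unconfined_t: the program itself, not the
    policy, is usually what needs attention there (as the thread argues)."""
    return [
        (rec["comm"], rec["perms"])
        for rec in (parse_avc(l) for l in log.splitlines())
        if rec and rec["result"] == "denied"
        and source_type(rec.get("scontext", "")) == "unconfined_t"
    ]


if __name__ == "__main__":
    for triple, n in sorted(summarize_denials(SAMPLE_LOG).items()):
        print(f"{n:3d}  {triple[0]} -> {triple[1]} {{ {triple[2]} }}")
    print("unconfined_t denials:", unconfined_denials(SAMPLE_LOG))
```

Feed it the avc lines from /var/log/messages or /var/log/audit/audit.log (the regex searches within the line, so the syslog or audit prefix in front of "avc:" does not matter) and the execmem denial shows up under unconfined_t, separate from the httpd_t name_bind denials the new booleans are meant to cover.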

More information about the fedora-selinux-list mailing list