execmod avcs from today's policy
Stephen Smalley
sds at epoch.ncsc.mil
Wed Feb 2 13:12:40 UTC 2005
On Fri, 2005-01-28 at 13:35, Stephen Smalley wrote:
> We should also wrap occurrences of execmem with a boolean, but a
> separate one than the execmod rules. Might also want multiple booleans,
> e.g. to allow certain programs without allowing all others.
Note: An allow_execmem boolean has been introduced into the latest
upstream policy, so I expect it will show up in future Fedora policies.
Hence, you may need to enable this boolean, e.g. to allow X to continue
to run. In the future, I think we will want multiple such booleans so
that we can allow certain domains (like X) to have this permission while
prohibiting others (like user domains).
--
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
More information about the fedora-selinux-list
mailing list