execmod avcs from today's policy

Stephen Smalley sds at epoch.ncsc.mil
Wed Feb 2 13:12:40 UTC 2005

On Fri, 2005-01-28 at 13:35, Stephen Smalley wrote:
> We should also wrap occurrences of execmem with a boolean, but a
> separate one than the execmod rules.  Might also want multiple booleans,
> e.g. to allow certain programs without allowing all others.

Note:  An allow_execmem boolean has been introduced into the latest
upstream policy, so I expect it will show up in future Fedora policies. 
Hence, you may need to enable this boolean, e.g. to allow X to continue
to run.  In the future, I think we will want multiple such booleans so
that we can allow certain domains (like X) to have this permission while
prohibiting others (like user domains).

Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency

More information about the fedora-selinux-list mailing list