execmem and targeted policy

Stephen Smalley sds at epoch.ncsc.mil
Thu Feb 10 18:20:28 UTC 2005

On Thu, 2005-02-10 at 13:17, Colin Walters wrote:
> I noticed that as of a recent rawhide update that Eclipse stopped
> working:
> audit(1108057938.336:0): avc:  denied  { execmem } for  pid=14065 comm=eclipse scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=process
> Chatting with Dan, this is apparently because the execmem permission was
> dropped from unconfined_domain recently.  
> We can't do this in targeted policy because it would require us to know
> about (and specially label) all such programs.

It is controlled by a boolean.  So simply enable the allow_execmem and
allow_execmod booleans by default in the targeted policy (via the
booleans config file).  Or if you absolutely must unconditionally allow
it in targeted policy, put the allow rules in the targeted unconfined.te
file so that you don't affect the strict policy.  But note that the
reason for subjecting these permissions to booleans even in the targeted
policy was that we were asked to do so by Ulrich (see the earlier
discussion on rhselinux-list).

Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency

More information about the fedora-selinux-list mailing list