execmem

Ivan Gyurdiev ivg2 at cornell.edu
Thu Jan 12 13:08:43 UTC 2006


Stephen Smalley wrote:
> On Wed, 2006-01-11 at 13:56 -0600, Jason Dravet wrote:
>   
>> When execstack was turned off on December 9 and execmem and execmod were 
>> turned off on December 10 several programs broke and I opened bugzilla 
>> issues for them.  Now one of the programmers has contacted me about this, 
>> but now the program works.  I am pretty sure the program was not fixed (I 
>> have not updated it) as suggested by 
>> http://people.redhat.com/drepper/selinux-mem.html.  I think the selinux 
>> policy changed and allows the exec* access again.  How can I turn off this 
>> access so the program can be fixed properly?
>>
>> I tried the following command: setsebool -P allow_execmem=0 allow_execmod=0 
>> allow_execheap=0
>> and this is what I got:
>> libsemanage.dbase_llist_set: record not found in the database
>> libsemanage.dbase_llist_set: could not set record value
>> Could not change policy booleans
>>
>> I am running selinux-policy-targeted-2.1.8-3 and selinux-policy-2.1.8-3 in 
>> enforcing mode on Fedora rawhide.
>>     
>
> Hmm...that error message needs to be more informative - only one of
> those booleans is undefined (allow_execheap - there is no boolean for
> it).
>   
I agree - unfortunately this code is polymorphed, so it is not 
completely trivial to print information specific to the record type. 
I'll try to improve some of this.. I guess I should add some print 
functions to the record method table.
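
An added example, not part of the original thread and not libsemanage or policycoreutils code: a shell pre-check that names which requested boolean is undefined before `setsebool -P` is run, since the command in the thread fails as a whole without saying which record was missing. The function names, the `SEBOOL_LISTING` variable and the sample listing are assumptions constructed for illustration; the listing stands in for `getsebool -a` output.

```shell
#!/bin/sh
# Constructed sample in `getsebool -a` format ("name --> state" per line).
# allow_execheap is deliberately absent, matching the situation in the thread.
SAMPLE_BOOLEANS='allow_execmem --> on
allow_execmod --> on
allow_execstack --> off'

# undefined_booleans LISTING name=value...
# Prints every requested boolean name that does not appear in LISTING.
undefined_booleans() {
    listing=$1; shift
    for assignment in "$@"; do
        name=${assignment%%=*}
        # Compare the whole first field so a prefix such as "allow_exec"
        # is not mistaken for "allow_execmem".
        if ! printf '%s\n' "$listing" |
            awk -v n="$name" '$1 == n { found = 1 } END { exit !found }'; then
            printf '%s\n' "$name"
        fi
    done
}

# safe_setsebool name=value...
# Hypothetical wrapper: refuses to touch policy if any name is undefined and
# reports the offending names. SEBOOL_LISTING overrides the live listing.
safe_setsebool() {
    listing=${SEBOOL_LISTING:-$(getsebool -a)}
    missing=$(undefined_booleans "$listing" "$@")
    if [ -n "$missing" ]; then
        echo "undefined boolean(s): $(echo $missing)" >&2
        return 1
    fi
    setsebool -P "$@"
}

# Demo on the constructed sample, using the arguments from the thread.
undefined_booleans "$SAMPLE_BOOLEANS" \
    allow_execmem=0 allow_execmod=0 allow_execheap=0
```

On a live system, `safe_setsebool allow_execmem=0 allow_execmod=0` reads the real listing and then makes the persistent change.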



