allow_exec{mem,stack} default to on?

Klaus Lichtenwalder k.lichtenwalder at computer.org
Sun Dec 27 18:43:15 UTC 2009


Hi,

thanks for all your answers. It's correct, if I wanted to go the secure
road, I should map all users to some (more specific) role than is the
default. Considering the situation I think I can stay with the default
rights, as they are probably laid out fine (for default use, i.e. what
I need :-) ). In the meantime, I found some boinc jobs that need
allow_execmem. Guess I can live with that, and will come back again when
I start my first policies or refinements of some, I do have some on
target, already, so beware ;-)

Klaus

On Sun, 2009-12-27 at 13:11 -0500, Ryan Gandy wrote:
> Hello Klaus,
> 
> Personally I'd suggest turning off exec (mem, heap, stack); mapping
> your user role to staff_u and then disallowing unconfined logins;
> turning on secure_mode and secure_mode_policyload.  setsebool -P
> <name_of_boolean> <value> should take care of that last from single
> user mode.
> 
> ---------- Forwarded message ----------
> From: Dominick Grift <domg472 at gmail.com>
> Date: Sun, Dec 27, 2009 at 12:24 PM
> Subject: Re: allow_exec{mem,stack} default to on?
> To: fedora-selinux-list at redhat.com
> 
> 
> On Sun, Dec 27, 2009 at 01:48:03PM +0100, Klaus Lichtenwalder wrote:
> 
> > Hi,
> >
> > just checked two freshly installed Fedora 12 machines, and found
> >       allow_execmem --> on
> >       allow_execstack --> on
> > Is there a reason for this, as the comment in semanage strongly
> > discourages it? Or did I install a package that switches those
> > booleans?
> 
> 
> By default SELinux is pretty permissive (much is allowed). However you
> can very much tighten the configuration.
> 
...
> 
> map all your Linux logins to confined SELinux users
> disable the unconfined module
> lock-down your booleans
> ...and much more...


-- 
------------------------------------------------------------------------ 
 Klaus Lichtenwalder, Dipl. Inform.,  http://lklaus.homelinux.org/Klaus/
 PGP Key fingerprint: A5C0 F73A 2C83 96EE 766B  9C62 DB6D 1258 0E9B B6D1
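The check that the thread circles around, turned into a script: read `getsebool -a` style output and print the `setsebool -P` commands needed to reach the state Ryan recommends (allow_exec{mem,heap,stack} off, secure_mode and secure_mode_policyload on). This is an added example and not code from the thread or from Fedora; the boolean names are the Fedora 12 names used in the thread, the sample output is constructed, and only `getsebool`/`setsebool -P` themselves are assumed to exist on the host.

```shell
#!/bin/sh
# Added example: audit SELinux booleans against the tightening suggested in
# the thread. Nothing here changes the system; it only prints the commands.

# Constructed sample of `getsebool -a` output, mimicking the fresh Fedora 12
# install from the thread (a real system prints many more lines).
SAMPLE_GETSEBOOL='allow_execheap --> off
allow_execmem --> on
allow_execstack --> on
secure_mode --> off
secure_mode_policyload --> off
httpd_enable_homedirs --> off'

# Desired states from Ryan's advice. On newer policies the allow_exec*
# booleans were renamed (e.g. selinuxuser_execmem); adjust these lists.
WANT_OFF="allow_execmem allow_execheap allow_execstack"
WANT_ON="secure_mode secure_mode_policyload"

# audit_booleans: reads "name --> value" lines on stdin and prints one
# `setsebool -P name value` line per boolean that deviates from the desired
# state. Prints nothing when the system already matches.
audit_booleans() {
    while read -r name arrow value; do
        [ "$arrow" = "-->" ] || continue      # skip anything that is not getsebool output
        for b in $WANT_OFF; do
            if [ "$name" = "$b" ] && [ "$value" = "on" ]; then
                printf 'setsebool -P %s off\n' "$name"
            fi
        done
        for b in $WANT_ON; do
            if [ "$name" = "$b" ] && [ "$value" = "off" ]; then
                printf 'setsebool -P %s on\n' "$name"
            fi
        done
    done
}

# audit_sample: run the audit over the constructed sample (works offline).
audit_sample() { printf '%s\n' "$SAMPLE_GETSEBOOL" | audit_booleans; }

# audit_live: run the audit against the real host (needs an SELinux system).
audit_live() { getsebool -a | audit_booleans; }

# count_sample_deviations: number of booleans in the sample that need a change.
count_sample_deviations() { audit_sample | wc -l | tr -d ' '; }

# Stand-alone run: show what would have to be applied on the sample host.
audit_sample
```

Pipe the printed commands into a shell from single-user mode, as Ryan suggests, and apply `secure_mode_policyload` last: once it is on, further policy changes are refused until the next boot.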
