allow_exec{mem,stack} default to on?
Klaus Lichtenwalder
k.lichtenwalder at computer.org
Sun Dec 27 18:43:15 UTC 2009
Hi,
thanks for all your answers. It's correct: if I wanted to go the secure
road, I should map all users to some (more specific) role than is the
default. Considering the situation I think I can stay with the default
rights, as they are probably laid out fine (for default use, i.e. what
I need :-) ). In the meantime, I found some boinc jobs that need
allow_execmem. Guess I can live with that, and will come back again when
I start my first policies or refinements of some; I do have some on
target already, so beware ;-)
Klaus
On Sun, 2009-12-27 at 13:11 -0500, Ryan Gandy wrote:
> Hello Klaus,
>
> Personally I'd suggest turning off exec (mem, heap, stack); mapping
> your user role to staff_u and then disallowing unconfined logins;
> turning on secure_mode and secure_mode_policyload. setsebool -P
> <name_of_boolean> <value> should take care of that last from single
> user mode.
>
> ---------- Forwarded message ----------
> From: Dominick Grift <domg472 at gmail.com>
> Date: Sun, Dec 27, 2009 at 12:24 PM
> Subject: Re: allow_exec{mem,stack} default to on?
> To: fedora-selinux-list at redhat.com
>
>
> On Sun, Dec 27, 2009 at 01:48:03PM +0100, Klaus Lichtenwalder wrote:
>
> > Hi,
> >
> > just checked two freshly installed Fedora 12 machines, and found
> > allow_execmem --> on
> > allow_execstack --> on
> > Is there a reason for this, as the comment in semanage strongly
> > discourages it? Or did I install a package that switches those
> > booleans?
>
>
> By default SELinux is pretty permissive (much is allowed). However you
> can very much tighten the configuration.
>
...
>
> map all your Linux logins to confined SELinux users
> disable the unconfined module
> lock-down your booleans
> ...and much more...
--
------------------------------------------------------------------------
Klaus Lichtenwalder, Dipl. Inform., http://lklaus.homelinux.org/Klaus/
PGP Key fingerprint: A5C0 F73A 2C83 96EE 766B 9C62 DB6D 1258 0E9B B6D1
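The hardening steps Ryan and Dominick describe (turn off the exec booleans, map logins to a confined SELinux user, disable the unconfined module, turn on secure_mode and secure_mode_policyload) as a dry-run audit script. This is an added example, not code from the thread or from Fedora; it parses a constructed sample of `getsebool -a` output (standing in for a live query) and prints the commands it would run rather than executing them, so it can be reviewed on a machine without SELinux. The boolean names are the Fedora 12 ones from the thread; newer policy releases use different names. The function names and the LOGIN_NAME placeholder are this example's own.

```shell
#!/bin/sh
# Added example (not part of the thread): audit the exec* booleans and emit
# the hardening commands discussed above as a plan, without running them.

# Booleans the thread recommends turning off (Fedora 12 names).
RISKY_BOOLEANS="allow_execmem allow_execheap allow_execstack"

# Constructed sample of `getsebool -a` output; replace with a real query,
# e.g.  getsebool -a | risky_on
SAMPLE_GETSEBOOL='allow_execheap --> off
allow_execmem --> on
allow_execstack --> on
secure_mode --> off
secure_mode_policyload --> off'

# Read getsebool-style lines on stdin; print the risky booleans that are "on".
risky_on() {
    awk -v list="$RISKY_BOOLEANS" '
        BEGIN { n = split(list, want, " "); for (i = 1; i <= n; i++) w[want[i]] = 1 }
        ($1 in w) && $3 == "on" { print $1 }'
}

# Number of risky booleans currently on; 0 means nothing to change.
risky_count() {
    risky_on | wc -l | tr -d ' '
}

# Print (do not run) the hardening commands, in an order that does not lock
# you out: confine the login first, then tighten booleans, then drop unconfined.
# $1 is the Linux login to confine (LOGIN_NAME is a placeholder).
hardening_plan() {
    login="${1:-LOGIN_NAME}"
    # 1. Map the login to the confined staff_u SELinux user.
    printf 'semanage login -a -s staff_u %s\n' "$login"
    # 2. Persistently turn off every risky boolean that is on (-P survives reboot).
    risky_on | while read -r b; do
        printf 'setsebool -P %s off\n' "$b"
    done
    # 3. Lock the configuration: secure_mode_policyload blocks further policy
    #    loads until reboot, so do this last.
    printf 'setsebool -P secure_mode on\n'
    printf 'setsebool -P secure_mode_policyload on\n'
    # 4. Disable the unconfined module so unconfined logins are no longer possible.
    printf 'semodule -d unconfined\n'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_GETSEBOOL" | hardening_plan klaus
```

Run the script as-is to see the plan for the sample; to audit a live box, pipe `getsebool -a` into `risky_on` or `hardening_plan` instead. Nothing is changed until you run the printed commands yourself, which is deliberate, since a wrong order (disabling unconfined before any login is mapped to a confined user) can leave no usable administrative login.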