allow_exec{mem,stack} default to on?

Daniel J Walsh dwalsh at redhat.com
Wed Dec 30 14:23:56 UTC 2009


On 12/27/2009 01:43 PM, Klaus Lichtenwalder wrote:
> Hi,
> 
> thanks for all your answers. It's correct, if I wanted to go the secure
> road, I should map all users to some (more specific) role than is the
> default. Considering the situation I think I can stay with the default
> rights, as they are probably laid out fine (for default use, i.e. what
> I need :-) ) In the meantime, I found some boinc jobs, that need
> allow_execmem. Guess I can live with that, and will come back again when
> I start my first policies or refinements of some, I do have some on
> target, already, so beware ;-)
> 
> Klaus
> 
> On Sun, 2009-12-27 at 13:11 -0500, Ryan Gandy wrote:
>> Hello Klaus,
>>
>> Personally I'd suggest turning off exec (mem, heap, stack); mapping
>> your user role to staff_u and then disallowing unconfined logins;
>> turning on secure_mode and secure_mode_policyload.  setsebool -P
>> <name_of_boolean> <value> should take care of that last from single
>> user mode.
>>
>> ---------- Forwarded message ----------
>> From: Dominick Grift <domg472 at gmail.com>
>> Date: Sun, Dec 27, 2009 at 12:24 PM
>> Subject: Re: allow_exec{mem,stack} default to on?
>> To: fedora-selinux-list at redhat.com
>>
>>
>> On Sun, Dec 27, 2009 at 01:48:03PM +0100, Klaus Lichtenwalder wrote:
>>
>>> Hi,
>>>
>>> just checked two freshly installed Fedora 12 machines, and found
>>>       allow_execmem --> on
>>>       allow_execstack --> on
>>> Is there a reason for this, as the comment in semanage strongly
>>> discourages it? Or did I install a package that switches those
>> booleans?
>>
>>
>> By default SELinux is pretty permissive (much is allowed). However you
>> can very much tighten the configuration.
>>
> ..
>>
>> map all your Linux logins to confined SELinux users
>> disable the unconfined module
>> lock-down your booleans
>> ...and much more...
> 
I have tried many times to turn off the allow_execmem and allow_execstack booleans.  The problem is there is too much badly written code and too many unknown executables out there that require execmem and execstack.  Including stuff that is downloaded to the homedir.

allow_execmem was on by default in F12 and allow_execstack has been turned on by default in newer policies, although this will only happen on fresh installs with the new policy.  Updates NEVER change boolean settings.

I would advise people who know what they are doing to turn off these booleans, but turning them on by default inflicts too much pain.

allow_execmod and allow_execheap are off by default.

These booleans only affect unconfined domains.  So every confined domain will enforce the execmem and execstack access control regardless of their settings.
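
An added example, not part of any message in this thread: two shell functions that read `getsebool`-style output and audit log lines, print the `setsebool -P` commands for the exec* booleans that are still on, and count execmem/execstack denials per command and source domain so the programs that break with a boolean off can be identified. The sample boolean list, the audit lines and the command names `boinc_job` and `legacy_app` are constructed for illustration.

```shell
#!/bin/sh
# Added example; the sample data below is constructed, not taken from the thread.

# The four exec* booleans named in the thread.
EXEC_BOOLEANS="allow_execmem allow_execstack allow_execmod allow_execheap"

# stdin: `getsebool -a` output ("name --> on"). Prints one setsebool command
# for each exec* boolean that is still on.
exec_booleans_to_disable() {
    awk -v want="$EXEC_BOOLEANS" '
        BEGIN { n = split(want, a, " "); for (i = 1; i <= n; i++) watch[a[i]] = 1 }
        ($1 in watch) && $2 == "-->" && $3 == "on" { print "setsebool -P " $1 " off" }'
}

# stdin: audit.log lines. Prints "count permission command source_domain" for
# exec* denials, so the programs that break with a boolean off are visible.
exec_denials_summary() {
    awk '
        /avc: +denied/ && match($0, /[{] (execmem|execstack|execmod|execheap) [}]/) {
            perm = substr($0, RSTART + 2, RLENGTH - 4)
            comm = "?"; dom = "?"
            if (match($0, /comm="[^"]*"/)) comm = substr($0, RSTART + 6, RLENGTH - 7)
            if (match($0, /scontext=[^ ]+/)) {
                split(substr($0, RSTART + 9, RLENGTH - 9), ctx, ":")
                dom = ctx[3]   # user:role:type:level -> type
            }
            count[perm " " comm " " dom]++
        }
        END { for (k in count) print count[k], k }' | sort
}

# Constructed sample of getsebool output.
SAMPLE_BOOLEANS='allow_execheap --> off
allow_execmem --> on
allow_execmod --> off
allow_execstack --> on
allow_ftpd_anon_write --> off'

# Constructed audit lines; boinc_job and legacy_app are hypothetical commands.
SAMPLE_AUDIT='type=AVC msg=audit(1262182001.100:201): avc:  denied  { execmem } for  pid=2101 comm="boinc_job" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1262182002.200:202): avc:  denied  { execmem } for  pid=2102 comm="boinc_job" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1262182003.300:203): avc:  denied  { execstack } for  pid=2200 comm="legacy_app" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1262182004.400:204): avc:  denied  { read } for  pid=2300 comm="httpd" name="notes.txt" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

printf '%s\n' "$SAMPLE_BOOLEANS" | exec_booleans_to_disable
printf '%s\n' "$SAMPLE_AUDIT" | exec_denials_summary
```

On a live system, pipe `getsebool -a` into the first function and the output of `ausearch -m avc` into the second instead of the samples.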



