allow_exec{mem,stack} default to on?

Daniel J Walsh dwalsh at redhat.com
Thu Dec 31 14:11:55 UTC 2009


On 12/30/2009 09:52 AM, Klaus Lichtenwalder wrote:
> On Wednesday, 30.12.2009, 09:23 -0500, Daniel J Walsh wrote:
> 
>> allow_execmem was on by default in F12 and allow_execstack has been
>> turned on by default in newer policies, although this will only happen
>> on fresh installs with the new policy.  Updates NEVER change boolean
>> settings.
> 
> I did an install with the netinstall CD, so kind of fresh install with
> the new policy
>>
>> I would advise people who know what they are doing to turn off these
>> booleans, but turning them on by default inflicts too much pain.
>>
>> allow_execmod and allow_execheap are off by default.
>>
>> These booleans only affect unconfined domains.  So every confined
>> domain will enforce the execmem and execstack access control
>> regardless of their settings.
> 
> At the moment I have
> allow_execheap --> off
> allow_execmem --> on
> allow_execmod --> off
> allow_execstack --> off
> 
> As the boinc_client needs execmem. Guess I'll file a bug with them, as
> I'm more comfortable with this off...
> 
> Which brings me to the point, I should check whether the *service* boinc
> (which I don't use) is running unconfined...
> 
> Interestingly I have another application, for homebanking, that's
> throwing the famous mmap_zero violation. Which I still don't allow and
> the application doesn't care... Probably lots of bugs in their code and
> code paths that aren't too important :-)
> 
Is this a Wine application?  Wine seems to throw this error even though it only needs it for very old DOS-type apps.

> Klaus
> 
> 
> 
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
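The thread raises two practical checks: which of the allow_exec* booleans are currently enabled, and whether a given service (boinc in Klaus's case) actually runs in an unconfined domain, where those booleans matter. The script below is an added example, not code from the thread or from the Fedora policy; it parses `getsebool -a` and `ps -eZ` style output with awk, and the sample output it reads is constructed inline so it runs without SELinux (the comments mark where the real commands go). The `setsebool -P` lines it emits are printed for review rather than executed.

```shell
#!/bin/sh
# Added example (not part of the mailing list thread).
# Answers two questions from the thread on a running system:
#   1. which allow_exec* booleans are on, and how to persistently turn them off
#   2. which processes run in unconfined_t, the only domain those booleans affect

# Constructed sample of `getsebool -a` output, filtered to the four exec booleans
# (values mirror the ones Klaus reported in the thread).
SAMPLE_GETSEBOOL='allow_execheap --> off
allow_execmem --> on
allow_execmod --> off
allow_execstack --> off'

# Constructed sample of `ps -eZ` output: SELinux label, PID, TTY, TIME, CMD.
# The boinc_client and boinc entries are hypothetical, included to show both a
# user-launched and a service-launched process landing in unconfined_t.
SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:01 init
system_u:system_r:httpd_t:s0     1234 ?        00:00:00 httpd
unconfined_u:unconfined_r:unconfined_t:s0 2345 ? 00:00:03 boinc_client
system_u:system_r:unconfined_t:s0 2346 ? 00:00:00 boinc'

# Read getsebool output on stdin; print each enabled exec boolean, one per line.
# Real use:  getsebool -a | enabled_exec_booleans
enabled_exec_booleans() {
    awk '$1 ~ /^allow_exec(mem|stack|mod|heap)$/ && $3 == "on" { print $1 }'
}

# Read ps -eZ output on stdin; print "PID CMD" for every process whose
# security context has the type unconfined_t (third colon-separated field).
# Real use:  ps -eZ | unconfined_processes
unconfined_processes() {
    awk 'NR > 1 {
        split($1, ctx, ":")
        if (ctx[3] == "unconfined_t") print $2, $NF
    }'
}

# Read getsebool output on stdin; print the persistent (-P) setsebool command
# that would turn off each enabled exec boolean. Printed, not run, so an admin
# can review before changing policy on a box where software relies on them.
disable_commands() {
    enabled_exec_booleans | awk '{ print "setsebool -P " $1 " off" }'
}

# Stand-alone demonstration on the constructed samples.
echo "enabled exec booleans:"
printf '%s\n' "$SAMPLE_GETSEBOOL" | enabled_exec_booleans
echo "processes in unconfined_t:"
printf '%s\n' "$SAMPLE_PS" | unconfined_processes
echo "commands to turn the enabled booleans off:"
printf '%s\n' "$SAMPLE_GETSEBOOL" | disable_commands
```

On a real Fedora host, replace the `printf ... | ` pipelines with `getsebool -a | enabled_exec_booleans` and `ps -eZ | unconfined_processes`; a service showing up in `unconfined_t` is one that the allow_execmem/allow_execstack booleans govern, whereas a process in its own confined domain (httpd_t above) enforces execmem and execstack regardless of how the booleans are set.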
