Daniel J Walsh
dwalsh at redhat.com
Sat Jun 6 13:48:00 UTC 2009
On 06/06/2009 09:09 AM, "Stanisław T. Findeisen" wrote:
> Look what I've found regarding stack execution:
> execstack :: As the name suggests, this error is raised if a program
> tries to make its stack (or parts thereof) executable with an mprotect
> call. This should never, ever be necessary. Stack memory is not
> executable on most OSes these days and this won't change. Executable
> stack memory is one of the biggest security problems. An execstack error
> might in fact be most likely raised by malicious code.
> $ cat /selinux/booleans/allow_execstack
> 1 1
> $ cat /etc/redhat-release
> Fedora release 10 (Cambridge)
> I haven't changed this setting manually since system install so I guess
> this is a bug in the Fedora policy?
> BTW what does the 1st "1", and what does the 2nd "1" in
> /selinux/booleans/allow_execstack stand for?
> OpenPGP: DFD9 0146 3794 9CF6 17EA D63F DBF5 8AA8 3B31 FE8A
Allow execstack was turned on by default in F10.
allow_execstack only affects unconfined domains. All confined domains
are not allowed to execstack, even if allow_execstack is set. The
boolean should have been named unconfined_execstack.
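
On the two numbers asked about in the quoted message: a selinuxfs boolean file holds the current value followed by the pending value. The following is an added example, not code from the thread or from Fedora policy, that reads that pair for allow_execstack and reports it as an audit finding; `BOOL_DIR`, `bool_state` and `report_execstack` are names made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread. selinuxfs exposes each boolean as
# "<current> <pending>": the active value, then the value that takes effect
# at the next commit. BOOL_DIR is this example's own variable; it defaults
# to the path used in the thread.
BOOL_DIR="${BOOL_DIR:-/selinux/booleans}"

# Print the state of boolean $1: on, off, pending-on, pending-off,
# missing or malformed.
bool_state() {
    f="$BOOL_DIR/$1"
    [ -r "$f" ] || { echo missing; return 0; }
    cur= pend= extra=
    # The kernel writes no trailing newline, so read hits EOF and returns
    # non-zero even though the fields were assigned.
    read -r cur pend extra < "$f" || :
    case "$cur:$pend:$extra" in
        1:1:) echo on ;;
        0:0:) echo off ;;
        0:1:) echo pending-on ;;
        1:0:) echo pending-off ;;
        *)    echo malformed ;;
    esac
}

# One-line finding for allow_execstack. Per the reply above, the boolean
# only matters for unconfined domains.
report_execstack() {
    s=$(bool_state allow_execstack)
    case "$s" in
        on)          echo "FINDING: unconfined domains may execstack" ;;
        pending-off) echo "FINDING: still on, off is staged but not committed" ;;
        pending-on)  echo "WARN: off now, on is staged for the next commit" ;;
        off)         echo "OK: execstack denied for unconfined domains too" ;;
        *)           echo "UNKNOWN: allow_execstack is $s in $BOOL_DIR" ;;
    esac
}

report_execstack
```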