[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Memory protection and system-config-securitylevel

Kamil J. Dudek wrote:
On Fri, 04-05-2007 at 11:30 -0400, Daniel J Walsh wrote:
Kamil wrote:
Hello everybody
Forgive me if this subject has already been mentioned here, but I
simply couldn't find an answer anywhere.

A few days ago I started system-config-securitylevel. I found something
interesting in "Modify SELinux policies": Memory protection. There
are four options in there. Two of them are enabled, with a description
that if having this enabled is required by some program, it should be
reported to Bugzilla. I didn't do it, because of very strange effects
after turning it off.

Disabling the "Allow all executable files to map memory areas as executable and
readable, which is dangerous and such program should be reported to"
and "Allow all executable files to mark stack as executable. That shouldn't
ever be required" options (translation from Polish) made the system act very
strangely. The first thing I observed was that the Kobo game stopped working.
GMPC stopped playing. Also stuff outside of Fedora like Java and the NVidia
drivers failed. So I would have had to "report to Bugzilla" too many
applications for it to make any sense. Such a bug report would only be
annoying, but according to system-config-securitylevel...

Java applications can be labeled java_exec_t (chcon -t java_exec_t PATHTOAPP). Please tell me the path of these apps, so I can set them to default, which will allow them to have this priv. NVidia should be told to fix their drivers. (Or open source them, their choice :^))

These memory checks are described here
SELinux Memory Protection Tests <http://people.redhat.com/%7Edrepper/selinux-mem.html>

The goal is to move towards eliminating writable/executable memory to help protect systems. For now, if you can run with these checked off, you are more secure. We realize that lots of apps are either broken or not labeled correctly, so we need to get the app vendors to fix their apps and to fix the labeling when it is wrong in SELinux.

I have enabled only "Allow all executable files to mark stack as
executable. That shouldn't ever be required", and everything except the
external NVidia drivers seems to work fine. The nv driver doesn't produce
any surprises. But when I disable even that, programs like Kobo Deluxe
and glxgears return a "Permission denied" error. Should I report these
programs to Bugzilla or ignore that hint?
Please attach the AVC messages from /var/log/audit/audit.log
What is it with these two options? To make everything work properly they
should be enabled, but their description says that they should be disabled,
which is
Thank you, and forgive me for any mess I've made with this post.
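As an added example (not code from this thread, from Fedora, or from the poster), here is a small POSIX shell script that does the triage Dan asks for above: it picks the memory-protection denials (execmem, execstack, execmod, execheap) out of audit.log lines and prints the usual next step for each one. The AVC lines are constructed samples, not the poster's real log; the allow_exec* boolean names and the textrel_shlib_t type used for execmod on a shared library are the Fedora conventions of that era and are assumed here; the suggested chcon/setsebool commands are printed, never executed.

```shell
#!/bin/sh
# Triage SELinux memory-protection denials from audit.log.
# Usage on a real system:  parse_mem_denials < /var/log/audit/audit.log | suggest_fix

# Constructed sample AVC records (NOT from the poster's machine). Each record
# names exactly one permission inside the braces, which is how these
# memory-protection denials normally appear.
SAMPLE_AVCS='type=AVC msg=audit(1178290712.123:45): avc:  denied  { execmem } for  pid=3412 comm="kobodl" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1178290713.456:46): avc:  denied  { execstack } for  pid=3450 comm="glxgears" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1178290714.789:47): avc:  denied  { execmod } for  pid=3450 comm="glxgears" path="/usr/lib/libGLcore.so.1.0.9755" dev=sda2 ino=123456 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1178290715.000:48): avc:  denied  { read } for  pid=3500 comm="gmpc" name="shadow" dev=sda2 ino=7 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file'

# Read AVC records on stdin; emit "perm comm path" for the four memory
# checks only ("-" when the record has no path=, i.e. a process-class denial).
parse_mem_denials() {
    awk '
    /avc: *denied *[{] *(execmem|execstack|execmod|execheap) *[}]/ {
        match($0, /[{] *[a-z]+ *[}]/)
        perm = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/ /, "", perm)
        comm = "?"; path = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/) { comm = $i; sub(/^comm="?/, "", comm); sub(/"$/, "", comm) }
            if ($i ~ /^path=/) { path = $i; sub(/^path="?/, "", path); sub(/"$/, "", path) }
        }
        print perm, comm, path
    }'
}

# Number of memory-protection denials on stdin (other AVCs are ignored).
count_mem_denials() {
    parse_mem_denials | awk 'END { print NR }'
}

# Turn each "perm comm path" line into the step a practitioner would take next.
# Relabelling is preferred over flipping a boolean, because setsebool -P
# allow_exec*=1 re-opens the protection for every domain on the box.
suggest_fix() {
    while read -r perm comm path; do
        case "$perm" in
            execmod)
                # Text relocation in a shared library: relabel just that library.
                printf 'execmod by %s on %s: chcon -t textrel_shlib_t %s (then retest)\n' \
                    "$comm" "$path" "$path" ;;
            execmem|execstack|execheap)
                if [ "$comm" = "java" ]; then
                    # Dan'\''s advice from the thread: give the JVM its own domain.
                    printf '%s by java: chcon -t java_exec_t PATHTOAPP\n' "$perm"
                else
                    printf '%s by %s: report to the vendor/Bugzilla; last resort: setsebool -P allow_%s=1 (weakens every process)\n' \
                        "$perm" "$comm" "$perm"
                fi ;;
        esac
    done
}

# Stand-alone demo over the constructed sample.
demo() {
    printf '%s\n' "$SAMPLE_AVCS" | parse_mem_denials | suggest_fix
}

demo
```

On a live Fedora box of that vintage the same functions would be fed with `ausearch -m AVC -ts today | parse_mem_denials | suggest_fix`; the gmpc `read` denial in the sample is deliberately ignored because it is a file-access problem, not one of the four memory checks the dialog controls.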
