Re: [patch] remove MNT_NOEXEC check for PROT_EXEC mmaps

From: Ulrich Drepper
Date: Wed Oct 04 2006 - 13:31:10 EST

Next message: Andrew Morton: "Re: [PATCH] Fix WARN_ON / WARN_ON_ONCE regression"
Previous message: Andrew Morton: "Re: [PATCH] Fix WARN_ON / WARN_ON_ONCE regression"
In reply to: Kyle Moffett: "Re: [patch] remove MNT_NOEXEC check for PROT_EXEC mmaps"
Next in thread: Arjan van de Ven: "Re: [patch] remove MNT_NOEXEC check for PROT_EXEC mmaps"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 10/3/06, David Wagner <daw@xxxxxxxxxxxxxxx> wrote:

I wonder whether it is feasible to run with allow_exec{heap,mem,mod,stack}
all set to false, on a real system. Is there any example of a fully
worked out SELinux policy that has these set to false? FC5 has
allow_execheap set to false and all others set to true in its default
SELinux policy,

This is the default setting to minimize breakage. And it has been set
like this (in the FC6 devel cycle) only in the last minute. For most
of the devel cycle all were off. For the distribution as a hole there
is simply too much of a chance for something to break and make the
system appear unusable. This is mostly code in 3rd party apps.
Reason enough, unfortunately, for us to default on the safe side.

But I run my machines with everything turned off. We cleaned up the
code we ship so that this is possible.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Andrew Morton: "Re: [PATCH] Fix WARN_ON / WARN_ON_ONCE regression"
Previous message: Andrew Morton: "Re: [PATCH] Fix WARN_ON / WARN_ON_ONCE regression"
In reply to: Kyle Moffett: "Re: [patch] remove MNT_NOEXEC check for PROT_EXEC mmaps"
Next in thread: Arjan van de Ven: "Re: [patch] remove MNT_NOEXEC check for PROT_EXEC mmaps"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]