[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Execmem boolean

To: ivg2@xxxxxxxxxxx
Subject: Re: Execmem boolean
From: Stephen Smalley <sds@xxxxxxxxxxxxx>
Date: Wed, 29 Jun 2005 15:00:54 -0400
Cc: Daniel J Walsh <dwalsh@xxxxxxxxxx>, selinux@xxxxxxxxxxxxx
In-reply-to: <1120071263.20484.45.camel@xxxxxxxxxxxxxxxxxxxxxxxxx>
Organization: National Security Agency
References: <1119822163.4357.9.camel@xxxxxxxxxxxxxxxxxxxxx> <1119883756.32316.74.camel@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> <42C2DB70.2070204@xxxxxxxxxx> <1120070997.3553.172.camel@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> <1120071263.20484.45.camel@xxxxxxxxxxxxxxxxxxxxxxxxx>
Sender: owner-selinux@xxxxxxxxxxxxx

On Wed, 2005-06-29 at 14:54 -0400, Ivan Gyurdiev wrote:
> Please don't break strict policy :(
> 
> I still have some hope left to be able to 
> run it on my home machine. The level of "strictness"
> should be configurable.
> 
> We could kill the allow_execmod/allow_execmem booleans,
> allow execmod to texrel, allow exemem for X,
> and then have per app booleans for other things we don't trust
> (like Java applets?). 

You'd also need something to enable/disable execmem for the user
domains, as not everything that wants it runs in its own domain yet.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.

References:
- Execmem boolean
  - From: Ivan Gyurdiev
- Re: Execmem boolean
  - From: Stephen Smalley
- Re: Execmem boolean
  - From: Daniel J Walsh
- Re: Execmem boolean
  - From: Stephen Smalley
- Re: Execmem boolean
  - From: Ivan Gyurdiev

Prev by Date: Re: RFC: jail functionality
Next by Date: RE: file contexts and modularity
Previous by thread: Re: Execmem boolean
Next by thread: Re: Execmem boolean
Index(es):
- Date
- Thread

This mailing list archive is a service of Copilot Consulting.