Re: Execmem boolean
On Wed, 2005-06-29 at 13:33 -0400, Daniel J Walsh wrote:
> Problem is with third-party apps. They don't get labeled texrel_shlib_t
> and therefore do not work.
>
> allow execmod allows them to work with the shlib_t label. We can change
> this to targeted vs. strict.
IMHO, we can allow execmod to texrel_shlib_t without requiring a boolean
around it at all. Only case where I would care to shut off execmod is
for anything not explicitly labeled texrel_shlib_t, as that label
already indicates an explicit decision to allow text relocation on that
file. Hence, we can keep wider execmod access (e.g. to shlib_t,
home_type, file_type, whatever) restricted via allow_execmod, and just
always include execmod to texrel_shlib_t. Strict policy likely
shouldn't allow execmod to anything but texrel_shlib_t, and can thus
omit the boolean altogether.
> Did these get added as default allow? If policy is 19 or less? Deny if
> policy > 19?
>
> I don't think we should add any more access checks without bumping the
> policy version and putting that logic in.
Well, they are already in 2.6.13-rc1, and no, they are not tied to a
particular policy version. I think FC4 targeted policy already allows
them for unconfined domains.
--
Stephen Smalley
National Security Agency
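The labeling question above (which third-party libraries actually need texrel_shlib_t rather than shlib_t) is decided by whether the object carries text relocations, which the dynamic section records as a DT_TEXTREL entry or the DF_TEXTREL bit in DT_FLAGS. The script below is an added example for this archive page, not code from the message or from the SELinux policy sources: it parses the ELF program headers to find PT_DYNAMIC, walks the dynamic entries, and reports which label the file would need. It handles ELF32 and ELF64 in either byte order; the sample images it builds are constructed inline so it runs offline, and the `main` path that scans files given on the command line is an assumed usage, not something the thread describes.

```python
"""Report which shared objects contain text relocations and therefore
need the texrel_shlib_t label instead of shlib_t.

Added example for this mailing-list page; not code from the original
message or from the SELinux policy.  Sample ELF images are constructed
inline (no real libraries are read unless paths are given on the command line).
"""
import struct
import sys

PT_DYNAMIC = 2
DT_NULL = 0
DT_TEXTREL = 22
DT_FLAGS = 30
DF_TEXTREL = 0x4


def _layout(data):
    """Return (struct byte-order prefix, EI_CLASS) from e_ident, or raise ValueError."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported ELF class or byte order")
    return ("<" if ei_data == 1 else ">"), ei_class


def dynamic_entries(data):
    """Yield (d_tag, d_val) pairs from the PT_DYNAMIC segment of an ELF image."""
    endian, ei_class = _layout(data)
    if ei_class == 2:  # ELF64: e_phoff is a 64-bit field, Elf64_Phdr has p_flags second
        ehdr = struct.unpack_from(endian + "16sHHIQQQIHHHHHH", data, 0)
        phdr_fmt, dyn_fmt = "IIQQQQQQ", "qQ"
    else:  # ELF32: 32-bit fields, Elf32_Phdr has p_flags after p_memsz
        ehdr = struct.unpack_from(endian + "16sHHIIIIIHHHHHH", data, 0)
        phdr_fmt, dyn_fmt = "IIIIIIII", "iI"
    phoff, phentsize, phnum = ehdr[5], ehdr[9], ehdr[10]
    dyn_size = struct.calcsize(endian + dyn_fmt)
    for i in range(phnum):
        ph = struct.unpack_from(endian + phdr_fmt, data, phoff + i * phentsize)
        if ph[0] != PT_DYNAMIC:
            continue
        p_offset, p_filesz = (ph[2], ph[5]) if ei_class == 2 else (ph[1], ph[4])
        end = min(p_offset + p_filesz, len(data))
        off = p_offset
        while off + dyn_size <= end:
            tag, val = struct.unpack_from(endian + dyn_fmt, data, off)
            if tag == DT_NULL:
                return
            yield tag, val
            off += dyn_size
        return


def has_text_relocations(data):
    """True if the object needs writable text at load time (DT_TEXTREL / DF_TEXTREL)."""
    for tag, val in dynamic_entries(data):
        if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
            return True
    return False


def suggested_label(data):
    """Label that lets the loader's execmod succeed under the policy discussed above."""
    return "texrel_shlib_t" if has_text_relocations(data) else "shlib_t"


def build_elf64(dyn_entries, endian="<"):
    """Construct a minimal ELF64 ET_DYN image whose only segment is PT_DYNAMIC (test input)."""
    dyn = b"".join(struct.pack(endian + "qQ", t, v) for t, v in dyn_entries)
    dyn += struct.pack(endian + "qQ", DT_NULL, 0)
    dyn_off = 64 + 56  # header + one program header
    ident = b"\x7fELF" + bytes([2, 1 if endian == "<" else 2, 1]) + bytes(9)
    ehdr = struct.pack(endian + "16sHHIQQQIHHHHHH", ident, 3, 62, 1, 0, 64, 0, 0,
                       64, 56, 1, 0, 0, 0)
    phdr = struct.pack(endian + "IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                       len(dyn), len(dyn), 8)
    return ehdr + phdr + dyn


def main(paths):
    """Print the suggested label for each path; non-ELF files are skipped."""
    for path in paths:
        with open(path, "rb") as f:
            data = f.read()
        try:
            print(f"{suggested_label(data):15} {path}")
        except ValueError as exc:
            print(f"skip {path}: {exc}", file=sys.stderr)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        main(sys.argv[1:])
    else:  # constructed samples, not real libraries
        print(suggested_label(build_elf64([(DT_FLAGS, DF_TEXTREL)])))
        print(suggested_label(build_elf64([])))
```

Run it over a third-party library directory and relabel whatever it reports as texrel_shlib_t; objects that show shlib_t do not need execmod at all and are better left under the boolean-gated rule. On systems where the type has since been renamed, substitute the current name for the string in `suggested_label`.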
--
This message was distributed to subscribers of the selinux mailing list.