Ivan Gyurdiev wrote:
Strict policy likely shouldn't allow execmod to anything but texrel_shlib_t, and can thus omit the boolean altogether.
Please don't break strict policy :( I still have some hope left to be able to run it on my home machine. The level of "strictness" should be configurable.
We could kill the allow_execmod/allow_execmem booleans, allow execmod to texrel, allow execmem for X,
Ok. Should be a boolean allow_X_execmem. Most people don't need execmem for X. (Only nvidia binary drivers)
and then have per app booleans for other things we don't trust (like Java applets?).