FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora SELinux Support

 
 
LinkBack Thread Tools
 
Old 12-27-2009, 11:48 AM
Klaus Lichtenwalder
 
Default allow_exec{mem,stack} default to on?

Hi,

just checked to freshly installed Fedora 12 machines, and found
allow_execmem --> on
allow_execstack --> on
Is there a reason for this, as the comment in semanage strongly
discourages it? Or did I install a package that switches those booleans?

Klaus

--
------------------------------------------------------------------------
Klaus Lichtenwalder, Dipl. Inform., http://lklaus.homelinux.org/Klaus/
PGP Key fingerprint: A5C0 F73A 2C83 96EE 766B 9C62 DB6D 1258 0E9B B6D1

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 12-27-2009, 03:41 PM
Dominick Grift
 
Default allow_exec{mem,stack} default to on?

On Sun, Dec 27, 2009 at 01:48:03PM +0100, Klaus Lichtenwalder wrote:
> Hi,
>
> just checked to freshly installed Fedora 12 machines, and found
> allow_execmem --> on
> allow_execstack --> on
> Is there a reason for this, as the comment in semanage strongly
> discourages it? Or did I install a package that switches those booleans?
I am not sure about the official reason but i think it is true that atleast execmem by unconfined_t is allowed by default.
If you so desire you can switch it off.

Personally i can imagine why these permissions are allowed by default for unconfined_t. unconfined_t is designed to be unconfined, thus in that theory execmem, execmod. execstack and execheap would be allowed by unrestricted processes.

If you want to protect/restrict user processes, than consider defaulting to restricted user domains instead of unrestricted user domains. (just a general advise)

>
> Klaus
>
> --
> ------------------------------------------------------------------------
> Klaus Lichtenwalder, Dipl. Inform., http://lklaus.homelinux.org/Klaus/
> PGP Key fingerprint: A5C0 F73A 2C83 96EE 766B 9C62 DB6D 1258 0E9B B6D1
>



> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 12-27-2009, 04:24 PM
Dominick Grift
 
Default allow_exec{mem,stack} default to on?

On Sun, Dec 27, 2009 at 01:48:03PM +0100, Klaus Lichtenwalder wrote:
> Hi,
>
> just checked to freshly installed Fedora 12 machines, and found
> allow_execmem --> on
> allow_execstack --> on
> Is there a reason for this, as the comment in semanage strongly
> discourages it? Or did I install a package that switches those booleans?

By default SELinux is pretty permissive (much is allowed). However you can very much tighten the configuration.

A few things to do:

map all your Linux logins to confined SELinux users
disable the unconfined module
lock-down your booleans
...and much more...
>
> Klaus
>
> --
> ------------------------------------------------------------------------
> Klaus Lichtenwalder, Dipl. Inform., http://lklaus.homelinux.org/Klaus/
> PGP Key fingerprint: A5C0 F73A 2C83 96EE 766B 9C62 DB6D 1258 0E9B B6D1
>



> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 12-27-2009, 05:11 PM
Ryan Gandy
 
Default allow_exec{mem,stack} default to on?

Hello Klaus,

Personally I'd suggest turning off exec (mem, heap, stack); mapping your user role to staff_u and then disallowing unconfined logins; turning on secure_mode and secure_mode_policyload.* setsebool -P <name_of_boolean> <value> should take care of that last from single user mode.


---------- Forwarded message ----------
From: Dominick Grift <domg472@gmail.com>
Date: Sun, Dec 27, 2009 at 12:24 PM

Subject: Re: allow_exec{mem,stack} default to on?
To: fedora-selinux-list@redhat.com


On Sun, Dec 27, 2009 at 01:48:03PM +0100, Klaus Lichtenwalder wrote:


> Hi,

>

> just checked to freshly installed Fedora 12 machines, and found

> * * * allow_execmem --> on

> * * * allow_execstack --> on

> Is there a reason for this, as the comment in semanage strongly

> discourages it? Or did I install a package that switches those booleans?



By default SELinux is pretty permissive (much is allowed). However you can very much tighten the configuration.



A few things to do:



map all your Linux logins to confined SELinux users

disable the unconfined module

lock-down your booleans

...and much more...

>

> Klaus

>

> --

> ------------------------------------------------------------------------

> *Klaus Lichtenwalder, Dipl. Inform., *http://lklaus.homelinux.org/Klaus/

> *PGP Key fingerprint: A5C0 F73A 2C83 96EE 766B *9C62 DB6D 1258 0E9B B6D1

>







> --

> fedora-selinux-list mailing list

> fedora-selinux-list@redhat.com

> https://www.redhat.com/mailman/listinfo/fedora-selinux-list




--

fedora-selinux-list mailing list

fedora-selinux-list@redhat.com

https://www.redhat.com/mailman/listinfo/fedora-selinux-list


--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 12-27-2009, 05:43 PM
Klaus Lichtenwalder
 
Default allow_exec{mem,stack} default to on?

Hi,

thanks for all your answers. It's correct, if I wanted to go the secure
road, I should map all users to some (more specific) role than is the
default. Considering the situation I think I can stay with the default
rights, as they are probably layed out fine (for default use, i.e. what
I need :-) ) In the meantime, I found some boinc jobs, that need
allow_execmem. Guess I can live with that, and will come back again when
I start my first policies or refinements of some, I do have some on
target, already, so beware ;-)

Klaus

On Sun, 2009-12-27 at 13:11 -0500, Ryan Gandy wrote:
> Hello Klaus,
>
> Personally I'd suggest turning off exec (mem, heap, stack); mapping
> your user role to staff_u and then disallowing unconfined logins;
> turning on secure_mode and secure_mode_policyload. setsebool -P
> <name_of_boolean> <value> should take care of that last from single
> user mode.
>
> ---------- Forwarded message ----------
> From: Dominick Grift <domg472@gmail.com>
> Date: Sun, Dec 27, 2009 at 12:24 PM
> Subject: Re: allow_exec{mem,stack} default to on?
> To: fedora-selinux-list@redhat.com
>
>
> On Sun, Dec 27, 2009 at 01:48:03PM +0100, Klaus Lichtenwalder wrote:
>
> > Hi,
> >
> > just checked to freshly installed Fedora 12 machines, and found
> > allow_execmem --> on
> > allow_execstack --> on
> > Is there a reason for this, as the comment in semanage strongly
> > discourages it? Or did I install a package that switches those
> booleans?
>
>
> By default SELinux is pretty permissive (much is allowed). However you
> can very much tighten the configuration.
>
...
>
> map all your Linux logins to confined SELinux users
> disable the unconfined module
> lock-down your booleans
> ...and much more...


--
------------------------------------------------------------------------
Klaus Lichtenwalder, Dipl. Inform., http://lklaus.homelinux.org/Klaus/
PGP Key fingerprint: A5C0 F73A 2C83 96EE 766B 9C62 DB6D 1258 0E9B B6D1

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 12-30-2009, 01:23 PM
Daniel J Walsh
 
Default allow_exec{mem,stack} default to on?

On 12/27/2009 01:43 PM, Klaus Lichtenwalder wrote:
> Hi,
>
> thanks for all your answers. It's correct, if I wanted to go the secure
> road, I should map all users to some (more specific) role than is the
> default. Considering the situation I think I can stay with the default
> rights, as they are probably layed out fine (for default use, i.e. what
> I need :-) ) In the meantime, I found some boinc jobs, that need
> allow_execmem. Guess I can live with that, and will come back again when
> I start my first policies or refinements of some, I do have some on
> target, already, so beware ;-)
>
> Klaus
>
> On Sun, 2009-12-27 at 13:11 -0500, Ryan Gandy wrote:
>> Hello Klaus,
>>
>> Personally I'd suggest turning off exec (mem, heap, stack); mapping
>> your user role to staff_u and then disallowing unconfined logins;
>> turning on secure_mode and secure_mode_policyload. setsebool -P
>> <name_of_boolean> <value> should take care of that last from single
>> user mode.
>>
>> ---------- Forwarded message ----------
>> From: Dominick Grift <domg472@gmail.com>
>> Date: Sun, Dec 27, 2009 at 12:24 PM
>> Subject: Re: allow_exec{mem,stack} default to on?
>> To: fedora-selinux-list@redhat.com
>>
>>
>> On Sun, Dec 27, 2009 at 01:48:03PM +0100, Klaus Lichtenwalder wrote:
>>
>>> Hi,
>>>
>>> just checked to freshly installed Fedora 12 machines, and found
>>> allow_execmem --> on
>>> allow_execstack --> on
>>> Is there a reason for this, as the comment in semanage strongly
>>> discourages it? Or did I install a package that switches those
>> booleans?
>>
>>
>> By default SELinux is pretty permissive (much is allowed). However you
>> can very much tighten the configuration.
>>
> ..
>>
>> map all your Linux logins to confined SELinux users
>> disable the unconfined module
>> lock-down your booleans
>> ...and much more...
>
>
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
I have tried many times to turn off the allow_execmem and allow_execstack booleans. The problem is there is too much badly written code and too many unknown executables out there that require execmem and execstack. Including stuff that is downloaded to the homedir.

allow_execmem was on by default in F12 and allow_execstack has been turned on by default in newer policies, although this will only happen on fresh installs with the new policy. Updates NEVER change boolean settings.

I would advise people who know what they are doing to turn off this booleans, but turning them on by default inflicts too much pain.

allow_execmod and allow_execheap are off by default.

These booleans only effect unconfined domains. So evey confined domain will enforce the execmem and execstack access control regardless of their settings.

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 12-30-2009, 01:52 PM
Klaus Lichtenwalder
 
Default allow_exec{mem,stack} default to on?

Am Mittwoch, den 30.12.2009, 09:23 -0500 schrieb Daniel J Walsh:

> allow_execmem was on by default in F12 and allow_execstack has been
> turned on by default in newer policies, although this will only happen
> on fresh installs with the new policy. Updates NEVER change boolean
> settings.

I did an install with the netintall CD, so kind of fresh install with
the new policy
>
> I would advise people who know what they are doing to turn off this
> booleans, but turning them on by default inflicts too much pain.
>
> allow_execmod and allow_execheap are off by default.
>
> These booleans only effect unconfined domains. So evey confined
> domain will enforce the execmem and execstack access control
> regardless of their settings.

At the moment I have
allow_execheap --> off
allow_execmem --> on
allow_execmod --> off
allow_execstack --> off

As the boinc_client needs execmem. Guess I'll file a bug with them, as
I'm more comfortable with this off...

Which brings me to the point, I should check whether the *service* boinc
(which I don't use) is running unconfined...

Interestingly I have another application, for homebanking, that's
throwing the famous mmap_zero violation. Which I still don't allow and
the application doesn't care... Probably lot's of bugs in their code and
code pathes that aren't too important :-)

Klaus

--
------------------------------------------------------------------------
Klaus Lichtenwalder, Dipl. Inform., http://lklaus.homelinux.org/Klaus/
PGP Key fingerprint: A5C0 F73A 2C83 96EE 766B 9C62 DB6D 1258 0E9B B6D1

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 12-31-2009, 01:11 PM
Daniel J Walsh
 
Default allow_exec{mem,stack} default to on?

On 12/30/2009 09:52 AM, Klaus Lichtenwalder wrote:
> Am Mittwoch, den 30.12.2009, 09:23 -0500 schrieb Daniel J Walsh:
>
>> allow_execmem was on by default in F12 and allow_execstack has been
>> turned on by default in newer policies, although this will only happen
>> on fresh installs with the new policy. Updates NEVER change boolean
>> settings.
>
> I did an install with the netintall CD, so kind of fresh install with
> the new policy
>>
>> I would advise people who know what they are doing to turn off this
>> booleans, but turning them on by default inflicts too much pain.
>>
>> allow_execmod and allow_execheap are off by default.
>>
>> These booleans only effect unconfined domains. So evey confined
>> domain will enforce the execmem and execstack access control
>> regardless of their settings.
>
> At the moment I have
> allow_execheap --> off
> allow_execmem --> on
> allow_execmod --> off
> allow_execstack --> off
>
> As the boinc_client needs execmem. Guess I'll file a bug with them, as
> I'm more comfortable with this off...
>
> Which brings me to the point, I should check whether the *service* boinc
> (which I don't use) is running unconfined...
>
> Interestingly I have another application, for homebanking, that's
> throwing the famous mmap_zero violation. Which I still don't allow and
> the application doesn't care... Probably lot's of bugs in their code and
> code pathes that aren't too important :-)
>
Is this a wine application? Wine seems to throw this error even though it only needs it for very old DOS type apps.

> Klaus
>
>
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 12-31-2009, 01:30 PM
Klaus Lichtenwalder
 
Default allow_exec{mem,stack} default to on?

Am Donnerstag, den 31.12.2009, 09:11 -0500 schrieb Daniel J Walsh:
> On 12/30/2009 09:52 AM, Klaus Lichtenwalder wrote:
[...]
> >
> > Interestingly I have another application, for homebanking, that's
> > throwing the famous mmap_zero violation. Which I still don't allow and
> > the application doesn't care... Probably lot's of bugs in their code and
> > code pathes that aren't too important :-)
> >
> Is this a wine application? Wine seems to throw this error even though it only needs it for very old DOS type apps.
>
No, it is indeed a native linux binary, but the Windows heredity shows.
It does have some minor issues with windowing though, but otherwise ok.
And I have lots of data in it ...

Klaus
--
------------------------------------------------------------------------
Klaus Lichtenwalder, Dipl. Inform., http://lklaus.homelinux.org/Klaus/
PGP Key fingerprint: A5C0 F73A 2C83 96EE 766B 9C62 DB6D 1258 0E9B B6D1

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 

Thread Tools




All times are GMT. The time now is 10:46 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org