05-08-2007, 01:20 PM
Daniel J Walsh

Memory protection and system-config-securitylevel

Kamil J. Dudek wrote:
> On Fri, 04-05-2007 at 11:30 -0400, Daniel J Walsh wrote:
>
>> Kamil wrote:
>>
>>> Hello everybody
>>> Forgive me, if this subject has already been mentioned here, but I
>>> simply couldn't find answer anywhere.
>>>
>>> A few days ago I started system-config-securitylevel. I found something
>>> interesting in "Modify SELinux policies". A memory protection - there
>>> are four options in there. Two of them are enabled, with a description
>>> that if having this enabled is required by some program, it should be
>>> reported to bugzilla. I didn't do it, because of very strange effects
>>> after turning it off.
>>>
>>> Disabling
>>> "Allow all executable files to map memory areas as executable and
>>> readable, which is dangerous and such program should be reported to
>>> bugzilla"
>>> and
>>> "Allow all executable files to mark stack as executable. That shouldn't
>>> ever be required"
>>> option (translation from Polish) made the system act very strange. First
>>> thing I've observed was that Kobo game stopped working. GMPC stopped
>>> playing. Also stuff outside of Fedora like Java and NVidia drivers
>>> failed. So I should have "reported to bugzilla" too many applications to
>>> make it have any sense. Such bug report would be only annoying but
>>> according to system-config-securitylevel...
>>>
>>>
>>>
>> Java applications can be labeled java_exec_t (chcon -t java_exec_t
>> PATHTOAPP). Please tell me the path of these apps, so I can set them to
>> default, which will allow them to have this priv. NVidia should be
>> told to fix their drivers. (Or open source them, their choice :^))
>>
>> These memory checks are described here
>> SELinux Memory Protection Tests
>> <http://people.redhat.com/%7Edrepper/selinux-mem.html>
>>
>> The goal is to move towards eliminating Writable/Executable memory to
>> help protect systems.
>> For now if you can run with these checked off, you are more secure. We
>> realize that lots of apps are either broken or not labeled correctly.
>> So we need to get the app vendors to fix their apps and to fix the
>> labeling when it is wrong in SELinux.
>>
>
> I have enabled only "Allow all executable files to mark stack as
> executable. That shouldn't ever be required". And everything except
> external NVidia drivers seems to work fine. The nv driver doesn't make
> any surprises. But when I disable even that, programs like Kobo Deluxe
> and glxgears return "Permission denied" error. Should I report these
> programs to Bugzilla or ignore that hint?
>
Please attach the avc messages from /var/log/audit/audit.log
>>
>>> What is it with these two options? To make everything work properly they
>>> should be enabled, but their description that they should be disabled is
>>> confusing.
>>>
>>> Thank you and forgive me any mess I've done by this post
>>>
>>>
>>>



--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
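
The reply above asks for the AVC messages from /var/log/audit/audit.log; the following is an added example, not part of the original thread, that pulls out only the denials tied to the memory protection checks and groups them by program. The log lines are constructed samples (pids, timestamps and the `kobodl` command name are made up), and `execmem`, `execstack`, `execheap` and `execmod` are the SELinux permissions those checks govern.

```python
import re
from collections import Counter

# Permissions governed by the SELinux memory protection checks.
MEM_PERMS = {"execmem", "execstack", "execheap", "execmod"}
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample lines in audit.log format (not taken from the thread).
CTX = "user_u:system_r:unconfined_t:s0"
SAMPLE_LOG = f"""\
type=AVC msg=audit(1178630400.101:41): avc:  denied  {{ execstack }} for  pid=2301 comm="glxgears" scontext={CTX} tcontext={CTX} tclass=process
type=AVC msg=audit(1178630401.202:42): avc:  denied  {{ execmem }} for  pid=2310 comm="kobodl" scontext={CTX} tcontext={CTX} tclass=process
type=AVC msg=audit(1178630402.303:43): avc:  denied  {{ read }} for  pid=2400 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1178630402.303:43): arch=40000003 syscall=5 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1178630405.404:44): avc:  denied  {{ execstack }} for  pid=2302 comm="glxgears" scontext={CTX} tcontext={CTX} tclass=process
"""

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other records."""
    if "type=AVC" not in line:
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {key: value.strip('"') for key, value in FIELD_RE.findall(m.group(2))}
    rec["perms"] = set(m.group(1).split())
    return rec

def memory_denials(lines):
    """Count memory-protection denials per (command, permission, source domain)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        parts = rec.get("scontext", "").split(":")
        domain = parts[2] if len(parts) > 2 else "?"
        for perm in rec["perms"] & MEM_PERMS:
            counts[(rec.get("comm", "?"), perm, domain)] += 1
    return counts

if __name__ == "__main__":
    for (comm, perm, domain), n in sorted(memory_denials(SAMPLE_LOG.splitlines()).items()):
        print(f"{n:3d}  {perm:<10} {comm:<12} {domain}")
```

To run it against a real log, pass the lines of /var/log/audit/audit.log to `memory_denials` instead of `SAMPLE_LOG`.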
 
