On Wed, Feb 20, 2013 at 12:48 PM, Maurizio Pagani Gmail <span dir="ltr"><<a href="mailto:pag.maurizio@gmail.com" target="_blank">pag.maurizio@gmail.com</a>></span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="IT" link="blue" vlink="purple"><div><p class="MsoNormal">Hi there,<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><span lang="EN-US">I’ve a question about “exec-shield”, pratically, in some servers SELinux it’s Disabled, but I see that “exec-shield” is enabled:<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-US">******************************************<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US">[root@app12trnr TSCM]# sysctl -a|grep -i exec<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">kernel.exec-shield = <b>1</b><u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US">[root@app12trnr TSCM]# sestatus<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US">SELinux status: <b>disabled<u></u><u></u></b></span></p>
<p class="MsoNormal"><span lang="EN-US">******************************************<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p><p><u></u><span lang="EN-US"><span>-<span style="font:7.0pt "Times New Roman""> </span></span></span><u></u><span lang="EN-US">Now, the question is: also if SELinux is Disabled, the exec-shield works normally? And if the answer is “yes”, with wich criteria the exec-shield block an application to write on memory?<u></u><u></u></span></p>
<p><u></u><span lang="EN-US"><span>-<span style="font:7.0pt "Times New Roman""> </span></span></span><u></u><span lang="EN-US">Because I think that only SELinux can manage “exec-shield” for decide with wich criteria can block something to write on memory. Because I saw that there is “process object class” with some permissions that specify proper “execheap, execstack, and go on” for manage “allow/deny”.</span></p>
</div></div></blockquote><div><br></div><div>IMHO, not so. <font face="times new roman, serif">SELinux supplements Exec Shield by providing policy control over mmap/mprotect with PROT_EXEC, enabling one to control the ability to make executable</font></div>
<pre><font face="times new roman, serif">mappings that are writable.
<a rel="nofollow" href="http://people.redhat.com/drepper/nonselsec.pdf">http://people.redhat.com/drepper/nonselsec.pdf </a>
</font></pre><div><font face="times new roman, serif"><a rel="nofollow" href="http://people.redhat.com/drepper/selinux-mem.html">http://people.redhat.com/drepper/selinux-mem.html</a> </font></div><div><font face="times new roman, serif"><br>
</font></div><div><font face="times new roman, serif">Here another good explanation <a href="http://www.redhat.com/archives/fedora-selinux-list/2005-December/msg00062.html">http://www.redhat.com/archives/fedora-selinux-list/2005-December/msg00062.html</a></font></div>
<div><font face="times new roman, serif"><br></font></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="IT" link="blue" vlink="purple"><div><p><span lang="EN-US"><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-US">I hope I was clear with the question.<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US">Thanks in advance,<span class="HOEnZb"><font color="#888888"><u></u><u></u></font></span></span></p>
<span class="HOEnZb"><font color="#888888"><p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-US">Maurizio Pagani<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p></font></span></div></div>
<br>--<br>
selinux mailing list<br>
<a href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a><br>
<a href="https://admin.fedoraproject.org/mailman/listinfo/selinux" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/selinux</a><br></blockquote></div><br>