On Tue, 2009-03-17 at 17:49 +0100, Sebastian Pfaff wrote:
Does SELinux prevent exectution on the stack? If yes, how can i see
this. It would also be helpful, when i had an example which shows me a
denial of execstack (searching the log gave no results here). Or is
something wrong with my example?
I suppose, i have an wrong understanding adout how SELinux execstack
works. Please help to clarify this.
The SELinux execstack check only comes into play if the process calls
mprotect(...PROT_EXEC...) on the stack. It is just a policy control
over the ability of the process to mark its stack executable. If the
program was marked as requiring an executable stack, then that won't
ever happen - the kernel will set it up accordingly from the beginning.
http://people.redhat.com/drepper/selinux-mem.html
--
Stephen Smalley
National Security Agency