6:48 a.m.
Hi,
just checked to freshly installed Fedora 12 machines, and found
allow_execmem --> on
allow_execstack --> on
Is there a reason for this, as the comment in semanage strongly
discourages it? Or did I install a package that switches those booleans?
Klaus
--
------------------------------------------------------------------------
Klaus Lichtenwalder, Dipl. Inform., http://lklaus.homelinux.org/Klaus/
PGP Key fingerprint: A5C0 F73A 2C83 96EE 766B 9C62 DB6D 1258 0E9B B6D1
10:41 a.m.
On Sun, Dec 27, 2009 at 01:48:03PM +0100, Klaus Lichtenwalder wrote:
Hi,
just checked to freshly installed Fedora 12 machines, and found
allow_execmem --> on
allow_execstack --> on
Is there a reason for this, as the comment in semanage strongly
discourages it? Or did I install a package that switches those booleans?
I am not
sure about the official reason but i think it is true that atleast execmem by
unconfined_t is allowed by default.
If you so desire you can switch it off.
Personally i can imagine why these permissions are allowed by default for unconfined_t.
unconfined_t is designed to be unconfined, thus in that theory execmem, execmod. execstack
and execheap would be allowed by unrestricted processes.
If you want to protect/restrict user processes, than consider defaulting to restricted
user domains instead of unrestricted user domains. (just a general advise)
Klaus
--
------------------------------------------------------------------------
Klaus Lichtenwalder, Dipl. Inform., http://lklaus.homelinux.org/Klaus/
PGP Key fingerprint: A5C0 F73A 2C83 96EE 766B 9C62 DB6D 1258 0E9B B6D1
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
11:24 a.m.
On Sun, Dec 27, 2009 at 01:48:03PM +0100, Klaus Lichtenwalder wrote:
Hi,
just checked to freshly installed Fedora 12 machines, and found
allow_execmem --> on
allow_execstack --> on
Is there a reason for this, as the comment in semanage strongly
discourages it? Or did I install a package that switches those booleans?
By default SELinux is pretty permissive (much is allowed). However you can very much
tighten the configuration.
A few things to do:
map all your Linux logins to confined SELinux users
disable the unconfined module
lock-down your booleans
...and much more...
Klaus
--
------------------------------------------------------------------------
Klaus Lichtenwalder, Dipl. Inform., http://lklaus.homelinux.org/Klaus/
PGP Key fingerprint: A5C0 F73A 2C83 96EE 766B 9C62 DB6D 1258 0E9B B6D1
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
12:11 p.m.
Hello Klaus,
Personally I'd suggest turning off exec (mem, heap, stack); mapping your
user role to staff_u and then disallowing unconfined logins; turning on
secure_mode and secure_mode_policyload. setsebool -P <name_of_boolean>
<value> should take care of that last from single user mode.
---------- Forwarded message ----------
From: Dominick Grift <domg472(a)gmail.com>
Date: Sun, Dec 27, 2009 at 12:24 PM
Subject: Re: allow_exec{mem,stack} default to on?
To: fedora-selinux-list(a)redhat.com
On Sun, Dec 27, 2009 at 01:48:03PM +0100, Klaus Lichtenwalder wrote:
Hi,
just checked to freshly installed Fedora 12 machines, and found
allow_execmem --> on
allow_execstack --> on
Is there a reason for this, as the comment in semanage strongly
discourages it? Or did I install a package that switches those booleans?
By default SELinux is pretty permissive (much is allowed). However you can
very much tighten the configuration.
A few things to do:
map all your Linux logins to confined SELinux users
disable the unconfined module
lock-down your booleans
...and much more...
Klaus
--
------------------------------------------------------------------------
Klaus Lichtenwalder, Dipl. Inform., http://lklaus.homelinux.org/Klaus/
PGP Key fingerprint: A5C0 F73A 2C83 96EE 766B 9C62 DB6D 1258 0E9B B6D1
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
12:43 p.m.
Hi,
thanks for all your answers. It's correct, if I wanted to go the secure
road, I should map all users to some (more specific) role than is the
default. Considering the situation I think I can stay with the default
rights, as they are probably layed out fine (for default use, i.e. what
I need :-) ) In the meantime, I found some boinc jobs, that need
allow_execmem. Guess I can live with that, and will come back again when
I start my first policies or refinements of some, I do have some on
target, already, so beware ;-)
Klaus
On Sun, 2009-12-27 at 13:11 -0500, Ryan Gandy wrote:
Hello Klaus,
Personally I'd suggest turning off exec (mem, heap, stack); mapping
your user role to staff_u and then disallowing unconfined logins;
turning on secure_mode and secure_mode_policyload. setsebool -P
<name_of_boolean> <value> should take care of that last from single
user mode.
---------- Forwarded message ----------
From: Dominick Grift <domg472(a)gmail.com>
Date: Sun, Dec 27, 2009 at 12:24 PM
Subject: Re: allow_exec{mem,stack} default to on?
To: fedora-selinux-list(a)redhat.com
On Sun, Dec 27, 2009 at 01:48:03PM +0100, Klaus Lichtenwalder wrote:
> Hi,
>
> just checked to freshly installed Fedora 12 machines, and found
> allow_execmem --> on
> allow_execstack --> on
> Is there a reason for this, as the comment in semanage strongly
> discourages it? Or did I install a package that switches those
booleans?
By default SELinux is pretty permissive (much is allowed). However you
can very much tighten the configuration.
...
map all your Linux logins to confined SELinux users
disable the unconfined module
lock-down your booleans
...and much more...
--
------------------------------------------------------------------------
Klaus Lichtenwalder, Dipl. Inform., http://lklaus.homelinux.org/Klaus/
PGP Key fingerprint: A5C0 F73A 2C83 96EE 766B 9C62 DB6D 1258 0E9B B6D1
8:23 a.m.
On 12/27/2009 01:43 PM, Klaus Lichtenwalder wrote:
Hi,
thanks for all your answers. It's correct, if I wanted to go the secure
road, I should map all users to some (more specific) role than is the
default. Considering the situation I think I can stay with the default
rights, as they are probably layed out fine (for default use, i.e. what
I need :-) ) In the meantime, I found some boinc jobs, that need
allow_execmem. Guess I can live with that, and will come back again when
I start my first policies or refinements of some, I do have some on
target, already, so beware ;-)
Klaus
On Sun, 2009-12-27 at 13:11 -0500, Ryan Gandy wrote:
> Hello Klaus,
>
> Personally I'd suggest turning off exec (mem, heap, stack); mapping
> your user role to staff_u and then disallowing unconfined logins;
> turning on secure_mode and secure_mode_policyload. setsebool -P
> <name_of_boolean> <value> should take care of that last from single
> user mode.
>
> ---------- Forwarded message ----------
> From: Dominick Grift <domg472(a)gmail.com>
> Date: Sun, Dec 27, 2009 at 12:24 PM
> Subject: Re: allow_exec{mem,stack} default to on?
> To: fedora-selinux-list(a)redhat.com
>
>
> On Sun, Dec 27, 2009 at 01:48:03PM +0100, Klaus Lichtenwalder wrote:
>
>> Hi,
>>
>> just checked to freshly installed Fedora 12 machines, and found
>> allow_execmem --> on
>> allow_execstack --> on
>> Is there a reason for this, as the comment in semanage strongly
>> discourages it? Or did I install a package that switches those
> booleans?
>
>
> By default SELinux is pretty permissive (much is allowed). However you
> can very much tighten the configuration.
>
..
>
> map all your Linux logins to confined SELinux users
> disable the unconfined module
> lock-down your booleans
> ...and much more...
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
I have tried many times
to turn off the allow_execmem and allow_execstack booleans. The problem is there is too
much badly written code and too many unknown executables out there that require execmem
and execstack. Including stuff that is downloaded to the homedir.
allow_execmem was on by default in F12 and allow_execstack has been turned on by default
in newer policies, although this will only happen on fresh installs with the new policy.
Updates NEVER change boolean settings.
I would advise people who know what they are doing to turn off this booleans, but turning
them on by default inflicts too much pain.
allow_execmod and allow_execheap are off by default.
These booleans only effect unconfined domains. So evey confined domain will enforce the
execmem and execstack access control regardless of their settings.
8:52 a.m.
Am Mittwoch, den 30.12.2009, 09:23 -0500 schrieb Daniel J Walsh:
allow_execmem was on by default in F12 and allow_execstack has been
turned on by default in newer policies, although this will only happen
on fresh installs with the new policy. Updates NEVER change boolean
settings.
I did an install with the netintall CD, so kind of fresh install with
the new policy
I would advise people who know what they are doing to turn off this
booleans, but turning them on by default inflicts too much pain.
allow_execmod and allow_execheap are off by default.
These booleans only effect unconfined domains. So evey confined
domain will enforce the execmem and execstack access control
regardless of their settings.
At the moment I have
allow_execheap --> off
allow_execmem --> on
allow_execmod --> off
allow_execstack --> off
As the boinc_client needs execmem. Guess I'll file a bug with them, as
I'm more comfortable with this off...
Which brings me to the point, I should check whether the *service* boinc
(which I don't use) is running unconfined...
Interestingly I have another application, for homebanking, that's
throwing the famous mmap_zero violation. Which I still don't allow and
the application doesn't care... Probably lot's of bugs in their code and
code pathes that aren't too important :-)
Klaus
--
------------------------------------------------------------------------
Klaus Lichtenwalder, Dipl. Inform., http://lklaus.homelinux.org/Klaus/
PGP Key fingerprint: A5C0 F73A 2C83 96EE 766B 9C62 DB6D 1258 0E9B B6D1
8:11 a.m.
On 12/30/2009 09:52 AM, Klaus Lichtenwalder wrote:
Am Mittwoch, den 30.12.2009, 09:23 -0500 schrieb Daniel J Walsh:
> allow_execmem was on by default in F12 and allow_execstack has been
> turned on by default in newer policies, although this will only happen
> on fresh installs with the new policy. Updates NEVER change boolean
> settings.
I did an install with the netintall CD, so kind of fresh install with
the new policy
>
> I would advise people who know what they are doing to turn off this
> booleans, but turning them on by default inflicts too much pain.
>
> allow_execmod and allow_execheap are off by default.
>
> These booleans only effect unconfined domains. So evey confined
> domain will enforce the execmem and execstack access control
> regardless of their settings.
At the moment I have
allow_execheap --> off
allow_execmem --> on
allow_execmod --> off
allow_execstack --> off
As the boinc_client needs execmem. Guess I'll file a bug with them, as
I'm more comfortable with this off...
Which brings me to the point, I should check whether the *service* boinc
(which I don't use) is running unconfined...
Interestingly I have another application, for homebanking, that's
throwing the famous mmap_zero violation. Which I still don't allow and
the application doesn't care... Probably lot's of bugs in their code and
code pathes that aren't too important :-)
Is this a wine application? Wine seems to throw this error even though it only
needs it for very old DOS type apps.
Klaus
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
8:30 a.m.
Am Donnerstag, den 31.12.2009, 09:11 -0500 schrieb Daniel J Walsh:
On 12/30/2009 09:52 AM, Klaus Lichtenwalder wrote:
[...]
>
> Interestingly I have another application, for homebanking, that's
> throwing the famous mmap_zero violation. Which I still don't allow and
> the application doesn't care... Probably lot's of bugs in their code and
> code pathes that aren't too important :-)
>
Is this a wine application? Wine seems to throw this error even though it only needs it
for very old DOS type apps.
No, it is indeed a native linux binary, but the Windows heredity shows.
It does have some minor issues with windowing though, but otherwise ok.
And I have lots of data in it ...
Klaus
--
------------------------------------------------------------------------
Klaus Lichtenwalder, Dipl. Inform., http://lklaus.homelinux.org/Klaus/
PGP Key fingerprint: A5C0 F73A 2C83 96EE 766B 9C62 DB6D 1258 0E9B B6D1
5223
days inactive
5227
days old
selinux@lists.fedoraproject.org
8 comments
4 participants
participants (4)
-
Daniel J Walsh -
Dominick Grift -
Klaus Lichtenwalder -
Ryan Anthony