Hi,
thanks for all your answers. It's correct, if I wanted to go the secure
road, I should map all users to some (more specific) role than is the
default. Considering the situation I think I can stay with the default
rights, as they are probably laid out fine (for default use, i.e. what
I need :-) ). In the meantime, I found some BOINC jobs that need
allow_execmem. Guess I can live with that, and will come back again when
I start my first policies or refinements of some. I do have some on
target already, so beware ;-)
Klaus
On Sun, 2009-12-27 at 13:11 -0500, Ryan Gandy wrote:
Hello Klaus,
Personally I'd suggest turning off exec (mem, heap, stack); mapping
your user role to staff_u and then disallowing unconfined logins;
turning on secure_mode and secure_mode_policyload. setsebool -P
<name_of_boolean> <value> should take care of that last from single
user mode.
---------- Forwarded message ----------
From: Dominick Grift <domg472(a)gmail.com>
Date: Sun, Dec 27, 2009 at 12:24 PM
Subject: Re: allow_exec{mem,stack} default to on?
To: fedora-selinux-list(a)redhat.com
On Sun, Dec 27, 2009 at 01:48:03PM +0100, Klaus Lichtenwalder wrote:
> Hi,
>
> just checked two freshly installed Fedora 12 machines, and found
> allow_execmem --> on
> allow_execstack --> on
> Is there a reason for this, as the comment in semanage strongly
> discourages it? Or did I install a package that switches those
> booleans?
By default SELinux is pretty permissive (much is allowed). However you
can very much tighten the configuration.
...
map all your Linux logins to confined SELinux users
disable the unconfined module
lock-down your booleans
...and much more...
--
------------------------------------------------------------------------
Klaus Lichtenwalder, Dipl. Inform.,
http://lklaus.homelinux.org/Klaus/
PGP Key fingerprint: A5C0 F73A 2C83 96EE 766B 9C62 DB6D 1258 0E9B B6D1
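
An added example, not part of the original thread: a small audit that reads `getsebool -a` style output (the `name --> on` format quoted above) and prints the `setsebool -P` commands needed to reach the boolean settings suggested in the replies. The name `allow_execheap` is an assumption inferred from "exec (mem, heap, stack)", and the sample input is constructed.

```shell
#!/bin/sh
# Target state from the thread: exec{mem,heap,stack} off, secure_mode and
# secure_mode_policyload on. allow_execheap is an assumed boolean name.
DESIRED="allow_execmem=off allow_execheap=off allow_execstack=off secure_mode=on secure_mode_policyload=on"

# audit_booleans: read `getsebool -a` style lines ("name --> on|off") on stdin
# and print one `setsebool -P` command per boolean that differs from DESIRED.
# It only prints the commands; nothing is changed on the system.
audit_booleans() {
    awk -v desired="$DESIRED" '
        BEGIN {
            n = split(desired, pairs, " ")
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, "=")
                order[i] = kv[1]; want[kv[1]] = kv[2]
            }
        }
        # Accept only well-formed "name --> on|off" lines; skip anything else.
        NF == 3 && $2 == "-->" && ($3 == "on" || $3 == "off") { have[$1] = $3 }
        END {
            for (i = 1; i <= n; i++) {
                b = order[i]
                if (!(b in have))
                    print "# " b ": not reported by this policy"
                else if (have[b] != want[b])
                    print "setsebool -P " b " " want[b]
            }
        }'
}

# Constructed sample input (not captured from a real host).
SAMPLE='allow_execheap --> off
allow_execmem --> on
allow_execstack --> on
httpd_enable_cgi --> on
secure_mode --> off'

# Default: audit the sample. With --live: audit the running system.
if [ "${1:-}" = "--live" ]; then
    getsebool -a | audit_booleans
else
    printf '%s\n' "$SAMPLE" | audit_booleans
fi
```

Review the printed commands before applying them; as noted in the thread, some workloads (the BOINC jobs mentioned above) need `allow_execmem`.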