SELinux removed from desktop cd spin?

Daniel J Walsh dwalsh at redhat.com
Thu Jan 17 18:48:42 UTC 2008


David Malcolm wrote:
> On Thu, 2008-01-17 at 19:20 +0100, Till Maas wrote:
>> On Thu January 17 2008, Olivier Galibert wrote:
>>
>>> Now that's a superb example of one of the things that suck with
>>> selinux: put "allow_execmod" in google and try to find a page that
>>> actually explains what it means.
>> Here the 6th result is:
>> http://www.livejournal.com/go.bml?journal=danwalsh&itemid=13376&dir=next
>> And on that page is a link to:
>> http://people.redhat.com/~drepper/selinux-mem.html
>>
>> What are you missing there?
>  
> To be fair, are the policy types and booleans actually documented
> somewhere?  e.g. a set of manpages that could get autogenerated when the
> policy package is built? Does the policy source language support some
> kind of inline commenting that could be used doxygen-style to generate
> docs (and check doc coverage)? Obviously, this would be aimed more at
> the classic unix sysadmin rather than a desktop user.
> 
> 
> 

<tunable name="allow_execmem" dftval="false">
<desc>
<p>
Allow unconfined executables to map a memory region as both executable
and writable, this is dangerous and the executable should be reported in
bugzilla")
</p>
</desc>
</tunable>
<tunable name="allow_execmod" dftval="false">
<desc>


This is in policy and extracted out into

/usr/share/selinux/devel/policy.xml

But not currently in a man page.

audit2why and setroubleshoot are starting to use these definitions in
Fedora 9.
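As an added illustration (not part of the message and not SELinux project tooling), the following sketch reads tunable definitions in the shape of the excerpt above and lists each name, default and description, plus the entries that have no description, which is the "doc coverage" check asked about in the quoted question. It assumes only the `<tunable name= dftval=>` / `<desc>` / `<p>` layout shown in the excerpt; the enclosing `<policy>` element and the `example_tunable` and `undocumented_tunable` names are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the excerpt above. The first entry is the
# allow_execmem tunable quoted in the message; the other two names are
# hypothetical placeholders, not real policy booleans.
SAMPLE = """\
<policy>
<tunable name="allow_execmem" dftval="false">
<desc>
<p>
Allow unconfined executables to map a memory region as both executable
and writable, this is dangerous and the executable should be reported in
bugzilla
</p>
</desc>
</tunable>
<tunable name="example_tunable" dftval="true"><desc><p>Hypothetical entry.</p></desc></tunable>
<tunable name="undocumented_tunable" dftval="false"/>
</policy>
"""

def parse_tunables(xml_data):
    """Return {name: (default, description)} for every <tunable> element."""
    root = ET.fromstring(xml_data)
    out = {}
    for t in root.iter("tunable"):  # matches at any nesting depth
        # Join all <desc>/<p> paragraphs and collapse the line wrapping.
        paras = [" ".join("".join(p.itertext()).split()) for p in t.findall("./desc/p")]
        out[t.get("name")] = (t.get("dftval"), " ".join(p for p in paras if p))
    return out

def undocumented(tunables):
    """Names whose description is empty: a simple doc-coverage check."""
    return sorted(name for name, (_, desc) in tunables.items() if not desc)

if __name__ == "__main__":
    import sys
    # With no argument, run on the constructed sample; otherwise read a file
    # such as /usr/share/selinux/devel/policy.xml (the path given in the message).
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    tunables = parse_tunables(data)
    for name, (default, desc) in sorted(tunables.items()):
        print(f"{name} (default: {default})\n    {desc or '(no description)'}")
    print("undocumented:", undocumented(tunables))
```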



