execmod avcs from today's policy
Stephen Smalley
sds at epoch.ncsc.mil
Fri Jan 28 18:35:25 UTC 2005
On Fri, 2005-01-28 at 13:12, Stephen Smalley wrote:
> I think that the allow_execmod boolean only allows execmod permission to
> files labeled with the new texrel_shlib_t type. Or at least that is
> what it should do. Any existing occurrences of execmod permission in
> the policy should be changed to use texrel_shlib_t now that it is
> defined, and then any DSOs that require it should be relabeled to that
> type.
We should also wrap occurrences of execmem with a boolean, but a
separate one than the execmod rules. Might also want multiple booleans,
e.g. to allow certain programs without allowing all others.
--
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
More information about the selinux
mailing list