execmem

Stephen Smalley sds at tycho.nsa.gov
Thu Jan 12 13:07:57 UTC 2006


On Wed, 2006-01-11 at 13:56 -0600, Jason Dravet wrote:
> When execstack was turned off on December 9 and execmem and execmod were 
> turned off on December 10 several programs broke and I opened bugzilla 
> issues for them.  Now one of the programmers has contacted me about this, 
> but now the program works.  I am pretty sure the program was not fixed (I 
> have not updated it) as suggested by 
> http://people.redhat.com/drepper/selinux-mem.html.  I think the selinux 
> policy changed and allows the exec* access again.  How can I turn off this 
> access so the program can be fixed properly?
> 
> I tried the following command:
> setsebool -P allow_execmem=0 allow_execmod=0 allow_execheap=0
> and this is what I got:
> libsemanage.dbase_llist_set: record not found in the database
> libsemanage.dbase_llist_set: could not set record value
> Could not change policy booleans
> 
> I am running selinux-policy-targeted-2.1.8-3 and selinux-policy-2.1.8-3 in 
> enforcing mode on Fedora rawhide.

Hmm...that error message needs to be more informative - only one of
those booleans is undefined (allow_execheap - there is no boolean for
it).

-- 
Stephen Smalley
National Security Agency
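
An added example, not part of the original message: a shell helper that reports which of the requested boolean names are absent from a boolean listing, so the undefined one can be identified before running setsebool. The function name `undefined_booleans` and the sample listing are constructed for illustration; on a live system the listing would come from `getsebool -a`.

```shell
#!/bin/sh
# Added example: find the boolean names that the loaded policy does not define.

# Constructed sample in the "name --> state" layout printed by `getsebool -a`.
# The states are illustrative and not taken from the poster's system.
SAMPLE_BOOLEANS='allow_execmem --> on
allow_execmod --> on'

# undefined_booleans LISTING NAME...
# Prints each NAME that does not appear as the first field of a LISTING line.
undefined_booleans() {
    listing=$1
    shift
    for name in "$@"; do
        # Compare the whole first field, so a prefix such as "allow_exec"
        # is not mistaken for "allow_execmem".
        if ! printf '%s\n' "$listing" |
            awk -v n="$name" '$1 == n { found = 1 } END { exit !found }'
        then
            printf '%s\n' "$name"
        fi
    done
}

# On a live system, pass the real listing instead of the sample:
#   undefined_booleans "$(getsebool -a)" allow_execmem allow_execmod allow_execheap
missing=$(undefined_booleans "$SAMPLE_BOOLEANS" \
    allow_execmem allow_execmod allow_execheap)
if [ -n "$missing" ]; then
    echo "not defined in policy: $missing"
fi
```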



