Memory protection and system-config-securitylevel

Kamil J. Dudek dj-oko at o2.pl
Sat May 5 19:38:24 UTC 2007


On Fri, 04-05-2007 at 11:30 -0400, Daniel J Walsh wrote:
> Kamil wrote:
> > Hello everybody
> > Forgive me if this subject has already been mentioned here, but I
> > simply couldn't find an answer anywhere.
> >
> > A few days ago I started system-config-securitylevel. I found something
> > interesting in "Modify SELinux policies": memory protection. There
> > are four options in there. Two of them are enabled, with a description
> > that if having this enabled is required by some program, it should be
> > reported to bugzilla. I didn't do it, because of the very strange effects
> > after turning them off.
> >
> > Disabling the
> > "Allow all executable files to map memory areas as executable and
> > readable, which is dangerous and such program should be reported to
> > bugzilla"
> > and
> > "Allow all executable files to mark stack as executable. That shouldn't
> > ever be required"
> > options (translated from Polish) made the system act very strangely. The first
> > thing I observed was that the Kobo game stopped working. GMPC stopped
> > playing. Also stuff outside of Fedora like Java and NVidia drivers
> > failed. So I would have had to "report to bugzilla" too many applications for
> > it to make any sense. Such a bug report would only be annoying, but
> > according to system-config-securitylevel...
> >
> >   
> Java applications can be labeled java_exec_t (chcon -t java_exec_t 
> PATHTOAPP). Please tell me the path of these apps, so I can set them to 
> default, which will allow them to have this priv.  NVidia should be 
> told to fix their drivers. (Or open source them, their choice :^))
> 
> These memory checks are described here
> SELinux Memory Protection Tests 
> <http://people.redhat.com/%7Edrepper/selinux-mem.html>
> 
> The goal is to move towards eliminating Writable/Executable memory to 
> help protect systems.
> For now if you can run with these checked off, you are more secure.   We 
> realize that lots of apps are either broken or not labeled correctly.  
> So we need to get the app vendors to fix their apps and to fix the 
> labeling when it is wrong in SELinux.

I have enabled only "Allow all executable files to mark stack as
executable. That shouldn't ever be required". And everything except the
external NVidia drivers seems to work fine. The nv driver doesn't cause
any surprises. But when I disable even that, programs like Kobo Deluxe
and glxgears return a "Permission denied" error. Should I report these
programs to Bugzilla or ignore that hint?
> 
> 
> > What is it with these two options? To make everything work properly they
> > should be enabled, but their description that they should be disabled is
> > confusing.
> >
> > Thank you, and forgive me for any mess I've made with this post
> >
> >   
> 
-- 
---
Regards - Kamil
xmpp:wielkipiec at gmail  com
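The "mark stack as executable" check discussed in the thread is driven by the PT_GNU_STACK program header that the linker writes into each ELF binary: a binary whose PT_GNU_STACK carries the PF_X flag is the kind that trips the executable-stack denial and would need relabeling or fixing. As an added example, not code from the thread or from any Fedora tool, the checker below parses that header from an in-memory ELF64 image and classifies the binary; the sample images it builds are constructed for the test and assume a native (host byte order) binary.

```c
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Classification of what an ELF64 image asks for via PT_GNU_STACK. */
enum { STACK_NX = 0, STACK_EXEC = 1, STACK_UNKNOWN = 2, STACK_BAD_ELF = -1 };

/* Walk the program headers of an in-memory ELF64 image (host byte order,
 * i.e. a native binary) and report whether it requests an executable stack. */
int elf64_stack_request(const unsigned char *buf, size_t len) {
    if (len < sizeof(Elf64_Ehdr) || memcmp(buf, ELFMAG, SELFMAG) != 0 ||
        buf[EI_CLASS] != ELFCLASS64)
        return STACK_BAD_ELF;
    Elf64_Ehdr eh;
    memcpy(&eh, buf, sizeof eh);
    if (eh.e_phoff == 0 || eh.e_phentsize != sizeof(Elf64_Phdr) ||
        eh.e_phoff + (size_t)eh.e_phnum * sizeof(Elf64_Phdr) > len)
        return STACK_BAD_ELF;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        memcpy(&ph, buf + eh.e_phoff + i * sizeof(Elf64_Phdr), sizeof ph);
        if (ph.p_type == PT_GNU_STACK)
            return (ph.p_flags & PF_X) ? STACK_EXEC : STACK_NX;
    }
    return STACK_UNKNOWN; /* no PT_GNU_STACK: the kernel applies an arch-specific default */
}

/* Constructed test input: a minimal ELF64 header plus one PT_GNU_STACK header. */
size_t make_sample_elf(uint32_t stack_flags, unsigned char *out, size_t cap) {
    size_t need = sizeof(Elf64_Ehdr) + sizeof(Elf64_Phdr);
    if (cap < need) return 0;
    Elf64_Ehdr eh = {0};
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_type = ET_EXEC;
    eh.e_machine = EM_X86_64;
    eh.e_phoff = sizeof(Elf64_Ehdr);
    eh.e_phentsize = sizeof(Elf64_Phdr);
    eh.e_phnum = 1;
    Elf64_Phdr ph = {0};
    ph.p_type = PT_GNU_STACK;
    ph.p_flags = stack_flags;
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, &ph, sizeof ph);
    return need;
}

/* Build a constructed sample with the given stack flags and classify it. */
int classify_sample(uint32_t stack_flags) {
    unsigned char buf[sizeof(Elf64_Ehdr) + sizeof(Elf64_Phdr)];
    size_t n = make_sample_elf(stack_flags, buf, sizeof buf);
    return n ? elf64_stack_request(buf, n) : STACK_BAD_ELF;
}
```

To check a real binary, read the file into a buffer and pass it to elf64_stack_request; a STACK_EXEC result is the same condition `execstack -q` reports with an X.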