allow_execstack

Daniel J Walsh dwalsh at redhat.com
Sat Jun 6 13:48:00 UTC 2009


On 06/06/2009 09:09 AM, "Stanisław T. Findeisen" wrote:
> Look what I've found regarding stack execution:
>
> =======================================================================
> execstack :: As the name suggests, this error is raised if a program
> tries to make its stack (or parts thereof) executable with an mprotect
> call. This should never, ever be necessary. Stack memory is not
> executable on most OSes these days and this won't change. Executable
> stack memory is one of the biggest security problems. An execstack error
> might in fact be most likely raised by malicious code.
>
> http://people.redhat.com/drepper/selinux-mem.html
> =======================================================================
>
> $ cat /selinux/booleans/allow_execstack
> 1 1
> $ cat /etc/redhat-release
> Fedora release 10 (Cambridge)
>
> I haven't changed this setting manually since system install so I guess
> this is a bug in the Fedora policy?
>
> BTW what does the 1st "1", and what does the 2nd "1" in
> /selinux/booleans/allow_execstack stand for?
>
> Thanks!
> STF
>
> =======================================================================
> http://eisenbits.homelinux.net/~stf/
> OpenPGP: DFD9 0146 3794 9CF6 17EA D63F DBF5 8AA8 3B31 FE8A
> =======================================================================

Allow execstack was turned on by default in F10.

Note:
allow_execstack only affects unconfined domains.  All confined domains 
are not allowed to execstack, even if the allow_execstack is set.  The 
boolean should have been named unconfined_execstack.
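
The two numbers the question asks about are the boolean's current and pending values as selinuxfs reports them. The following is an added example, not part of the thread or of any Fedora tooling: it parses that format and applies the rule from the reply that the boolean only matters for unconfined domains. The function names and the choice to treat `unconfined_t` as the only unconfined type are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). A selinuxfs boolean file holds two
# integers, "<current> <pending>": current is what the kernel enforces now,
# pending is the value staged for the next commit of booleans.

# parse_bool FILE -> prints "current=N pending=M"; returns 2 if malformed.
parse_bool() {
    cur='' pend='' rest=''
    # read returns non-zero at EOF without a newline but still sets values
    read -r cur pend rest < "$1" || :
    [ -z "$rest" ] || return 2
    case "$cur/$pend" in
        0/0|0/1|1/0|1/1) echo "current=$cur pending=$pend" ;;
        *) return 2 ;;
    esac
}

# execstack_verdict BOOL_FILE CONTEXT
# Assumption: unconfined_t is the only unconfined domain type considered.
execstack_verdict() {
    state=$(parse_bool "$1") || { echo "error: cannot parse $1"; return 2; }
    dom=$(printf '%s\n' "$2" | cut -d: -f3)   # user:role:type[:level]
    now=${state#current=}; now=${now%% *}
    next=${state##*pending=}
    note=''
    [ "$now" = "$next" ] || note=" (uncommitted pending value: $next)"
    if [ "$dom" != "unconfined_t" ]; then
        # Per the reply: confined domains never get execstack from this boolean
        echo "denied: $dom is confined, allow_execstack does not apply"
    elif [ "$now" = 1 ]; then
        echo "allowed: unconfined domain, allow_execstack=1$note"
    else
        echo "denied: allow_execstack=0$note"
    fi
}

# Constructed sample mirroring the "1 1" output quoted in the thread.
sample=$(mktemp)
printf '1 1\n' > "$sample"
execstack_verdict "$sample" "unconfined_u:unconfined_r:unconfined_t:s0"
execstack_verdict "$sample" "system_u:system_r:httpd_t:s0"
rm -f "$sample"
```

On a live system the same check is `execstack_verdict /selinux/booleans/allow_execstack "$(id -Z)"`.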
