Question about "exec-shield"

yersinia yersinia.spiros at gmail.com
Wed Feb 20 13:10:37 UTC 2013


On Wed, Feb 20, 2013 at 12:48 PM, Maurizio Pagani Gmail <pag.maurizio at gmail.com> wrote:

> Hi there,
>
> I have a question about "exec-shield". In practice, on some servers SELinux
> is disabled, but I see that "exec-shield" is enabled:
>
> **********************************************
>
> [root at app12trnr TSCM]# sysctl -a|grep -i exec
>
> kernel.exec-shield = 1
>
> [root at app12trnr TSCM]# sestatus
>
> SELinux status:                 disabled
>
> **********************************************
>
> - Now, the question is: even if SELinux is disabled, does exec-shield
> work normally? And if the answer is "yes", by which criteria does
> exec-shield block an application from writing to memory?
>
> - Because I think that only SELinux can manage "exec-shield" and decide
> by which criteria it can block something from writing to memory. I saw
> that there is a "process object class" with some permissions such as
> "execheap, execstack, and so on" for managing "allow/deny".
>

IMHO, not so. SELinux supplements Exec Shield by providing policy control
over mmap/mprotect with PROT_EXEC, enabling one to control the ability to
make executable mappings that are writable.

http://people.redhat.com/drepper/nonselsec.pdf

http://people.redhat.com/drepper/selinux-mem.html

Here is another good explanation:
http://www.redhat.com/archives/fedora-selinux-list/2005-December/msg00062.html

>
> I hope I was clear with the question.
>
> Thanks in advance,
>
> Maurizio Pagani
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
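The distinction drawn in the reply above can be checked from user space. The following probe is an added example, not code from the thread or from any of the linked documents: it requests the two things the SELinux execmem permission mediates, an anonymous mapping created writable+executable, and an RW anonymous page later flipped to executable the way a JIT does. With SELinux disabled (the poster's situation) both calls normally succeed regardless of the kernel.exec-shield setting, because Exec Shield enforces non-executable stack/NX semantics on pages that are not PROT_EXEC rather than vetoing PROT_EXEC requests; with an enforcing policy that does not grant execmem to the running domain, the same calls fail with EACCES and an AVC denial is logged. The function names (probe_mmap, probe_mprotect_to_exec, describe) are mine, and the mapping of EACCES to "SELinux denial" is an assumption about what the caller will usually be looking at on such a host.

```c
// Added example (not from the original thread): probe whether this process
// may create writable+executable memory via mmap/mprotect with PROT_EXEC,
// which is the operation SELinux's execmem permission controls.
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Try to create one anonymous private page with the given protection.
 * Returns 0 on success, otherwise the errno reported by mmap(). */
static int probe_mmap(int prot)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    munmap(p, len);
    return 0;
}

/* JIT-style pattern: map a page read/write, then ask for read/execute.
 * Under SELinux this is still an execmem check because the VMA was
 * writable anonymous memory. Returns 0 or the errno from mprotect(). */
static int probe_mprotect_to_exec(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    int rc = 0;
    if (mprotect(p, len, PROT_READ | PROT_EXEC) != 0)
        rc = errno;
    munmap(p, len);
    return rc;
}

/* Human-readable result. EACCES is how an SELinux execmem/execstack/execheap
 * denial surfaces to the caller (assumption: no other LSM is in play); 0 means
 * the kernel allowed the request. */
static const char *describe(int rc)
{
    if (rc == 0)
        return "allowed";
    if (rc == EACCES)
        return "denied (EACCES: typical SELinux execmem denial)";
    return strerror(rc);
}

int main(void)
{
    printf("mmap RW           : %s\n",
           describe(probe_mmap(PROT_READ | PROT_WRITE)));
    printf("mmap RWX          : %s\n",
           describe(probe_mmap(PROT_READ | PROT_WRITE | PROT_EXEC)));
    printf("mprotect RW -> RX : %s\n", describe(probe_mprotect_to_exec()));
    return 0;
}
```

Run it once on the host in question; if every line prints "allowed" while sestatus says disabled, that is the expected state: nothing in exec-shield itself refuses PROT_EXEC, and the execmem/execstack/execheap permissions only come into effect once a policy is loaded and enforcing.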