| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <a36005b50610041030k1ca54065v90a5f6d54b5b9254@mail.gmail.com>
Date: Wed, 4 Oct 2006 10:30:48 -0700
From: "Ulrich Drepper" <drepper@...il.com>
To: "David Wagner" <daw-usenet@...erner.cs.berkeley.edu>
Cc: linux-kernel@...r.kernel.org
Subject: Re: [patch] remove MNT_NOEXEC check for PROT_EXEC mmaps
On 10/3/06, David Wagner <daw@...berkeley.edu> wrote:
> I wonder whether it is feasible to run with allow_exec{heap,mem,mod,stack}
> all set to false, on a real system. Is there any example of a fully
> worked out SELinux policy that has these set to false? FC5 has
> allow_execheap set to false and all others set to true in its default
> SELinux policy,
This is the default setting to minimize breakage. And it has been set
like this (in the FC6 devel cycle) only in the last minute. For most
of the devel cycle all were off. For the distribution as a hole there
is simply too much of a chance for something to break and make the
system appear unusable. This is mostly code in 3rd party apps.
Reason enough, unfortunately, for us to default on the safe side.
But I run my machines with everything turned off. We cleaned up the
code we ship so that this is possible.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists