On 10/3/06, David Wagner <[email protected]> wrote:
I wonder whether it is feasible to run with allow_exec{heap,mem,mod,stack}
all set to false, on a real system. Is there any example of a fully
worked out SELinux policy that has these set to false? FC5 has
allow_execheap set to false and all others set to true in its default
SELinux policy,
This is the default setting to minimize breakage. And it has been set
like this (in the FC6 devel cycle) only in the last minute. For most
of the devel cycle all were off. For the distribution as a hole there
is simply too much of a chance for something to break and make the
system appear unusable. This is mostly code in 3rd party apps.
Reason enough, unfortunately, for us to default on the safe side.
But I run my machines with everything turned off. We cleaned up the
code we ship so that this is possible.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]