Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S964900AbWJDRaw (ORCPT ); Wed, 4 Oct 2006 13:30:52 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S964906AbWJDRav (ORCPT ); Wed, 4 Oct 2006 13:30:51 -0400 Received: from ug-out-1314.google.com ([66.249.92.171]:17480 "EHLO ug-out-1314.google.com") by vger.kernel.org with ESMTP id S964900AbWJDRav (ORCPT ); Wed, 4 Oct 2006 13:30:51 -0400 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=sZ5E9R3ZYhFfnD6fa5DC4MtgHwfRRwhT0zTkShmbhPM7UO+mBc9kROESHSg0UEqEWploLhcsleARRxpowABK7wFNVdqwmcnY0S3Z2JkOSz2OBpLv81zvEGbIlGF8jWdJdO5p1tYj105j+DTl71SUG4335c19VB4QoYrN1sWItCg= Message-ID: Date: Wed, 4 Oct 2006 10:30:48 -0700 From: "Ulrich Drepper" To: "David Wagner" Subject: Re: [patch] remove MNT_NOEXEC check for PROT_EXEC mmaps Cc: linux-kernel@vger.kernel.org In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <45150CD7.4010708@aknet.ru> <4522B7CD.4040206@redhat.com> Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1121 Lines: 21 On 10/3/06, David Wagner wrote: > I wonder whether it is feasible to run with allow_exec{heap,mem,mod,stack} > all set to false, on a real system. Is there any example of a fully > worked out SELinux policy that has these set to false? FC5 has > allow_execheap set to false and all others set to true in its default > SELinux policy, This is the default setting to minimize breakage. And it has been set like this (in the FC6 devel cycle) only in the last minute. For most of the devel cycle all were off. For the distribution as a hole there is simply too much of a chance for something to break and make the system appear unusable. This is mostly code in 3rd party apps. Reason enough, unfortunately, for us to default on the safe side. But I run my machines with everything turned off. We cleaned up the code we ship so that this is possible. - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/