From: dominick.grift@gmail.com (Dominick Grift)
Date: Thu, 19 Sep 2013 09:59:22 +0200
Subject: [refpolicy] Fwd: Debian unstable, SELinux and Iceweasel
In-Reply-To: <523AA6C3.5000105@ping.de>
References: <52384CD9.60604@ping.de> <5239AEFF.6000902@ping.de> <1379534082.16771.19.camel@d30> <1379535027.16771.21.camel@d30> <523AA6C3.5000105@ping.de>
Message-ID: <1379577562.16771.30.camel@d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 2013-09-19 at 09:24 +0200, Andreas Kuckartz wrote:
> Dominick Grift:
> >> you can allow the execmem issue with audit2allow
> >
> > err .... there actually is probably a boolean that you can toggle to
> > allow it:
> >
> > allow_execmem
> > allow_execstack
> >
> > This is suggested by audit2allow:
> -----
> #============= unconfined_t ==============
> #!!!! This avc can be allowed using one of the these booleans:
> # allow_execstack, allow_execmem
>
> allow unconfined_t self:process execmem;
> -----
>
> I really hesitate to accept this as a safe resolution of the issue.
> Hopefully Mozilla will improve Firefox...

You're running as unconfined_t, which is a domain basically designed to be
exempt from SELinux enforcement.

The SELinux framework is very flexible/configurable and you can set it up to
enforce almost anything you want. So whatever you have in mind, if you want
it; go and get it. Like many of us do.

I've confined basic desktop sessions (actually various times). I actually
recorded the whole process of my latest endeavor and put it on your tube (it
is a 100 plus hours worth of screencast) (youtube.com/domg4721)

As for perfect coverage of basic systems. Yes, in a perfect world maybe. Not
this world unfortunately. Besides, Debian has no active SELinux maintainers.
Things have been stale for quite a while there now.

Want to take on the challenge of maintaining SELinux in Debian?

>
> Cheers,
> Andreas
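The audit2allow output quoted in the thread maps an execmem denial in unconfined_t to the allow_execmem / allow_execstack booleans. The following is an added triage script, not code from the thread or from refpolicy, that parses constructed AVC lines in audit.log format and reports, per denial, the permissions, the source domain, whether that domain is unconfined_t, and which of the two booleans named above would cover it. The boolean mapping (execmem covered by either boolean, execstack only by allow_execstack) is an assumption taken from the audit2allow hint quoted in the thread, and the log lines, PIDs and contexts are constructed samples.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample audit.log lines (not from the original thread); PIDs,
# timestamps and contexts are made up to illustrate the AVC record format.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1379577562.101:201): avc:  denied  { execmem } for  pid=4321 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1379577562.102:202): avc:  denied  { execstack } for  pid=4321 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1379577562.103:203): avc:  denied  { read } for  pid=4400 comm="firefox" name="shadow" dev="sda1" ino=12345 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1379577562.101:201): arch=c000003e syscall=10 success=no exit=-13
"""

# Matches the "avc: denied { perms } for key=value ..." part of an AVC record.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Booleans named in the audit2allow hint quoted in the thread. Which booleans
# exist depends on the policy version; this table is an assumption for the
# refpolicy of that era, not a lookup against a live policy.
BOOLEAN_HINTS = {
    "execmem": ["allow_execmem", "allow_execstack"],
    "execstack": ["allow_execstack"],
}


@dataclass
class AvcDenial:
    perms: List[str]
    comm: str
    scontext: str
    tcontext: str
    tclass: str

    @property
    def source_type(self) -> str:
        # user:role:type:level -> the type (domain) is the third field
        return self.scontext.split(":")[2]


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Parse one audit line; return None for non-AVC records (e.g. SYSCALL)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return AvcDenial(
        perms=m.group("perms").split(),
        comm=fields.get("comm", "?"),
        scontext=fields.get("scontext", "?"),
        tcontext=fields.get("tcontext", "?"),
        tclass=fields.get("tclass", "?"),
    )


def triage(log_text: str) -> List[Dict[str, object]]:
    """Summarise every AVC denial: what was denied, from which domain, and
    which (if any) of the booleans from the thread would cover it."""
    results = []
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        booleans = sorted({b for p in d.perms for b in BOOLEAN_HINTS.get(p, [])})
        results.append({
            "comm": d.comm,
            "perms": d.perms,
            "source_type": d.source_type,
            "tclass": d.tclass,
            "booleans": booleans,
            # A boolean toggled for unconfined_t applies to every unconfined
            # process, which is the trade-off the thread is discussing.
            "unconfined": d.source_type == "unconfined_t",
        })
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_AUDIT_LOG):
        scope = "all unconfined processes" if r["unconfined"] else r["source_type"]
        hint = ", ".join(r["booleans"]) or "no boolean from the thread covers this"
        print(f"{r['comm']}: {r['perms']} on {r['tclass']} (scope: {scope}) -> {hint}")
```

The third sample denial (a file read on shadow_t) is deliberately one no execmem boolean covers, so the script shows that a boolean is only a fit for the specific process permissions audit2allow reported, not a general answer to every denial from the same program.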