Hi,
Just checked two freshly installed Fedora 12 machines, and found

allow_execmem --> on
allow_execstack --> on

Is there a reason for this, as the comment in semanage strongly discourages it? Or did I install a package that switches those booleans?
Klaus
On Sun, Dec 27, 2009 at 01:48:03PM +0100, Klaus Lichtenwalder wrote:
> Hi,
> Just checked two freshly installed Fedora 12 machines, and found
>
> allow_execmem --> on
> allow_execstack --> on
>
> Is there a reason for this, as the comment in semanage strongly discourages it? Or did I install a package that switches those booleans?

I am not sure about the official reason, but I think it is true that at least execmem by unconfined_t is allowed by default. If you so desire you can switch it off.

Personally I can imagine why these permissions are allowed by default for unconfined_t. unconfined_t is designed to be unconfined, thus in that theory execmem, execmod, execstack and execheap would be allowed by unrestricted processes.

If you want to protect/restrict user processes, then consider defaulting to restricted user domains instead of unrestricted user domains. (Just general advice.)

> Klaus
> --
> Klaus Lichtenwalder, Dipl. Inform., http://lklaus.homelinux.org/Klaus/ PGP Key fingerprint: A5C0 F73A 2C83 96EE 766B 9C62 DB6D 1258 0E9B B6D1
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
On Sun, Dec 27, 2009 at 01:48:03PM +0100, Klaus Lichtenwalder wrote:
> Hi,
> Just checked two freshly installed Fedora 12 machines, and found
>
> allow_execmem --> on
> allow_execstack --> on
>
> Is there a reason for this, as the comment in semanage strongly discourages it? Or did I install a package that switches those booleans?

By default SELinux is pretty permissive (much is allowed). However you can very much tighten the configuration.

A few things to do:

map all your Linux logins to confined SELinux users
disable the unconfined module
lock-down your booleans
...and much more...
Hello Klaus,
Personally I'd suggest turning off exec (mem, heap, stack); mapping your user role to staff_u and then disallowing unconfined logins; turning on secure_mode and secure_mode_policyload. setsebool -P <name_of_boolean> <value> should take care of that last from single user mode.
---------- Forwarded message ----------
From: Dominick Grift domg472@gmail.com
Date: Sun, Dec 27, 2009 at 12:24 PM
Subject: Re: allow_exec{mem,stack} default to on?
To: fedora-selinux-list@redhat.com

On Sun, Dec 27, 2009 at 01:48:03PM +0100, Klaus Lichtenwalder wrote:
> Hi,
> Just checked two freshly installed Fedora 12 machines, and found
>
> allow_execmem --> on
> allow_execstack --> on
>
> Is there a reason for this, as the comment in semanage strongly discourages it? Or did I install a package that switches those booleans?

By default SELinux is pretty permissive (much is allowed). However you can very much tighten the configuration.

A few things to do:

map all your Linux logins to confined SELinux users
disable the unconfined module
lock-down your booleans
...and much more...
Hi,
thanks for all your answers. It's correct, if I wanted to go the secure road, I should map all users to some (more specific) role than is the default. Considering the situation I think I can stay with the default rights, as they are probably laid out fine (for default use, i.e. what I need :-) ) In the meantime, I found some boinc jobs, that need allow_execmem. Guess I can live with that, and will come back again when I start my first policies or refinements of some, I do have some on target, already, so beware ;-)
Klaus
On Sun, 2009-12-27 at 13:11 -0500, Ryan Gandy wrote:
> Hello Klaus,
> Personally I'd suggest turning off exec (mem, heap, stack); mapping your user role to staff_u and then disallowing unconfined logins; turning on secure_mode and secure_mode_policyload. setsebool -P <name_of_boolean> <value> should take care of that last from single user mode.
>
> ---------- Forwarded message ----------
> From: Dominick Grift domg472@gmail.com
> Date: Sun, Dec 27, 2009 at 12:24 PM
> Subject: Re: allow_exec{mem,stack} default to on?
> To: fedora-selinux-list@redhat.com
>
> On Sun, Dec 27, 2009 at 01:48:03PM +0100, Klaus Lichtenwalder wrote:
>> Hi,
>> Just checked two freshly installed Fedora 12 machines, and found
>>
>> allow_execmem --> on
>> allow_execstack --> on
>>
>> Is there a reason for this, as the comment in semanage strongly discourages it? Or did I install a package that switches those booleans?
>
> By default SELinux is pretty permissive (much is allowed). However you can very much tighten the configuration.
> ...
> map all your Linux logins to confined SELinux users
> disable the unconfined module
> lock-down your booleans
> ...and much more...
On 12/27/2009 01:43 PM, Klaus Lichtenwalder wrote:
> Hi,
> thanks for all your answers. It's correct, if I wanted to go the secure road, I should map all users to some (more specific) role than is the default. Considering the situation I think I can stay with the default rights, as they are probably laid out fine (for default use, i.e. what I need :-) ) In the meantime, I found some boinc jobs, that need allow_execmem. Guess I can live with that, and will come back again when I start my first policies or refinements of some, I do have some on target, already, so beware ;-)
> Klaus
I have tried many times to turn off the allow_execmem and allow_execstack booleans. The problem is there is too much badly written code and too many unknown executables out there that require execmem and execstack. Including stuff that is downloaded to the homedir.
allow_execmem was on by default in F12 and allow_execstack has been turned on by default in newer policies, although this will only happen on fresh installs with the new policy. Updates NEVER change boolean settings.
I would advise people who know what they are doing to turn off these booleans, but turning them on by default inflicts too much pain.
allow_execmod and allow_execheap are off by default.
These booleans only affect unconfined domains. So every confined domain will enforce the execmem and execstack access control regardless of their settings.
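Added example, not part of any message in the thread: a shell function that reads `getsebool -a` style output, checks the four booleans named above and prints the `setsebool -P` commands that would turn off any that are on. The sample input is constructed from the boolean state reported later in the thread; the function name is an assumption of this example.

```shell
#!/bin/sh
# Audit the four memory-protection booleans named in the thread and print
# the setsebool commands that would turn off any that are currently on.
# Input format is that of `getsebool -a`: "name --> on|off", one per line.

# Constructed sample: the boolean state reported later in the thread.
SAMPLE_STATE='allow_execheap --> off
allow_execmem --> on
allow_execmod --> off
allow_execstack --> off'

audit_exec_booleans() {
    # Reads boolean lines on stdin; unrelated booleans are ignored.
    awk '
        BEGIN {
            n = split("allow_execheap allow_execmem allow_execmod allow_execstack", names, " ")
            for (i = 1; i <= n; i++) state[names[i]] = "missing"
        }
        $2 == "-->" && ($1 in state) {
            state[$1] = ($3 == "on" || $3 == "off") ? $3 : "unparsed"
        }
        END {
            for (i = 1; i <= n; i++) {
                b = names[i]
                if (state[b] == "on")
                    print "setsebool -P " b " off"
                else if (state[b] != "off")
                    print "# " b ": " state[b] ", check policy version"
            }
        }
    '
}

# Demo on the constructed sample.
# On a live host: getsebool -a | audit_exec_booleans
printf '%s\n' "$SAMPLE_STATE" | audit_exec_booleans
```

Because updates never change boolean settings, the result reflects whatever the install-time policy or an administrator last set, so it is worth re-running after a reinstall.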
On Wednesday, 30.12.2009, 09:23 -0500, Daniel J Walsh wrote:
> allow_execmem was on by default in F12 and allow_execstack has been turned on by default in newer policies, although this will only happen on fresh installs with the new policy. Updates NEVER change boolean settings.

I did an install with the netinstall CD, so kind of fresh install with the new policy

> I would advise people who know what they are doing to turn off these booleans, but turning them on by default inflicts too much pain.
> allow_execmod and allow_execheap are off by default.
> These booleans only affect unconfined domains. So every confined domain will enforce the execmem and execstack access control regardless of their settings.

At the moment I have

allow_execheap --> off
allow_execmem --> on
allow_execmod --> off
allow_execstack --> off

As the boinc_client needs execmem. Guess I'll file a bug with them, as I'm more comfortable with this off...
Which brings me to the point, I should check whether the *service* boinc (which I don't use) is running unconfined...
Interestingly I have another application, for homebanking, that's throwing the famous mmap_zero violation. Which I still don't allow and the application doesn't care... Probably lots of bugs in their code and code paths that aren't too important :-)
Klaus
On 12/30/2009 09:52 AM, Klaus Lichtenwalder wrote:
> On Wednesday, 30.12.2009, 09:23 -0500, Daniel J Walsh wrote:
>> allow_execmem was on by default in F12 and allow_execstack has been turned on by default in newer policies, although this will only happen on fresh installs with the new policy. Updates NEVER change boolean settings.
>
> I did an install with the netinstall CD, so kind of fresh install with the new policy
>
>> I would advise people who know what they are doing to turn off these booleans, but turning them on by default inflicts too much pain.
>> allow_execmod and allow_execheap are off by default.
>> These booleans only affect unconfined domains. So every confined domain will enforce the execmem and execstack access control regardless of their settings.
>
> At the moment I have
>
> allow_execheap --> off
> allow_execmem --> on
> allow_execmod --> off
> allow_execstack --> off
>
> As the boinc_client needs execmem. Guess I'll file a bug with them, as I'm more comfortable with this off...
> Which brings me to the point, I should check whether the *service* boinc (which I don't use) is running unconfined...
> Interestingly I have another application, for homebanking, that's throwing the famous mmap_zero violation. Which I still don't allow and the application doesn't care... Probably lots of bugs in their code and code paths that aren't too important :-)

Is this a wine application? Wine seems to throw this error even though it only needs it for very old DOS type apps.

> Klaus
On Thursday, 31.12.2009, 09:11 -0500, Daniel J Walsh wrote:
> On 12/30/2009 09:52 AM, Klaus Lichtenwalder wrote:
> [...]
>> Interestingly I have another application, for homebanking, that's throwing the famous mmap_zero violation. Which I still don't allow and the application doesn't care... Probably lots of bugs in their code and code paths that aren't too important :-)
>
> Is this a wine application? Wine seems to throw this error even though it only needs it for very old DOS type apps.

No, it is indeed a native linux binary, but the Windows heredity shows. It does have some minor issues with windowing though, but otherwise ok. And I have lots of data in it ...
Klaus
selinux@lists.fedoraproject.org