On Tue, 2005-02-22 at 13:02 -0500, Stephen Smalley wrote:
>Are there any
>other changes to these two hooks that should be made at the same time?

One thing I wonder is if there are any other issues tied to legacy binaries that would possibly make sense to control via this interface. checkreqprot is a fairly specific name; you had suggested legacycompat earlier?

>Should the default value for /selinux/checkreqprot be configurable?

I think having e.g. a sysctl would be nice. For Fedora we will probably want it enabled by default to maximize compatibility. But with the new execmod/execmem bits, it would be nice to add an entry to the SELinux FAQ or a Fedora security guide about these so users who don't have issues with legacy binaries can toggle these bits and get the stronger protection.