On Tue, 2005-02-22 at 14:10 -0500, Colin Walters wrote: > But we have already worked around the gpg (and other) issues by enabling > the unconfined_t execmod/execmem booleans by default, no? I was speaking in the context of strict policy (or more generally, any confined process). Strict policy is where we are seeing the greatest impact of the read-implies-exec logic, as you would expect. > From your patch, it looks like the default is to have it disabled. I do > feel that for Fedora we will want it enabled by default, so providing a > kernel build option for it is useful; the fewer magic things are in the > init scripts, the better. Right, that is what I expected. Security-focused distros may still choose to disable by default, as it does reflect the actual protection that is being applied, but I expect the major distros to enable checkreqprot by default. -- Stephen Smalley <sds@private> National Security Agency
This archive was generated by hypermail 2.1.3 : Tue Feb 22 2005 - 11:36:23 PST