Re: [RFC][PATCH] Pass requested protection to security_file_mmap/mprotect hooks

From: Stephen Smalley (sds@private)
Date: Tue Feb 22 2005 - 11:12:01 PST


On Tue, 2005-02-22 at 14:10 -0500, Colin Walters wrote:
> But we have already worked around the gpg (and other) issues by enabling
> the unconfined_t execmod/execmem booleans by default, no?

I was speaking in the context of strict policy (or more generally, any
confined process).  Strict policy is where we are seeing the greatest
impact of the read-implies-exec logic, as you would expect.

> From your patch, it looks like the default is to have it disabled.  I do
> feel that for Fedora we will want it enabled by default, so providing a
> kernel build option for it is useful; the fewer magic things are in the
> init scripts, the better.

Right, that is what I expected.  Security-focused distros may still
choose to disable by default, as it does reflect the actual protection
that is being applied, but I expect the major distros to enable
checkreqprot by default.

-- 
Stephen Smalley <sds@private>
National Security Agency



This archive was generated by hypermail 2.1.3 : Tue Feb 22 2005 - 11:36:23 PST