From: petre rodan <kaiowas@gentoo.org>
To: SELinux <SELinux@tycho.nsa.gov>
Cc: Valdis.Kletnieks@vt.edu
Subject: Re: Still getting random execute permissions on shared libraries.
Date: Sat, 27 Nov 2004 08:49:22 +0200 [thread overview]
Message-ID: <41A82372.9040308@gentoo.org> (raw)
In-Reply-To: <200411262244.iAQMiLvE007647@turing-police.cc.vt.edu>
Valdis.Kletnieks@vt.edu wrote:
> On Fri, 26 Nov 2004 21:49:22 +0200, petre rodan said:
>>I made a patch to the kernel that reverts to the old behaviour. No more execs on random files.
>>I find that changing the policy to allow those execs is not a valid solution.
>
> Why is fixing the policy not a valid solution?
I happen to use some proprietary software (think antiviruses, file integrity checkers, audit programs) that would have needed massive changes in the policy because of those execs.
It might take some time until those are recompiled with a newer toolchain.
>>would it be feasible to send upstream a patch that would remove the 'exec on
>>read' behaviour if the kernel has selinux capabilities?
> A Very Bad Idea. Basically, you're disabling a good and reasonable security
> measure entirely, just because you can't get it to work with a *legacy* binary
> and another security measure.
Those security measures were added somewhere in the rc stage of 2.6.9, a kernel that was badly needed because of the flaws it was fixing.
I needed a way to replicate the behavior of older kernels in order to keep the sanity of the system, so that patch seemed a quick solution (call it as you wish).
I agree now that it shouldn't be sent upstream, but if someone feels the need to solve <subj>, then it's patching time :)
bye,
peter
--
petre rodan
<kaiowas@gentoo.org>
Developer,
Hardened Gentoo Linux