From: Daniel J Walsh <dwalsh@redhat.com>
To: m <maximilianbianco@gmail.com>
Cc: selinux@tycho.nsa.gov
Subject: Re: request for review of httpd-related Boolean definitions
Date: Mon, 06 Apr 2009 13:53:34 -0400	[thread overview]
Message-ID: <49DA419E.8030705@redhat.com> (raw)
In-Reply-To: <49D22BEA.8020403@gmail.com>

<snip>

>>> o httpd_execmem
>>
>> tunable_policy(`httpd_execmem',`
>> allow httpd_t self:process { execmem execstack };
>> allow httpd_sys_script_t self:process { execmem execstack };
>> allow httpd_suexec_t self:process { execmem execstack };
>> ')
>> Note that it also allows execstack.
>> Note that it allows it also for httpd_sys_script_t.
>> Note that it *does not* allow it for httpd_user_script_t (or any other
>> templated httpd script).
>
> I think here he is looking to understand what exactly execmem allows. My
> understanding is that it allows memory to be both writeable and
> executable which is a no-no but often required because of some
> questionable programming practices. Please correct me if I am wrong but
> if the above is correct then this allows the webserver to make memory
> both writeable and executable, something that should be avoided.
>
Yes, correct.  Turning on this boolean will allow apache to execute
programs that require writable/executable memory.  Java/Mono type apps
could require this, but it should seldom be set.  Turning this on
eliminates some level of buffer overflow protection.

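As an added example (not part of this thread or of the reference policy), a small Python triage routine over AVC audit lines: it picks out execmem/execstack denials on the process class and, using the three domains the quoted tunable_policy block covers, reports whether flipping httpd_execmem would silence the denial or whether the domain (e.g. httpd_user_script_t) lies outside its scope. The audit lines and the function names are constructed for illustration.

```python
import re

# Domains the quoted tunable_policy block grants { execmem execstack } on self:process;
# httpd_user_script_t and the other templated script domains are not among them.
HTTPD_EXECMEM_DOMAINS = {"httpd_t", "httpd_sys_script_t", "httpd_suexec_t"}
EXEC_PERMS = {"execmem", "execstack"}

# Pulls permissions, comm, scontext and tclass out of a standard AVC denial line.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+).*?tclass=(?P<tclass>\S+)'
)

def classify_avc(line):
    """Describe an execmem/execstack process denial, or return None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = set(m.group("perms").split()) & EXEC_PERMS
    if not perms or m.group("tclass") != "process":
        return None
    domain = m.group("scontext").split(":")[2]  # user:role:type:level -> type
    return {
        "comm": m.group("comm"),
        "domain": domain,
        "perms": sorted(perms),
        "covered_by_httpd_execmem": domain in HTTPD_EXECMEM_DOMAINS,
    }

def triage(lines):  # keep only the denials classify_avc recognises, in input order
    return [r for r in map(classify_avc, lines) if r is not None]

# Constructed sample audit lines (hypothetical, not captured from a real system).
SAMPLE_AVC = [
    'type=AVC msg=audit(1239040000.101:10): avc:  denied  { execmem } for  pid=2101 '
    'comm="httpd" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:system_r:httpd_t:s0 tclass=process',
    'type=AVC msg=audit(1239040000.102:11): avc:  denied  { execmem } for  pid=2150 '
    'comm="php-cgi" scontext=system_u:system_r:httpd_user_script_t:s0 '
    'tcontext=system_u:system_r:httpd_user_script_t:s0 tclass=process',
    'type=AVC msg=audit(1239040000.103:12): avc:  denied  { execstack } for  pid=2177 '
    'comm="python" scontext=system_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process',
    'type=AVC msg=audit(1239040000.104:13): avc:  denied  { read } for  pid=2101 '
    'comm="httpd" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file',
]

for r in triage(SAMPLE_AVC):
    verdict = "httpd_execmem would allow" if r["covered_by_httpd_execmem"] else "outside httpd_execmem"
    print(r["comm"], r["domain"], " ".join(r["perms"]), verdict)
```

A denial that httpd_execmem would cover is still a prompt to ask why the workload needs writable and executable memory before turning the boolean on, since the reply above notes it weakens overflow protection for the whole web server domain.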
