Execmem and SE Linux

Eddy writes about problems getting the game oolite to run under SE Linux [1].

Strangely, after I fixed the shared object issue with libffcall1 (as described in my previous post [2]) it appeared to work for me.

Eddy asked how to allow one application to create writable and executable memory regions without allowing such access for all programs. This can be done: in the targeted policy the type unconfined_execmem_exec_t triggers a transition to the domain unconfined_execmem_t, which permits the execstack and execmem operations. For example, if the program /usr/bin/foo needs such access then the command chcon -t unconfined_execmem_exec_t /usr/bin/foo will change the type, and the change will apply the next time the program is launched from an unconfined session (a user login session, cron job, or daemon which is not confined).
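As an added example (my own script, not something from the original post or from the oolite project), here is the chcon step above wrapped so that it checks the label before and after, and can optionally record the type in the local file-context rules. It assumes the targeted policy with the unconfined_execmem_exec_t type as described above; /usr/bin/foo is a placeholder path, and the semanage/restorecon persistence step is an addition beyond what the post shows.

```shell
#!/bin/sh
# Added example, not code from the original post. It applies the chcon step the
# post describes to a single binary, verifies the resulting label, and optionally
# makes it survive a filesystem relabel. Assumptions: the targeted policy with
# the unconfined_execmem_exec_t type; /usr/bin/foo is a placeholder path; the
# semanage/restorecon persistence step goes beyond what the post shows.

# The third colon-separated field of a context such as
# "system_u:object_r:bin_t:s0" is the SELinux type.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# True when the given file context does not yet carry the execmem entry type.
needs_execmem_label() {
    [ "$(context_type "$1")" != "unconfined_execmem_exec_t" ]
}

# The one-off relabel command from the post, for a given path.
chcon_cmd() {
    printf 'chcon -t unconfined_execmem_exec_t %s\n' "$1"
}

# Label one binary and confirm the new type with stat (%C prints the context).
label_for_execmem() {
    path="$1"
    if ! command -v getenforce >/dev/null 2>&1 || [ "$(getenforce 2>/dev/null)" = "Disabled" ]; then
        echo "SELinux not active here; would run: $(chcon_cmd "$path")" >&2
        return 0
    fi
    if [ ! -f "$path" ]; then
        echo "no such file: $path" >&2
        return 1
    fi
    before=$(stat -c '%C' "$path")
    if needs_execmem_label "$before"; then
        chcon -t unconfined_execmem_exec_t "$path" || return 1
    fi
    after=$(stat -c '%C' "$path")
    echo "$path: $(context_type "$before") -> $(context_type "$after")"
    [ "$(context_type "$after")" = "unconfined_execmem_exec_t" ]
}

# Optional: add a local file-context rule so that a relabel (restorecon or
# autorelabel) keeps the type instead of reverting it to the policy default.
persist_execmem_label() {
    semanage fcontext -a -t unconfined_execmem_exec_t "$1" && restorecon -v "$1"
}

# Usage: sh label-execmem.sh /usr/bin/foo [--persist]
if [ -n "${1:-}" ]; then
    label_for_execmem "$1"
    if [ "${2:-}" = "--persist" ]; then
        persist_execmem_label "$1"
    fi
fi
```

A plain chcon is enough to get the transition working, which is what the post asks for; the --persist path matters only if you later run restorecon over /usr/bin or trigger a full relabel, since either would reset the file to whatever the policy's file contexts say. Either way the change is scoped to that one executable, so every other program still gets execmem and execstack denied.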
