On Fri, 2005-01-28 at 13:35, Stephen Smalley wrote:
We should also wrap occurrences of execmem with a boolean, but a separate one than the execmod rules. Might also want multiple booleans, e.g. to allow certain programs without allowing all others.
Note: An allow_execmem boolean has been introduced into the latest upstream policy, so I expect it will show up in future Fedora policies. Hence, you may need to enable this boolean, e.g. to allow X to continue to run. In the future, I think we will want multiple such booleans so that we can allow certain domains (like X) to have this permission while prohibiting others (like user domains).