I think Kostas makes a very good point wrt Critical RH advisories.
> -----Original Message-----
> From: Testbed Support for GridPP member institutes [mailto:TB-
> [log in to unmask]] On Behalf Of Kostas Georgiou
> Sent: 13 August 2009 13:30
> To: [log in to unmask]
> Subject: Re: Request for sites to move WNs to SL5
>
> On Thu, Aug 13, 2009 at 12:27:26PM +0100, Gordon, John (STFC,RAL,ESC)
> wrote:
>
> > It is only ATLAS who require allow execheap so sites that are unhappy
> > with allowing this have the option to leave SL4 resources running for
> > ATLAS and letting the others use SL5. Writing this prompts the thought -
> > does ATLAS code work in SL4 with SELinux forbidding execheap? Kostas?
> > You imply that you already disable this.
>
> User code runs under the unconfined domain (in the default installs) so
> SELinux does very little there, for EL4 an executable heap was allowed
> for user code so ATLAS was not affected (need to check if it was
> disabled for confined processes or not), for EL5 SELinux disables
> executable heap globally. "Broken" applications can be labeled with
> unconfined_execmem_exec_t to bypass the protection (labels don't survive
> nfs so not much help to us) or you can allow it globally by setting
> allow_execheap=1.
>
> The issue here is that if allow_execheap=1 affects confined processes a
> security problem that RedHat has classified as not critical and treats
> it accordingly because it needs an executable heap is now critical for
> us.
>
> Kostas
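As an added illustration (not part of the thread, and not a GridPP or Red Hat tool), the following POSIX shell script audits the two knobs Kostas describes: the global SELinux memory-execution booleans (`allow_execheap` and its siblings, which are the EL5 targeted-policy names) and the per-binary `unconfined_execmem_exec_t` label. It reads text in the format of `getsebool -a` and `ls -Z` so it can be run over output saved from a worker node; the sample output embedded here is constructed, and the paths in it are hypothetical.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.  Audits the SELinux
# settings discussed there: a site that flips allow_execheap on globally
# to keep an application running also removes the executable-heap
# protection from every confined service, which is what turns a Red Hat
# "not critical" executable-heap bug into a critical one for the site.

# Constructed sample of `getsebool -a` output from a hypothetical worker
# node where an admin has enabled allow_execheap (and allow_execstack)
# for the whole system.
SAMPLE_GETSEBOOL='allow_execheap --> on
allow_execmem --> off
allow_execmod --> off
allow_execstack --> on
httpd_enable_cgi --> on'

# Print, one per line, the memory-execution booleans that are enabled.
# Reads getsebool-style lines on stdin.
risky_exec_booleans() {
    grep -E '^allow_exec(heap|mem|mod|stack) --> on$' | sed 's/ --> on$//'
}

# Exit 0 if allow_execheap is on in the given getsebool text, 1 if not.
execheap_globally_enabled() {
    printf '%s\n' "$1" | grep -q '^allow_execheap --> on$'
}

# Constructed `ls -Z`-style listing (hypothetical paths).  Labelling the
# one binary that needs an executable heap is the narrower alternative
# to the global boolean; as the thread notes, labels are not preserved
# over NFS, so this only helps for locally installed software.
SAMPLE_LS_Z='-rwxr-xr-x  root root system_u:object_r:bin_t                    /opt/app/bin/tool-a
-rwxr-xr-x  root root system_u:object_r:unconfined_execmem_exec_t /opt/app/bin/tool-b'

# Print the paths whose security context carries the execmem exception.
# Reads ls -Z style lines on stdin; the context is the fourth field.
execmem_labeled_files() {
    awk '$4 ~ /:unconfined_execmem_exec_t/ { print $NF }'
}

echo "Memory-execution booleans enabled system-wide:"
printf '%s\n' "$SAMPLE_GETSEBOOL" | risky_exec_booleans

if execheap_globally_enabled "$SAMPLE_GETSEBOOL"; then
    echo "WARNING: allow_execheap is on for all confined domains;"
    echo "         prefer labelling the specific binary instead."
fi

echo "Binaries already labelled unconfined_execmem_exec_t:"
printf '%s\n' "$SAMPLE_LS_Z" | execmem_labeled_files
```

On a real node the two sample variables would be replaced by `getsebool -a` and `ls -Z` over the software area; the point of the check is to make the global boolean visible as a finding rather than a quietly persisted workaround.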