Configure the deny_execmem SELinux Boolean
An XCCDF Rule
Description
By default, the SELinux boolean deny_execmem
is disabled.
This setting should be configured to
To set the deny_execmem
SELinux boolean, run the following command:
$ sudo setsebool -P deny_execmem
Warning
This rule doesn't come with a remediation, as enabling this SELinux boolean can cause
applications to malfunction, for example graphical login managers and Firefox.
Functionality Warning
Proper function and stability should be assessed before enabling the SELinux
boolean in production systems.
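One way to do that assessment, as an added example that is not part of the rule or of the SSG project: read the boolean's current state from getsebool output, then list the SELinux domains that were denied the execmem permission in audit AVC records, since those are the applications that will misbehave once the boolean is on. The sample getsebool and audit text below is constructed so the script runs offline; on a real host you would feed it the live command output noted in the comments.

```sh
#!/bin/sh
# Added example (not from the XCCDF rule): check deny_execmem and find the
# domains it affects. Assumption: getsebool/ausearch are present on a live
# host; the functions themselves only parse text, so saved logs work too.

# sebool_state "<getsebool output>" -> prints "on" or "off".
# getsebool prints lines such as "deny_execmem --> off".
sebool_state() {
    printf '%s\n' "$1" | awk '$1 == "deny_execmem" { print $3; exit }'
}

# execmem_domains "<audit records>" -> unique source domains (the type field
# of scontext) that were denied { execmem }. With deny_execmem enabled these
# are the applications that lose writable+executable memory mappings.
execmem_domains() {
    printf '%s\n' "$1" \
      | grep 'avc: *denied *{ execmem }' \
      | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p' \
      | sort -u
}

# Constructed sample input (not real host output) so the script runs offline.
SAMPLE_GETSEBOOL='deny_execmem --> off'
SAMPLE_AUDIT='type=AVC msg=audit(1700000000.123:456): avc:  denied  { execmem } for  pid=1234 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1700000001.456:457): avc:  denied  { execmem } for  pid=2345 comm="gnome-shell" scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:system_r:xdm_t:s0 tclass=process permissive=0
type=AVC msg=audit(1700000002.789:458): avc:  denied  { read } for  pid=3456 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0'

# On a live host replace the samples with the real output of:
#   getsebool deny_execmem
#   ausearch -m AVC -ts recent
# collected after a trial, non-persistent "sudo setsebool deny_execmem on"
# (no -P), so the setting can be reverted if something breaks.
main() {
    echo "deny_execmem is: $(sebool_state "$SAMPLE_GETSEBOOL")"
    echo "domains denied execmem:"
    execmem_domains "$SAMPLE_AUDIT"
}

main "$@"
```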
Rationale
Allowing user domain applications to map a memory region as both writable and executable makes them more susceptible to data execution attacks.
- ID
- xccdf_org.ssgproject.content_rule_sebool_deny_execmem
- Severity
- Medium
- References
- Updated