[Wolves] Opinions wanted on a specific SElinux bool

Adam Sweet adamsweet at gmail.com
Wed Feb 15 11:13:18 UTC 2023

You probably gathered, but this is beyond my SELinux understanding... 
Hope you figured it out.


On 10/02/2023 13:51, Simon Burke via Wolves wrote:
> Hi,
> So this is work related. Today, I'm slowly getting myself into a form of 
> hell with SELinux.policies and semi-complex ksh scripts.
> The bool 'domain_can_mmap_files' currently defaults to off.
> It is my understanding that the intention of this bool is to force 
> validation every time a process accesses a particular file. Which is 
> only useful if we expect context changes.
> Would that mean if we did not expect context changes, then it would be 
> relatively safe to enable this bool? Considering this server will be 
> providing an internet facing service.
> I assume as the initial access of the file is still validated, then we 
> don't have too much to worry about. Unless something malicious is 
> somehow executed that changes the context of a file while it's mapped.
> Other mitigations are in-place like clamd (but that only scans input 
> from end users), and rkhunter periodically runs. There is also 
> inspection done to traffic inbound to the server via network based IDS/IPS.
> Thanks,
> Simon.

More information about the Wolves mailing list