{"description": "By default, the SELinux boolean <tt>deny_execmem</tt> is disabled.\nThis setting should be configured to <sub idref=\"var_deny_execmem\" />.\n<br/>\nTo set the <code>deny_execmem</code> SELinux boolean, run the following command:\n<pre>$ sudo setsebool -P deny_execmem <sub idref=\"var_deny_execmem\" /></pre>", "rationale": "Allowing user domain applications to map a memory region as both writable and\nexecutable makes them more susceptible to data execution attacks.", "severity": "medium", "references": {"anssi": ["R48"]}, "control_references": {"anssi": ["R48"]}, "components": [], "identifiers": {}, "ocil_clause": "deny_execmem is not set as expected", "ocil": "\nRun the following command to get the current configured value for <code>deny_execmem</code>\nSELinux boolean:\n<pre>$ getsebool deny_execmem</pre>\nThe expected cofiguration is <sub idref=\"var_deny_execmem\" />.\n\"on\" means true, and \"off\" means false", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "This rule doesn't come with a remediation, as enabling this SELinux boolean can cause\napplications to malfunction, for example Graphical login managers and Firefox."}, {"functionality": "Proper function and stability should be assessed before applying enabling the SELinux\nboolean in production systems."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {"check-import": "stdout", "check-export": ["var_deny_execmem=xccdf_org.ssgproject.content_value_var_deny_execmem"], "platform": ["multi_platform_all"], "environment": "any", "filename": "sebool_deny_execmem.sh", "relative_path": "ubuntu2204/checks/sce/sebool_deny_execmem.sh"}, "inherited_platforms": ["system_with_kernel", "selinux or bootc or osbuild"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["bootc_or_osbuild_or_selinux", "system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Configure the deny_execmem SELinux Boolean", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml", "template": {"name": "sebool", "vars": {"seboolid": "deny_execmem"}, "backends": {"bash": "off", "ansible": "off"}}}