SED flags for executables
In AIX, you can use the sedmgr command to flag executables from the SED mechanism.
The linker has been enhanced to support two new SED-related flags to enable select and exempt options in the executable's headers. The select flag permits an executable to request and be part of SED protection during the select mode of systemwide SED operation, whereas the exempt flag permits an executable to request an exemption from the SED mechanism. Exempt executables are not enabled for execution disable on any of the process memory areas.
The exemption flag permits a system administrator to monitor the SED mechanism, and evaluate the situation. The system administrator can enable execution on stack and data areas as necessary for the application, with the associated risks understood.
The following table shows how the systemwide settings and file settings affect the SED mode of operation:
Executable file SED flags:

System SED mode | request | exempt | system | Setuid-root or setgid-system/security files |
---|---|---|---|---|
off | – | – | – | – |
select | enabled | – | – | – |
setgidfiles | enabled | – | – | enabled |
all | enabled | – | enabled | enabled |