I develop software on Fedora. Since upgrading to Fedora 12, I now trip over this when my program tries to dlopen libjvm.so:
SELinux is preventing /var/user/braden/openvrml-dbg/examples/.libs/lt-sdl-viewer from making the program stack executable.
Changing the context of the executable each time it's built isn't especially practical; and disabling this check for everything on the system isn't especially desirable. Is there a better way to manage this?
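The denial above is raised when a dlopen'ed library asks for an executable stack through its PT_GNU_STACK program header (or lacks the header entirely), at which point the loader calls mprotect on the stack and SELinux sees an execstack attempt. The following check of that header is an added Python example, not code from this thread; the sample ELF64 image it inspects is constructed inline and is not a real libjvm.so.

```python
import struct

PT_GNU_STACK = 0x6474E551  # program header type carrying the stack permission flags
PF_X = 0x1                 # segment flag: executable


def elf_stack_is_executable(data: bytes) -> bool:
    """Return True if this ELF64 image requests an executable stack.

    A missing PT_GNU_STACK header is reported as executable, which is how
    the Linux dynamic loader treats objects that do not carry the header.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2:
        raise ValueError("only ELF64 is handled here")
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little endian
    # e_phoff lives at offset 0x20, e_phentsize/e_phnum at 0x36/0x38
    phoff = struct.unpack_from(end + "Q", data, 0x20)[0]
    phentsize, phnum = struct.unpack_from(end + "HH", data, 0x36)
    for i in range(phnum):
        p_type, p_flags = struct.unpack_from(end + "II", data, phoff + i * phentsize)
        if p_type == PT_GNU_STACK:
            return bool(p_flags & PF_X)
    return True  # no PT_GNU_STACK at all: loader assumes an executable stack


def file_stack_is_executable(path: str) -> bool:
    """Convenience wrapper for an on-disk object, e.g. a freshly built .so."""
    with open(path, "rb") as fh:
        return elf_stack_is_executable(fh.read())


def build_sample_elf(stack_flags: int, with_gnu_stack: bool = True) -> bytes:
    """Constructed minimal ELF64 (little endian, ET_DYN) header plus program headers."""
    phdrs = [struct.pack("<IIQQQQQQ", 1, 5, 0, 0, 0, 0, 0, 0x1000)]  # one PT_LOAD to skip over
    if with_gnu_stack:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 0x10))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               3, 0x3E, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(phdrs)


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, "execstack" if file_stack_is_executable(p) else "noexecstack")
```

Flags 6 (RW) and 7 (RWX) in the constructed image correspond to a library built with and without a non-executable stack request; a library reporting execstack here is the one to rebuild or relabel rather than the whole system.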
On 11/25/2009 06:00 AM, Braden McDaniel wrote:
> I develop software on Fedora. Since upgrading to Fedora 12, I now trip over this when my program tries to dlopen libjvm.so:
> SELinux is preventing /var/user/braden/openvrml-dbg/examples/.libs/lt-sdl-viewer from making the program stack executable.
> Changing the context of the executable each time it's built isn't especially practical; and disabling this check for everything on the system isn't especially desirable. Is there a better way to manage this?
I was planning to bring this up for discussion. I could write a rule that says
unconfined_t->user_home_t->unconfined_execmem_t
unconfined_t->user_tmp_t->unconfined_execmem_t
Which would mean that any executables executed from the home dir would execute in execmem_t since we do not know if they are java/mono/or some other lang that requires execmem/execstack.
This would allow us to stop all executables that are installed on the system to require correct labeling.
What do you think?
"DJW" == Daniel J Walsh dwalsh@redhat.com writes:
DJW> Which would mean that any executables executed from the home dir
DJW> would execute in execmem_t since we do not know if they are
DJW> java/mono/or some other lang that requires execmem/execstack.
How would this work for home directories on NFS? (Actually I've always been unsure of how NFS home directories are supposed to be handled, especially when they're automounted and may be accessed by multiple different operating systems.)
- J<
On 11/25/2009 11:25 AM, Jason L Tibbitts III wrote:
> "DJW" == Daniel J Walsh dwalsh@redhat.com writes:
> DJW> Which would mean that any executables executed from the home dir
> DJW> would execute in execmem_t since we do not know if they are
> DJW> java/mono/or some other lang that requires execmem/execstack.
> How would this work for home directories on NFS? (Actually I've always been unsure of how NFS home directories are supposed to be handled, especially when they're automounted and may be accessed by multiple different operating systems.)
> - J<
> -- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
In the case of nfs homedir, the homedir is labeled nfs_t, so the transition would have to be
unconfined_t->nfs_t->unconfined_execmem_t
unconfined_t->cifs_t->unconfined_execmem_t
for samba home dirs.
On Wed, 2009-11-25 at 07:26 -0500, Daniel J Walsh wrote:
> On 11/25/2009 06:00 AM, Braden McDaniel wrote:
> > I develop software on Fedora. Since upgrading to Fedora 12, I now trip over this when my program tries to dlopen libjvm.so:
> > SELinux is preventing /var/user/braden/openvrml-dbg/examples/.libs/lt-sdl-viewer from making the program stack executable.
> > Changing the context of the executable each time it's built isn't especially practical; and disabling this check for everything on the system isn't especially desirable. Is there a better way to manage this?
> I was planning to bring this up for discussion. I could write a rule that says
> unconfined_t->user_home_t->unconfined_execmem_t
> unconfined_t->user_tmp_t->unconfined_execmem_t
> Which would mean that any executables executed from the home dir would execute in execmem_t since we do not know if they are java/mono/or some other lang that requires execmem/execstack.
> This would allow us to stop all executables that are installed on the system to require correct labeling.
> What do you think?
Sounds reasonable. But mine is not an expert opinion.