On 11/25/2009 06:00 AM, Braden McDaniel wrote:
> I develop software on Fedora. Since upgrading to Fedora 12, I now trip over this when my program tries to dlopen libjvm.so:
> SELinux is preventing /var/user/braden/openvrml-dbg/examples/.libs/lt-sdl-viewer from making the program stack executable.
> Changing the context of the executable each time it's built isn't especially practical; and disabling this check for everything on the system isn't especially desirable. Is there a better way to manage this?
I was planning to bring this up for discussion. I could write a rule that says
unconfined_t->user_home_t->unconfined_execmem_t
unconfined_t->user_tmp_t->unconfined_execmem_t
Which would mean that any executables executed from the home dir would execute in execmem_t since we do not know if they are java/mono/or some other lang that requires execmem/execstack.
This would allow us to stop all executables that are installed on the system to require correct labeling.
What do you think?