On Wed, 2009-11-25 at 07:26 -0500, Daniel J Walsh wrote:
On 11/25/2009 06:00 AM, Braden McDaniel wrote:
I develop software on Fedora. Since upgrading to Fedora 12, I now trip over this when my program tries to dlopen libjvm.so:
SELinux is preventing /var/user/braden/openvrml-dbg/examples/.libs/lt-sdl-viewer from making the program stack executable.
Changing the context of the executable each time it's built isn't especially practical; and disabling this check for everything on the system isn't especially desirable. Is there a better way to manage this?
I was planning to bring this up for discussion. I could write a rule that says
unconfined_t->user_home_t->unconfined_execmem_t
unconfined_t->user_tmp_t->unconfined_execmem_t
which would mean that any executables executed from the home dir would execute in execmem_t, since we do not know if they are java, mono, or some other language that requires execmem/execstack.
This would allow us to stop requiring that all executables installed on the system have correct labeling.
What do you think?
Sounds reasonable. But mine is not an expert opinion.
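As an added illustration (not code from the thread or from the Fedora policy itself), here is how the transition proposed above could be packaged as a local SELinux policy module and loaded, alongside the per-binary relabel that the original question calls impractical. It assumes that the refpolicy macro domain_auto_trans(source, entrypoint, target) is the right spelling of "unconfined_t->user_home_t->unconfined_execmem_t", that the build uses the Makefile shipped in /usr/share/selinux/devel by selinux-policy-devel, and that unconfined_execmem_exec_t is the entrypoint type for unconfined_execmem_t; the module name localexecmem is made up for the example.

```shell
#!/bin/sh
# Added example, not part of the thread or of the distribution policy.
# Assumptions: domain_auto_trans() expresses "src -> entry type -> dst";
# /usr/share/selinux/devel/Makefile (selinux-policy-devel) builds the .pp;
# the module name "localexecmem" is invented for this example.

MODNAME=localexecmem

# Emit the type-enforcement source. Each domain_auto_trans(src, entry, dst)
# line means: when a process in domain `src` executes a file labeled `entry`,
# the new process runs in domain `dst` (the macro also grants `entry` as an
# entrypoint for `dst`). Files in $HOME keep their user_home_t label, so no
# chcon after every build is needed.
gen_te() {
    cat <<EOF
policy_module(${MODNAME}, 1.0)

require {
    type unconfined_t;
    type unconfined_execmem_t;
    type user_home_t;
    type user_tmp_t;
}

# Binaries under the home directory or the user's tmp run in the execmem
# domain, which is allowed execmem/execstack, instead of unconfined_t.
domain_auto_trans(unconfined_t, user_home_t, unconfined_execmem_t)
domain_auto_trans(unconfined_t, user_tmp_t, unconfined_execmem_t)
EOF
}

# Number of transition rules in the generated module (sanity check).
count_rules() {
    gen_te | grep -c '^domain_auto_trans('
}

# Build and load the module. Needs root and selinux-policy-devel; only run
# when explicitly asked for, so gen_te stays usable on a non-SELinux box.
install_module() {
    dir=$(mktemp -d) || return 1
    gen_te > "${dir}/${MODNAME}.te"
    ( cd "${dir}" && make -f /usr/share/selinux/devel/Makefile "${MODNAME}.pp" ) || return 1
    semodule -i "${dir}/${MODNAME}.pp"
}

# Confirm the loaded policy now transitions unconfined_t on user_home_t.
show_transition() {
    sesearch -T -s unconfined_t -t user_home_t -c process
}

# The per-binary alternative from the original question: relabel one freshly
# built executable so that it enters the execmem domain. The label is lost on
# every rebuild, which is why the policy rule above was proposed instead.
# (Assumed type name: unconfined_execmem_exec_t.)
label_one_binary() {
    chcon -t unconfined_execmem_exec_t "$1" && ls -Z "$1"
}

case "${1:-}" in
    install) install_module ;;
    show)    show_transition ;;
    label)   label_one_binary "$2" ;;
esac
```

Loading the module widens what every binary built or dropped into the home directory may do (any such program gets execmem/execstack without per-file labeling), which is the trade-off the proposal above accepts in exchange for not labeling each build product; keep that in mind on multi-user machines.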