On Wed, 2009-11-25 at 07:26 -0500, Daniel J Walsh wrote:
On 11/25/2009 06:00 AM, Braden McDaniel wrote:
> I develop software on Fedora. Since upgrading to Fedora 12, I now trip
> over this when my program tries to dlopen libjvm.so:
>
> SELinux is preventing /var/user/braden/openvrml-dbg/examples/.libs/lt-sdl-viewer
> from making the program stack executable.
>
> Changing the context of the executable each time it's built isn't
> especially practical; and disabling this check for everything on the
> system isn't especially desirable. Is there a better way to manage
> this?
>
>
I was planning to bring this up for discussion. I could write a rule that says
unconfined_t->user_home_t->unconfined_execmem_t
unconfined_t->user_tmp_t->unconfined_execmem_t
Which would mean that any executables executed from the home dir would execute in
execmem_t since we do not know if they are java/mono/or some other lang that requires
execmem/execstack.
This would allow us to stop all executables that are installed on the system to require
correct labeling.
What do you think?

Sounds reasonable. But mine is not an expert opinion.
--
Braden McDaniel <braden(a)endoframe.com>