Re: Please disable the SELinux execstack/relro checks before FC5 final

Fri, 17 02 2006 at 11:42 +0100, Arjan van de Ven wrote:
> Hi,
> 
> I'm hereby asking to disable/remove the SELinux execstack/relro checks
> before FC5 ships. The current state of affairs will only lead to people
> using big-hammer approaches in disabling selinux or big chunks thereof
> (based on "solutions" they find with google), which is worse than not
> having this protection in the first place.
> 
> The technology is not finished yet. What I can imagine being useful is:
> 1) having the security config tool do a scan for libs/binaries that are
> not labeled correctly yet and present a dialog to add permissions,
> including an explanation of what the consequences are
> 2) a dbus message on failure so that the desktop can pop up a "<this
> application> tried to use <this insecure library> which is most likely a
> security risk. In case you downloaded this plugin deliberately, make
> sure you want this" or something
> 
> As it is right now, it's just one more thing people will just disable
> and hate selinux more for.  


I tend to agree, it's a great feature but we need better handling of it
- I assume the plan is to enable it early in the FC6 cycle again then?

- David
-- 
Obligatory shameless blog plug - the GNOME commentary located at:
www.lovesunix.net/blog

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
