> Another question is what domains are in view here, e.g. all domains > (such that allow_execstack permits execstack to every process rather > than just unconfined processes) or just unconfined_t (so that confined > daemons remain protected even if allow_execstack is enabled)? right now I fear the only sane answer is "set all to permissive behavior"; the minimum for fc5 would be everything that can do plugins of any kind, or uses libraries that tend to get replaced (3D ones ;). But that ends up being a whole whopping lot... I really wish the user notification/config thing existed, but that will take time to get right for sure... -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
