Re: New Policy Doesn't Fix It

On Fri, 2005-06-17 at 07:40 -0400, Stephen Smalley wrote:
> On Fri, 2005-06-17 at 06:58 -0400, Daniel J Walsh wrote:
> > Are you sure you have allow_execmod set?
> > 
> > setsebool -P allow_execmod=1
> 
> Per the avc message, the file was labeled usr_t
> (/opt/openoffice.org1.9.104/program/libicudata.so.26.0.1).  So unless
> you are allowing execmod to all file types (not a good idea), 

For the targeted policy I think we do need to allow it for
file_type.  The original security goal of the targeted policy was that
only a few specific services were confined.  We expect Fedora server
administrators to understand SELinux and read documentation about how to
secure their services using it.  We cannot expect the same of all of the
many other kinds of people using Fedora; in this particular case, it
looks to me like Daniel is a free software enthusiast tracking the
latest upstream releases of OpenOffice.org.  Until we can have some
reasonable expectation of ISV software installers labelling data
correctly, I don't think we can use execmod/execmem for unconfined_t at
all.


--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
