Re: sellinux line command

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Fred J. wrote:


Paul Howarth <paul@xxxxxxxxxxxx> wrote: On Mon, 2006-10-02 at 00:13 -0700, Fred J. wrote:

Hi
while following the stops to install JRE as per
http://stanton-finley.net/fedora_core_5_installation_notes.html


the instruction which says:
If you have not already done so go to "System" > "Administration" >
"Security Level and Firewall". Enter your root password and click
"ok". On the "SELinux" tab click on "Modify SELinux Policy", click on
"Compatibility" to open it and tick the check box next to "Allow the
use of shared libraries with Text Relocation". Click "ok". Reboot your
machine to implement the new SELinux policy.

I don't have kde or gnome and neither of the following seams to match
what the article is talking about.
# system-config-securitylevel
# system-config-securitylevel-tui


This action sets the allow_execmod SELinux boolean. You could do that
from the command line without using system-config-securitylevel as
follows:

# setsebool -P allow_execmod 1

There is no need to reboot after doing this.

However, this is not the best way of solving the problem, as it relaxes
security much more than necessary. A better way would be to set the
SElinux context type of the java libraries to textrel_shlib_t, which
would have the same effect but only for those particular libraries.

Paul.
does this mean that I should ignore the step in the instruction which talks about "Allow the use of shared libraries with Text Relocation". 
and go ahead with the rest of the steps as listed here
http://stanton-finley.net/fedora_core_5_installation_notes.html under Java and then go back and set the SElinux context type of the java libraries to textrel_shlib_t. ?


Yes, you could do it that way.
However, I think a better way, from both a system maintenance and SELinux point of view, would be to use the JPackage RPMs. You need to build these yourself due to the way Sun license Java, and this may appear at first to be a daunting prospect, but it's not difficult really. See: http://www.city-fan.org/tips/JpackageJava
Installing Java using the JPackage RPMs will get all of the SELinux contexts set correctly "out of the box" and the software will be managed by RPM, just like all the other software on the system. It really is the best way IMHO. 

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux