On Wed, 2009-11-25 at 07:26 -0500, Daniel J Walsh wrote:
> On 11/25/2009 06:00 AM, Braden McDaniel wrote:
> > I develop software on Fedora. Since upgrading to Fedora 12, I now trip
> > over this when my program tries to dlopen libjvm.so:
> >
> > SELinux is preventing /var/user/braden/openvrml-dbg/examples/.libs/lt-sdl-viewer
> > from making the program stack executable.
> >
> > Changing the context of the executable each time it's built isn't
> > especially practical; and disabling this check for everything on the
> > system isn't especially desirable. Is there a better way to manage
> > this?
> >
> I was planning to bring this up for discussion. I could write a rule that says
>
> unconfined_t->user_home_t->unconfined_execmem_t
> unconfined_t->user_tmp_t->unconfined_execmem_t
>
> Which would mean that any executables executed from the home dir would execute in execmem_t since we do not know if they are java/mono/or some other lang that requires execmem/execstack.
>
> This would allow us to stop all executables that are installed on the system to require correct labeling.
>
> What do you think?

Sounds reasonable. But mine is not an expert opinion.

--
Braden McDaniel <braden@xxxxxxxxxxxxx>

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list