On Fri, Jan 7, 2011 at 10:25 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> We have had a slew of bugzillas on this lately. I think some libraries
> in rpmfusion or one of the other Not Fully Open, yum repositories have
> some libraries that are marked as requiring execstack.
>
> We have been closing these with a link to this bugzilla.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=652297#c5
>
> I have hard coded my comment in it on how to look for the libraries.

Perhaps RPM/Yum should be modified to refuse to install libraries set to execstack without some kind of override, or at least a nasty warning.

"Warning: Package FOO compromises system security. See here for more information:"

This is a usability problem and it needs to be resolved, but it is not going to be resolved by closing dozens of bugs and telling people to "setsebool -P allow_execstack 1", nor is resolving the usability problem by disabling the non-executable stack in the default install acceptable.

This is especially bad in that some of the triggering libraries are media codecs which get exposed to potentially hostile files from third parties.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux