Do you use SELinux

Andras Simon szajmi at gmail.com
Thu Jun 7 21:17:37 UTC 2007


On 6/7/07, a bc <visual00 at gmail.com> wrote:
> how many of you activate selinux in fedora here? i know it will be more
> security for the computer.

I do, because I'm paranoid, and it's not _that_ intrusive. It's even
got much more friendly in FC7. Example:

Jun  6 01:50:12 localhost kernel: alisp[18003]: segfault at 0000000000000000 rip 000000356866d631 rsp 00007fffe4e2f750 error 6
Jun  6 01:50:14 localhost setroubleshoot:      SELinux is preventing /usr/local/acl81b.64/alisp from loading /usr/local/acl81b.64/libacli81b21.so which requires text relocation.      For complete SELinux messages. run sealert -l 170863e2-f41d-4d78-b57d-7d4a9a1872fa

I do as I'm told, and get an explanation and instructions to let me carry on:

Summary
    SELinux is preventing /usr/local/acl81b.64/alisp from loading
    /usr/local/acl81b.64/libacli81b21.so which requires text relocation.

Detailed Description
    The /usr/local/acl81b.64/alisp application attempted to load
    /usr/local/acl81b.64/libacli81b21.so which requires text relocation.  This
    is a potential security problem. Most libraries do not need this permission.
    Libraries are sometimes coded incorrectly and request this permission.  The
    http://people.redhat.com/drepper/selinux-mem.html web page explains how to
    remove this requirement.  You can configure SELinux temporarily to allow
    /usr/local/acl81b.64/libacli81b21.so to use relocation as a workaround,
    until the library is fixed. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Allowing Access
    If you trust /usr/local/acl81b.64/libacli81b21.so to run correctly, you can
    change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t
    /usr/local/acl81b.64/libacli81b21.so"

    The following command will allow this access:
    chcon -t textrel_shlib_t /usr/local/acl81b.64/libacli81b21.so

etc.

> is it useful on a desktop computer? why does fedora 7 activate it as
> default?

I'm much more worried about Fedora activating rpc, nfs, sendmail &al by default.

Andras
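The denial Andras quotes is triggered by a shared library that carries the TEXTREL dynamic tag, i.e. it needs its code pages writable at load time. As an added example (not from the post, nor from Fedora or setroubleshoot), here is a small POSIX shell script that spots that tag in `readelf -d` output, audits a directory for such libraries, and prints the labelling commands an admin would apply only to a library they have decided to trust. The `readelf -d` text embedded in it is constructed sample data; `semanage fcontext` plus `restorecon` is the persistent counterpart to the `chcon` the sealert output suggests, since a bare `chcon` is lost on the next relabel.

```shell
#!/bin/sh
# Added example: detect libraries that need text relocation (the condition
# behind the SELinux denial in the post) and show how to label one that is
# trusted. The readelf output below is CONSTRUCTED sample data.

# Constructed `readelf -d` output for a library that needs text relocation.
sample_textrel_lib() {
cat <<'EOF'
Dynamic section at offset 0x1a2f8 contains 4 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x0000000000000016 (TEXTREL)            0x0
 0x000000000000001e (FLAGS)              TEXTREL BIND_NOW
EOF
}

# Constructed `readelf -d` output for a well-behaved (PIC) library.
sample_clean_lib() {
cat <<'EOF'
Dynamic section at offset 0x1a2f8 contains 3 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001e (FLAGS)              BIND_NOW
EOF
}

# needs_textrel: read `readelf -d` output on stdin; succeed if the library
# needs text relocation. readelf marks this either with a standalone
# (TEXTREL) tag or with the TEXTREL bit inside the (FLAGS) entry.
needs_textrel() {
    grep -q -E '\(TEXTREL\)|\(FLAGS\).*TEXTREL'
}

# textrel_status LIB: classify a library on disk with the real readelf.
# Prints "textrel" or "clean".
textrel_status() {
    if readelf -d "$1" 2>/dev/null | needs_textrel; then
        echo textrel
    else
        echo clean
    fi
}

# remediation LIB: print (do not run) the commands that label one trusted
# library textrel_shlib_t. The chcon line matches what sealert suggests but
# does not survive a relabel; the semanage line records the rule in the
# local policy so restorecon reapplies it.
remediation() {
    printf 'chcon -t textrel_shlib_t %s\n' "$1"
    printf "semanage fcontext -a -t textrel_shlib_t '%s' && restorecon -v %s\n" "$1" "$1"
}

# audit_dir DIR: list only the shared objects under DIR that would trip the
# denial, so the admin reviews those instead of relaxing policy blindly.
audit_dir() {
    find "$1" -type f -name '*.so*' 2>/dev/null | while read -r lib; do
        if [ "$(textrel_status "$lib")" = textrel ]; then
            echo "TEXTREL: $lib"
        fi
    done
}

# Usage: sh textrel_audit.sh /usr/local/acl81b.64
if [ -n "$1" ]; then
    audit_dir "$1"
fi
```

Running it against the install directory from the post would list only the libraries that actually need text relocation; each one is then either rebuilt as PIC (the fix the sealert text points to) or, if it is trusted as-is, labelled with the printed semanage command rather than a one-off chcon.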
