sellinux line command

Fred J. phddas at yahoo.com
Tue Oct 3 17:59:03 UTC 2006 


Paul Howarth <paul at city-fan.org> wrote: Fred J. wrote:
> 
> Paul Howarth 
 wrote: On Mon, 2006-10-02 at 00:13 -0700, Fred J. wrote:
>> Hi
>> while following the stops to install JRE as per
>> http://stanton-finley.net/fedora_core_5_installation_notes.html
>>
>>
>> the instruction which says:
>> If you have not already done so go to "System" > "Administration" >
>> "Security Level and Firewall". Enter your root password and click
>> "ok". On the "SELinux" tab click on "Modify SELinux Policy", click on
>> "Compatibility" to open it and tick the check box next to "Allow the
>> use of shared libraries with Text Relocation". Click "ok". Reboot your
>> machine to implement the new SELinux policy.
>>
>> I don't have kde or gnome and neither of the following seams to match
>> what the article is talking about.
>> # system-config-securitylevel
>> # system-config-securitylevel-tui
> 
> This action sets the allow_execmod SELinux boolean. You could do that
> from the command line without using system-config-securitylevel as
> follows:
> 
> # setsebool -P allow_execmod 1
> 
> There is no need to reboot after doing this.
> 
> However, this is not the best way of solving the problem, as it relaxes
> security much more than necessary. A better way would be to set the
> SElinux context type of the java libraries to textrel_shlib_t, which
> would have the same effect but only for those particular libraries.
> 
> Paul.
> 
> does this mean that I should ignore the step in the instruction which talks about 
> "Allow the use of shared libraries with Text Relocation".
> and go ahead with the rest of the steps as listed here
> http://stanton-finley.net/fedora_core_5_installation_notes.html under Java and then go back and set the SElinux context type of the java libraries to textrel_shlib_t. ?

Yes, you could do it that way.

However, I think a better way, from both a system maintenance and 
SELinux point of view, would be to use the JPackage RPMs. You need to 
build these yourself due to the way Sun license Java, and this may 
appear at first to be a daunting prospect, but it's not difficult 
really. See: http://www.city-fan.org/tips/JpackageJava

Installing Java using the JPackage RPMs will get all of the SELinux 
contexts set correctly "out of the box" and the software will be managed 
by RPM, just like all the other software on the system. It really is the 
best way IMHO.

Paul.

Paul
thanks alot
after going through the link I now have it.
[fred at localhost i586]$ java -version
java version "1.5.0_09"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_09-b01)
Java HotSpot(TM) Client VM (build 1.5.0_09-b01, mixed mode, sharing)
[fred at localhost i586]$ cd /usr/lib/mozilla/plugins/
[fred at localhost plugins]$ ls
[fred at localhost plugins]$ ls -a
.  ..
[fred at localhost plugins]$ sudo ln -s ../../../lib/jvm/java/jre/plugin/i386/ns7/libjavaplugin_oji.so .
Password:
[fred at localhost plugins]$ ls -l
total 4
lrwxrwxrwx 1 root root 62 Oct  4 03:46 libjavaplugin_oji.so -> ../../../lib/jvm/java/jre/plugin/i386/ns7/libjavaplugin_oji.so

however when I restart firefox, and go to a suitable page, it still asks to install a plugin JRE.

 		
---------------------------------
Do you Yahoo!?
 Everyone is raving about the  all-new Yahoo! Mail.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20061003/ab6a0ac1/attachment.htm>

More information about the fedora-selinux-list mailing list