execstack fun

Braden McDaniel braden at endoframe.com
Wed Nov 25 17:23:27 UTC 2009


On Wed, 2009-11-25 at 07:26 -0500, Daniel J Walsh wrote: 
> On 11/25/2009 06:00 AM, Braden McDaniel wrote:
> > I develop software on Fedora.  Since upgrading to Fedora 12, I now trip
> > over this when my program tries to dlopen libjvm.so: 
> > 
> >         SELinux is preventing /var/user/braden/openvrml-dbg/examples/.libs/lt-sdl-viewer
> >         from making the program stack executable.
> > 
> > Changing the context of the executable each time it's built isn't
> > especially practical; and disabling this check for everything on the
> > system isn't especially desirable.  Is there a better way to manage
> > this?
> > 
> > 
> I was planning to bring this up for discussion.  I could write a rule that says
> 
> unconfined_t->user_home_t->unconfined_execmem_t
> unconfined_t->user_tmp_t->unconfined_execmem_t
> 
> 
> Which would mean that any executables executed from the home dir would execute in execmem_t since we do not know if they are java/mono/or some other lang that requires execmem/execstack.
> 
> This would allow us to stop all executables that are installed on the system to require correct labeling.
> 
> 
> What do you think?

Sounds reasonable.  But mine is not an expert opinion.


-- 
Braden McDaniel <braden at endoframe.com>
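The denial above is raised when the dynamic loader, while dlopen()ing an object, has to mprotect() the thread stacks executable. It does that when the object's PT_GNU_STACK program header carries PF_X, or when the object has no PT_GNU_STACK header at all (the loader then assumes an executable stack). So the first thing to establish is which object is asking for it: the program itself, or libjvm.so. The checker below is an added example, not code from the thread or from Fedora; it parses the ELF program headers directly (32- and 64-bit, either byte order) and reports the verdict. The `make_elf64`/`make_elf32` helpers build constructed minimal ELF images for demonstration and are not real binaries.

```python
"""Report whether an ELF object requests an executable stack.

glibc's loader marks stacks executable when the object's PT_GNU_STACK
header has PF_X set, or when the header is missing entirely.  That
mprotect() is what SELinux denies as "execstack".  Added example for the
fedora-selinux-list thread; not part of Fedora's own tooling.
"""
import struct
import sys

PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4

# (ehdr layout after the 16-byte e_ident, phdr layout, index of p_flags)
_LAYOUT = {
    1: ("HHIIIIIHHHHHH", "IIIIIIII", 6),  # ELFCLASS32: p_flags is 7th field
    2: ("HHIQQQIHHHHHH", "IIQQQQQQ", 1),  # ELFCLASS64: p_flags is 2nd field
}


def gnu_stack_flags(data: bytes):
    """Return p_flags of the PT_GNU_STACK header, or None if absent.

    Raises ValueError for anything that is not a well-formed ELF image.
    """
    if len(data) < 16 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    endian = {1: "<", 2: ">"}.get(ei_data)
    if endian is None or ei_class not in _LAYOUT:
        raise ValueError("unknown EI_CLASS/EI_DATA %d/%d" % (ei_class, ei_data))
    ehdr_fmt, phdr_fmt, flags_idx = _LAYOUT[ei_class]
    ehdr_fmt, phdr_fmt = endian + ehdr_fmt, endian + phdr_fmt
    if len(data) < 16 + struct.calcsize(ehdr_fmt):
        raise ValueError("truncated ELF header")
    ehdr = struct.unpack_from(ehdr_fmt, data, 16)
    e_phoff, e_phentsize, e_phnum = ehdr[4], ehdr[8], ehdr[9]
    if e_phentsize < struct.calcsize(phdr_fmt):
        raise ValueError("e_phentsize too small")
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + e_phentsize > len(data):
            raise ValueError("program header %d runs past end of file" % i)
        phdr = struct.unpack_from(phdr_fmt, data, off)
        if phdr[0] == PT_GNU_STACK:
            return phdr[flags_idx]
    return None


def stack_verdict(data: bytes) -> str:
    """'exec' (PF_X set), 'noexec', or 'missing' (no header: treated as exec)."""
    flags = gnu_stack_flags(data)
    if flags is None:
        return "missing"
    return "exec" if flags & PF_X else "noexec"


def make_elf64(stack_flags=None, endian="<") -> bytes:
    """Constructed minimal ELF64 ET_DYN image with one optional PT_GNU_STACK."""
    phnum = 0 if stack_flags is None else 1
    ident = b"\x7fELF" + bytes([2, 1 if endian == "<" else 2, 1, 0, 0]) + b"\0" * 7
    ehdr = struct.pack(endian + "HHIQQQIHHHHHH",
                       3, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 0, 0, 0)
    phdr = b""
    if phnum:
        phdr = struct.pack(endian + "IIQQQQQQ",
                           PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ident + ehdr + phdr


def make_elf32(stack_flags=None, endian="<") -> bytes:
    """Constructed minimal ELF32 ET_DYN image with one optional PT_GNU_STACK."""
    phnum = 0 if stack_flags is None else 1
    ident = b"\x7fELF" + bytes([1, 1 if endian == "<" else 2, 1, 0, 0]) + b"\0" * 7
    ehdr = struct.pack(endian + "HHIIIIIHHHHHH",
                       3, 3, 1, 0, 52, 0, 0, 52, 32, phnum, 0, 0, 0)
    phdr = b""
    if phnum:
        phdr = struct.pack(endian + "IIIIIIII",
                           PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    return ident + ehdr + phdr


if __name__ == "__main__":
    # Usage: python3 gnustack.py ./lt-sdl-viewer /path/to/libjvm.so
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print("%-8s %s" % (stack_verdict(fh.read()), path))
```

Run it over both the viewer binary and libjvm.so; an "exec" or "missing" verdict on either one is enough to trigger the denial. The prelink package's `execstack -q` reports the same bit, and `execstack -c` clears it, which is the right fix when the object does not actually need an executable stack. If it genuinely does, the per-binary alternative to the systemwide boolean is labeling the executable `unconfined_execmem_exec_t` so it runs in the execmem domain Dan describes.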



