SELinux and NSS [was: Problem with NSS update - Firefox, Evolution]
Jonathan Berry
berryja at gmail.com
Sat Feb 25 06:38:21 UTC 2006
On 2/15/06, Daniel J Walsh <dwalsh at redhat.com> wrote:
> Jonathan Berry wrote:
> > On 2/13/06, Daniel J Walsh <dwalsh at redhat.com> wrote:
> > [snip]
> >> Try setsebool -P allow_execstack=1
> >
> > Yes, this allows both Firefox and Evolution to start up normally.
> > What exactly does this do? Doesn't appear to be a very security
> > conscious fix. Does this just mean that NSS needs an executable stack
> > and wasn't given one?
> >
> > Jonathan
> >
> Yes. We are investigating why it needs an executable stack.
>
> Looks like this is an initialization thing. So after the first time you
> can turn it off. Although I think flash player needs it too.
After installing Core 5 Test 3, I am not seeing any more issues with
this. In fact, I had not in my Test 2 (and updates) install after
running the above command, but I was not sure if something got fixed
or if the command just "stuck." It seems the -P writes the setting to
file, but I do not remember completely. I cannot check that since I
cannot seem to get a man page for setsebool, even though it is
mentioned in the selinux man page.
$ man setsebool
No manual entry for setsebool
Is something wrong here? From "man selinux":
SEE ALSO
booleans(8), setsebool(8), selinuxenabled(8), togglesebool(8), restore-
Jonathan
More information about the fedora-test-list
mailing list