Old 11-25-2009, 10:00 AM
Braden McDaniel
 
Default execstack fun

I develop software on Fedora. Since upgrading to Fedora 12, I now trip
over this when my program tries to dlopen libjvm.so:

SELinux is preventing /var/user/braden/openvrml-dbg/examples/.libs/lt-sdl-viewer
from making the program stack executable.

Changing the context of the executable each time it's built isn't
especially practical; and disabling this check for everything on the
system isn't especially desirable. Is there a better way to manage
this?


--
Braden McDaniel <braden@endoframe.com>

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 11-25-2009, 11:26 AM
Daniel J Walsh
 
Default execstack fun

On 11/25/2009 06:00 AM, Braden McDaniel wrote:
> I develop software on Fedora. Since upgrading to Fedora 12, I now trip
> over this when my program tries to dlopen libjvm.so:
>
> SELinux is preventing /var/user/braden/openvrml-dbg/examples/.libs/lt-sdl-viewer
> from making the program stack executable.
>
> Changing the context of the executable each time it's built isn't
> especially practical; and disabling this check for everything on the
> system isn't especially desirable. Is there a better way to manage
> this?
>
>
I was planning to bring this up for discussion. I could write a rule that says

unconfined_t->user_home_t->unconfined_execmem_t
unconfined_t->user_tmp_t->unconfined_execmem_t


Which would mean that any executables executed from the home dir would execute in execmem_t since we do not know if they are java/mono/or some other lang that requires execmem/execstack.

This would allow us to stop all executables that are installed on the system to require correct labeling.


What do you think?

 
Old 11-25-2009, 03:25 PM
"Jason L Tibbitts III"
 
Default execstack fun

>>>>> "DJW" == Daniel J Walsh <dwalsh@redhat.com> writes:

DJW> Which would mean that any executables executed from the home dir
DJW> would execute in execmem_t since we do not know if they are
DJW> java/mono/or some other lang that requires execmem/execstack.

How would this work for home directories on NFS? (Actually I've always
been unsure of how NFS home directories are supposed to be handled,
especially when they're automounted and may be accessed by multiple
different operating systems.)

- J<

 
Old 11-25-2009, 04:23 PM
Braden McDaniel
 
Default execstack fun

On Wed, 2009-11-25 at 07:26 -0500, Daniel J Walsh wrote:
> On 11/25/2009 06:00 AM, Braden McDaniel wrote:
> > I develop software on Fedora. Since upgrading to Fedora 12, I now trip
> > over this when my program tries to dlopen libjvm.so:
> >
> > SELinux is preventing /var/user/braden/openvrml-dbg/examples/.libs/lt-sdl-viewer
> > from making the program stack executable.
> >
> > Changing the context of the executable each time it's built isn't
> > especially practical; and disabling this check for everything on the
> > system isn't especially desirable. Is there a better way to manage
> > this?
> >
> >
> I was planning to bring this up for discussion. I could write a rule that says
>
> unconfined_t->user_home_t->unconfined_execmem_t
> unconfined_t->user_tmp_t->unconfined_execmem_t
>
>
> Which would mean that any executables executed from the home dir would execute in execmem_t since we do not know if they are java/mono/or some other lang that requires execmem/execstack.
>
> This would allow us to stop all executables that are installed on the system to require correct labeling.
>
>
> What do you think?

Sounds reasonable. But mine is not an expert opinion.


--
Braden McDaniel <braden@endoframe.com>

 
Old 11-25-2009, 06:13 PM
Daniel J Walsh
 
Default execstack fun

On 11/25/2009 11:25 AM, Jason L Tibbitts III wrote:
>>>>>> "DJW" == Daniel J Walsh <dwalsh@redhat.com> writes:
>
> DJW> Which would mean that any executables executed from the home dir
> DJW> would execute in execmem_t since we do not know if they are
> DJW> java/mono/or some other lang that requires execmem/execstack.
>
> How would this work for home directories on NFS? (Actually I've always
> been unsure of how NFS home directories are supposed to be handled,
> especially when they're automounted and may be accessed by multiple
> different operating systems.)
>
> - J<
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
>
In the case of nfs homedir, the homedir is labeled nfs_t,
so the transition would have to be

unconfined_t->nfs_t->unconfined_execmem_t


unconfined_t->cifs_t->unconfined_execmem_t

for samba home dirs.

 
