Please disable the SELinux execstack/relro checks before FC5 final

David Nielsen gnomeuser at gmail.com
Fri Feb 17 11:28:43 UTC 2006


Fri, 17 02 2006 at 11:42 +0100, Arjan van de Ven wrote:
> Hi,
> 
> I'm hereby asking to disable/remove the SELinux execstack/relro checks
> before FC5 ships. The current state of affairs will only lead to people
> using big-hammer approaches in disabling selinux or big chunks thereof
> (based on "solutions" they find with google), which is worse than not
> having this protection in the first place.
> 
> The technology is not finished yet. What I can imagine being useful is:
> 1) having the security config tool do a scan for libs/binaries that are
> not labeled correctly yet and present a dialog to add permissions,
> including an explanation of what the consequences are
> 2) a dbus message on failure so that the desktop can pop up a "<this
> application> tried to use <this insecure library> which is most likely a
> security risk. In case you downloaded this plugin deliberately, make
> sure you want this" or something
> 
> As it is right now, it's just one more thing people will just disable
> and hate selinux more for.  


I tend to agree, it's a great feature but we need better handling of it
- I assume the plan is to enable it early in the FC6 cycle again then?

- David
-- 
Obligatory shameless blog plug - the GNOME commentary located at:
www.lovesunix.net/blog



