New Policy Doesn't Fix It
Colin Walters
walters at redhat.com
Fri Jun 17 11:52:12 UTC 2005
On Fri, 2005-06-17 at 07:40 -0400, Stephen Smalley wrote:
> On Fri, 2005-06-17 at 06:58 -0400, Daniel J Walsh wrote:
> > Are you sure you have allow_execmod set?
> >
> > setsebool -P allow_execmod=1
>
> Per the avc message, the file was labeled usr_t
> (/opt/openoffice.org1.9.104/program/libicudata.so.26.0.1). So unless
> you are allowing execmod to all file types (not a good idea),
For the targeted policy I think we need do need to allow it for
file_type. The original security goal of the targeted policy was that
only a few specific services were confined. We expect Fedora server
administrators to understand SELinux and read documentation about how to
secure their services using it. We cannot expect the same of all of the
many other kinds of people using Fedora; in this particular case, it
looks to me like Daniel is a free software enthusiast tracking the
latest upstream releases of OpenOffice.org. Until we can have some
reasonable expectation of ISV software installers labelling data
correctly, I don't think we can use execmod/execmem for unconfined_t at
all.
More information about the selinux
mailing list