GIMP help shouldn't need execstack, should it?

Gregory Maxwell gmaxwell at gmail.com
Fri Jan 7 15:59:41 UTC 2011


On Fri, Jan 7, 2011 at 10:25 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
> We have had a slew of bugzillas on this lately.  I think some libraries
> in rpmfusion or one of the other Not Fully Open, yum repositories have
> some libraries that are marked as requiring execstack.
>
> We have been closing these with a link to this bugzilla.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=652297#c5
>
> I have hard coded my comment in it on how to look for the libraries.

Perhaps RPM/Yum should be modified to refuse to install libraries set
to execstack without some kind of override, or at least a nasty
warning. "Warning: Package FOO compromises system security. See here
for more information:"

This is a usability problem and it needs to be resolved but it is not
going to be resolved by closing dozens of bugs and telling people to
"setsebool -P allow_execstack 1", nor is resolving the usability
problem by disabling the non-executable stack in the default install
acceptable.

This is especially bad in that some of the triggering libraries are
media codecs which get exposed to potentially hostile files from third
parties.
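The check that the thread refers to (finding which installed libraries carry an executable-stack request) is normally done with `execstack -q` or `readelf -lW` and looking at the `GNU_STACK` segment. As an added example, not code from this thread or from Fedora, here is a small self-contained Python version that reads the PT_GNU_STACK program header directly and walks a directory tree, so it can be run on a package's payload before installation or on `/usr/lib64` afterwards. The `build_elf` helper and the file names in `demo()` are constructed samples for illustration only; an object with no PT_GNU_STACK header at all is reported too, since older loaders treat that absence as a request for an executable stack.

```python
"""Find ELF shared objects whose PT_GNU_STACK header asks for an executable stack."""
import os
import struct

PT_GNU_STACK = 0x6474E551   # program header type carrying the stack permission request
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def gnu_stack_flags(data):
    """Return the p_flags of the PT_GNU_STACK program header, or None if the ELF has none."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"          # EI_DATA: 1 = little-endian, 2 = big-endian
    if ei_class == 2:                            # ELF64 header layout
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        fmt, flags_idx = end + "IIQQQQQQ", 1     # p_type, p_flags, offset, vaddr, paddr, filesz, memsz, align
    elif ei_class == 1:                          # ELF32 header layout
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        fmt, flags_idx = end + "IIIIIIII", 6     # p_type, offset, vaddr, paddr, filesz, memsz, p_flags, align
    else:
        raise ValueError("unknown ELF class")
    for i in range(e_phnum):
        phdr = struct.unpack_from(fmt, data, e_phoff + i * e_phentsize)
        if phdr[0] == PT_GNU_STACK:
            return phdr[flags_idx]
    return None


def stack_policy(data):
    """Classify an ELF image as 'execstack', 'noexecstack' or 'missing' (no PT_GNU_STACK header)."""
    flags = gnu_stack_flags(data)
    if flags is None:
        return "missing"
    return "execstack" if flags & PF_X else "noexecstack"


def scan_tree(root):
    """Walk a directory and return {path: policy} for every ELF object that is not 'noexecstack'."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    data = f.read()
                policy = stack_policy(data)
            except (OSError, ValueError, struct.error):
                continue   # unreadable, not an ELF file, or truncated headers: skip it
            if policy != "noexecstack":
                findings[path] = policy
    return findings


def build_elf(stack_flags=None):
    """Constructed sample: minimal little-endian ELF64 ET_DYN image with an optional PT_GNU_STACK header."""
    phnum = 0 if stack_flags is None else 1
    # e_ident, then e_type=ET_DYN, e_machine=x86-64, e_version, e_entry, e_phoff=64, e_shoff,
    # e_flags, e_ehsize=64, e_phentsize=56, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr = (b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
            + struct.pack("<HHIQQQIHHHHHH", 3, 0x3E, 1, 0, 64, 0, 0, 64, 56, phnum, 0, 0, 0))
    if phnum == 0:
        return ehdr
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr


def demo():
    """Write constructed samples into a temp dir, scan it, and return sorted (name, policy) findings."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        samples = {"libexec.so": build_elf(PF_R | PF_W | PF_X),   # asks for RWX stack: the bad case
                   "libsafe.so": build_elf(PF_R | PF_W),          # RW stack: what a clean build emits
                   "libold.so": build_elf(None),                  # no header at all
                   "README": b"not an ELF"}                       # non-ELF file, skipped
        for name, blob in samples.items():
            with open(os.path.join(tmp, name), "wb") as f:
                f.write(blob)
        found = scan_tree(tmp)
        return sorted((os.path.basename(p), pol) for p, pol in found.items())


if __name__ == "__main__":
    for name, policy in demo():
        print(f"{policy:12} {name}")
```

Pointing `scan_tree` at an unpacked RPM payload gives a packager the same information an installer-side refusal or warning would need, without touching the SELinux boolean; a library that shows up as `execstack` should be rebuilt with a `.note.GNU-stack` section (or linked with `-z noexecstack`) rather than waved through.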

