Do you use SELinux
Andras Simon
szajmi at gmail.com
Thu Jun 7 21:17:37 UTC 2007
On 6/7/07, a bc <visual00 at gmail.com> wrote:
> how many of you activate selinux in fedora here? i know it will be more
> security for the computer.
I do, because I'm paranoid, and it's not _that_ intrusive. It's even
got much more friendly in FC7. Example:
Jun 6 01:50:12 localhost kernel: alisp[18003]: segfault at 0000000000000000 rip 000000356866d631 rsp 00007fffe4e2f750 error 6
Jun 6 01:50:14 localhost setroubleshoot: SELinux is preventing /usr/local/acl81b.64/alisp from loading /usr/local/acl81b.64/libacli81b21.so which requires text relocation. For complete SELinux messages. run sealert -l 170863e2-f41d-4d78-b57d-7d4a9a1872fa
I do as I'm told, and get an explanation and instructions to let me carry on:
Summary
SELinux is preventing /usr/local/acl81b.64/alisp from loading
/usr/local/acl81b.64/libacli81b21.so which requires text relocation.
Detailed Description
The /usr/local/acl81b.64/alisp application attempted to load
/usr/local/acl81b.64/libacli81b21.so which requires text relocation. This
is a potential security problem. Most libraries do not need this permission.
Libraries are sometimes coded incorrectly and request this permission. The
http://people.redhat.com/drepper/selinux-mem.html web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/usr/local/acl81b.64/libacli81b21.so to use relocation as a workaround,
until the library is fixed. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
Allowing Access
If you trust /usr/local/acl81b.64/libacli81b21.so to run correctly, you can
change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t
/usr/local/acl81b.64/libacli81b21.so"
The following command will allow this access:
chcon -t textrel_shlib_t /usr/local/acl81b.64/libacli81b21.so
etc.
> is it useful on a desktop computer? why does fedora 7 activate it as
> default?
I'm much more worried about Fedora activating rpc, nfs, sendmail &al by default.
Andras