Please disable the SELinux execstack/relro checks before FC5 final
Arjan van de Ven
arjan at fenrus.demon.nl
Fri Feb 17 10:42:41 UTC 2006
Hi,
I'm hereby asking to disable/remove the SELinux execstack/relro checks
before FC5 ships. The current state of affairs will only lead to people
using big-hammer approaches in disabling selinux or big chunks thereof
(based on "solutions" they find with google), which is worse than not
having this protection in the first place.
The technology is not finished yet. What I can imagine being useful is:
1) having the security config tool do a scan for libs/binaries that are
not labeled correctly yet and present a dialog to add permissions,
including an explanation of what the consequences are
2) a dbus message on failure so that the desktop can pop up a "<this
application> tried to use <this insecure library> which is most likely a
security risk. In case you downloaded this plugin deliberately, make
sure you want this" or something
As it is right now, it's just one more thing people will just disable
and hate selinux more for.
More information about the fedora-devel-list
mailing list