[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Please disable the SELinux execstack/relro checks before FC5 final



fre, 17 02 2006 kl. 11:42 +0100, skrev Arjan van de Ven:
> Hi,
> 
> I'm hereby asking to disable/remove the SELinux execstack/relro checks
> before FC5 ships. The current state of affairs will only lead to people
> using big-hammer approaches in disabling selinux or big chunks thereof
> (based on "solutions" they find with google), which is worse than not
> having this protection in the first place.
> 
> The technology is not finished yet. What I can imagine being useful is:
> 1) having the security config tool do a scan for libs/binaries that are
> not labeled correctly yet and present a dialog to add permissions,
> including an explanation of what the consequences are
> 2) a dbus message on failure so that the desktop can pop up a "<this
> application> tried to use <this insecure library> which is most likely a
> security risk. In case you downloaded this plugin deliberately, make
> sure you want this" or something
> 
> As it is right now, it's just one more thing people will just disable
> and hate selinux more for.  


I tend to agree, it's a great feature but we need better handling of it
- I assume the plan is to enable it early in the FC6 cycle again then?

- David
-- 
Obligatory shameless blog plug - the GNOME commentary located at:
www.lovesunix.net/blog


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]