[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Please disable the SELinux execstack/relro checks before FC5 final



Hi,

I'm hereby asking to disable/remove the SELinux execstack/relro checks
before FC5 ships. The current state of affairs will only lead to people
using big-hammer approaches in disabling selinux or big chunks thereof
(based on "solutions" they find with google), which is worse than not
having this protection in the first place.

The technology is not finished yet. What I can imagine being useful is:
1) having the security config tool do a scan for libs/binaries that are
not labeled correctly yet and present a dialog to add permissions,
including an explanation of what the consequences are
2) a dbus message on failure so that the desktop can pop up a "<this
application> tried to use <this insecure library> which is most likely a
security risk. In case you downloaded this plugin deliberately, make
sure you want this" or something

As it is right now, it's just one more thing people will just disable
and hate selinux more for.  


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]