Please disable the SELinux execstack/relro checks before FC5 final

Eric Brunson brunson at brunson.com
Sun Feb 19 17:48:00 UTC 2006


Ulrich Drepper wrote:
> Arjan van de Ven wrote:
>   
>> right now I fear the only sane answer is "set all to permissive
>> behavior"; the minimum for fc5 would be everything that can do plugins
>> of any kind, or uses libraries that tend to get replaced (3D ones ;).
>> But that ends up being a whole whopping lot...
>>     
>
> I'm not so sure.
>
> The most crappy software are all those mozilla/firefox/thunderbird
> plugins.  So, yes, we might need more time for that although I'd rather
> prefer to have a separate domain for those programs.
>
> The NVidia driver also needs an executable stack but nothing else.
>
> What I have not seen are programs which have their own domain and still
> need any of the booleans set.  Somebody should show real evidence that
> any of those domains need the permission checks disabled.
>
> If we cannot move the moz/ffox/tbird into their own domain then, yes,
> disable the checks for unconfined processes.  But we should keep the
> tests for all programs which have their own domain.
>
>   
This NVidia driver issue seems to be cropping up a lot on the forums.  
Is there a fix for it other than setting permissive globally?




