On 6/7/07, a bc <visual00@xxxxxxxxx> wrote:
> how many of you activate selinux in fedora here? i know it will be more security for the computer.
I do, because I'm paranoid, and it's not _that_ intrusive. It's even got much more friendly in FC7. Example:

    Jun 6 01:50:12 localhost kernel: alisp[18003]: segfault at 0000000000000000 rip 000000356866d631 rsp 00007fffe4e2f750 error 6
    Jun 6 01:50:14 localhost setroubleshoot: SELinux is preventing /usr/local/acl81b.64/alisp from loading /usr/local/acl81b.64/libacli81b21.so which requires text relocation. For complete SELinux messages. run sealert -l 170863e2-f41d-4d78-b57d-7d4a9a1872fa

I do as I'm told, and get an explanation and instructions to let me carry on:

    Summary
        SELinux is preventing /usr/local/acl81b.64/alisp from loading /usr/local/acl81b.64/libacli81b21.so which requires text relocation.

    Detailed Description
        The /usr/local/acl81b.64/alisp application attempted to load /usr/local/acl81b.64/libacli81b21.so which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The http://people.redhat.com/drepper/selinux-mem.html web page explains how to remove this requirement. You can configure SELinux temporarily to allow /usr/local/acl81b.64/libacli81b21.so to use relocation as a workaround, until the library is fixed. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

    Allowing Access
        If you trust /usr/local/acl81b.64/libacli81b21.so to run correctly, you can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t /usr/local/acl81b.64/libacli81b21.so"

        The following command will allow this access:
        chcon -t textrel_shlib_t /usr/local/acl81b.64/libacli81b21.so

etc.
> is it useful on a desktop computer? why does fedora 7 activate it as default?
I'm much more worried about Fedora activating rpc, nfs, sendmail &al by default.

Andras