Jorge Fábregas <jorge.fabregas@xxxxxxxxx> wrote:

> Ok, there has been a lot of these lately (execstack). I had those with
> AviDemux and solved it by removing execstack from the particular library
> causing it.

I had "execstack" messages with a self-compiled Exim and OpenSSH. Couldn't find any libraries with the execstack flag set (it's been years ago that I had to set execstack... on MPlayer if I remember correctly).

Since I couldn't easily find out what's causing this SELinux error (which includes launching setroubleshootd and eating a significant amount of system resources) I helped myself with some googled calls to "chcon" on the binaries. Creating a custom policy helped as well (as suggested by sealert), but installing a custom policy with "semodule -i" takes a lot of time, and to be honest, I don't fully understand every policy generated by "audit2allow" (some are small and easy to understand but some could get quite large). I don't like to trust security that I don't understand.

Although I wouldn't say that the number of SELinux errors is high, I still found myself running my systems in "permissive mode" most of the time. Because SELinux in permissive mode gives no security, I finally disabled it completely. Some applications are a lot faster now, for example SSH, which no longer has to check/switch SELinux context.

SELinux gives extremely fine-grained control. A nice thing if there's somebody who keeps the SELinux policies up to date for you, like the Fedora team does for their repositories. There's an update every couple of days, so they obviously put a lot of work into it. But SELinux is like hell on earth if you install something that is not covered by the standard policy. If you're not an SELinux expert yourself and don't want to spend most of your time searching the web to fix SELinux issues, you may end up defining aliases for "setenforce 0" and "setenforce 1" because you need them so often. That's not good. ;-)

I always try to make my systems secure in the first place (as if there was no SELinux at all). Hopefully, people don't get too used to SELinux and design their software without security in mind because they fully rely on SELinux to keep bad things from happening.

This is not a rant against SELinux. I'm sure it's very cool if you really understand how everything works and if you can write your own policies without the help of Google. I tried - but failed. Maybe it helps to make SELinux more manageable for non-experts. setroubleshootd/sealert is so slow, it's not very useful. Some of its messages are good to understand but most are not (basically just saying you have to run audit2allow/semodule and install exceptions for everything).

I wish I was better at managing SELinux. Well, maybe one day ...

Greetings,
Andreas

--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
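Added note (not part of Andreas's mail or the thread): the "execstack" denial above is triggered by an ELF file whose PT_GNU_STACK program header carries the execute flag, so the quickest way to find the offending binary or library is to read that header directly rather than guessing with chcon. The Python check below does that for ELF32/ELF64 files; the sample image it is tested on is constructed in the script and is not a real binary.

```python
import struct

PT_GNU_STACK = 0x6474E551  # program header type carrying the stack permissions
PF_X = 0x1                 # execute bit in p_flags

def gnu_stack_executable(data: bytes):
    """True if the ELF image asks for an executable stack (the condition the
    execstack denial reports), False if not, None if no PT_GNU_STACK header."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 2:                                   # ELF64 header layout
        e_phoff = struct.unpack_from(endian + "Q", data, 0x20)[0]
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x36)
    elif ei_class == 1:                                 # ELF32 header layout
        e_phoff = struct.unpack_from(endian + "I", data, 0x1C)[0]
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x2A)
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    flags_off = 4 if ei_class == 2 else 24             # p_flags position within a Phdr
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type = struct.unpack_from(endian + "I", data, off)[0]
        if p_type == PT_GNU_STACK:
            p_flags = struct.unpack_from(endian + "I", data, off + flags_off)[0]
            return bool(p_flags & PF_X)
    return None

def scan_file(path):
    """Same check for a file on disk (cross-check: readelf -lW PATH | grep GNU_STACK)."""
    with open(path, "rb") as fh:
        return gnu_stack_executable(fh.read())

def make_elf64(stack_flags):
    """Constructed minimal ELF64 image (header plus at most one PT_GNU_STACK entry)
    for exercising the check offline; it is not a real, loadable binary."""
    phnum = 0 if stack_flags is None else 1
    ehdr = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)     # 64-bit, little-endian, v1
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    if stack_flags is None:
        return ehdr
    return ehdr + struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)

if __name__ == "__main__":
    for label, flags in (("RWE", 0x7), ("RW", 0x6), ("absent", None)):
        print(label, gnu_stack_executable(make_elf64(flags)))
```

Run scan_file() over the daemon and every library in its ldd output; a True result is the file to rebuild without an executable stack (or clear with execstack -c) instead of relabelling it with chcon.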