Choosing A Webhost:
A web hosting service is a type of Internet hosting service that allows individuals and organizations to provide their own website accessible via the World Wide Web. Web hosts are companies that provide space on a server they own for use by their clients as well as providing Internet connectivity, typically in a data center. Web hosts can also provide data center space and connectivity to the Internet for servers they do not own to be located in their data center, called colocation. more...
|
execmem and targeted policy: msg#00073
|
Subject: |
execmem and targeted policy |
Hi,
I noticed that as of a recent rawhide update that Eclipse stopped
working:
audit(1108057938.336:0): avc: denied { execmem } for pid=14065 comm=eclipse
scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t
tclass=process
Chatting with Dan, this is apparently because the execmem permission was
dropped from unconfined_domain recently.
We can't do this in targeted policy because it would require us to know
about (and specially label) all such programs. We could potentially
label /usr/bin/eclipse as unconfined_execmem_t or whatever since we have
Eclipse packages in Fedora. However, I am almost positive the Sun JVM
requires this permission too, and if we go this route, then every person
who untars the Sun JVM and tries to run Java programs will run into this
problem.
This is against the philosophy of the targeted policy in that it affects
programs outside of the targeted daemon set. My worry is that for every
person (like me) who tracks down this problem and finds a workaround,
there will be 999 others who disable SELinux entirely. And that's bad,
because we need it to be enabled by default so we can use it to confine
the programs that really need it.
(Dan says that textrel_shlib_t has a similar issue)
One approach might be to have e.g. bin_t and bin_nonexecmem_t. We label
programs that we know work as bin_nonexecmem_t.
|
| |
