SCIENTIFIC-LINUX-USERS Archives

May 2007

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: "Michael H. Semcheski" <[log in to unmask]>
Reply To: Michael H. Semcheski
Date: Wed, 30 May 2007 08:10:13 -0400
Nota bene: I had to turn off selinux's monitoring of httpd to get user
directories (i.e., www.this.edu/~mike)...

On 5/30/07, Jan Iven <[log in to unmask]> wrote:
>
> On 30/05/07 08:06, Keith Lofstrom wrote:
> > Any selinux experts here?
> >
> > SL5 comes with a suggestion to set selinux to "enforced" mode, so I
> > tried it.  Later, I installed openvpn (2.0.9-1.el5.rf from dag) and
> > lzo2 (2.02-2.el5.rf) to work with it.  When I ran openvpn (as root),
> > I got an error message (linewraps added by me):
> >
> >   Starting openvpn: /usr/sbin/openvpn: error while loading shared \
> >   libraries: liblzo2.so.2: cannot enable executable stack as shared \
> >   object requires: Permission denied
> >
> > When I set /etc/selinux/config to "permissive", the error goes away,
> > and openvpn works fine, but that is less secure, I assume.
> >
> > Is there something simple I can do so that selinux is happy with
> > this library, now and after some potential update in the future?
>
> See
> http://www.crypt.gen.nz/selinux/faq.html#CP.19
> and
> http://danwalsh.livejournal.com/6117.html?thread=23781
>
> In short, see via "execstack -q" whether the application or shared libs
> want an executable stack, try "execstack -c" to see whether it will work
> without, file bug with maintainer.
>
> You can also selectively tune your SELinux policy:
> use "getsebool allow_execstack" to check,
> "setsebool -P allow_execstack=1" to (persistently) set it. But this
> affects all applications, not just the one that falls over.
>
> Regards
> Jan
>

