Date: | Wed, 30 May 2007 10:39:13 +0200 |
Content-Type: | text/plain |
On 30/05/07 08:06, Keith Lofstrom wrote:
> Any selinux experts here?
>
> SL5 comes with a suggestion to set selinux to "enforced" mode, so I
> tried it. Later, I installed openvpn (2.0.9-1.el5.rf from dag) and
> lzo2 (2.02-2.el5.rf) to work with it. When I ran openvpn (as root),
> I got an error message (linewraps added by me):
>
> Starting openvpn: /usr/sbin/openvpn: error while loading shared \
> libraries: liblzo2.so.2: cannot enable executable stack as shared \
> object requires: Permission denied
>
> When I set /etc/selinux/config to "permissive", the error goes away,
> and openvpn works fine, but that is less secure, I assume.
>
> Is there something simple I can do so that selinux is happy with
> this library, now and after some potential update in the future?
See
http://www.crypt.gen.nz/selinux/faq.html#CP.19
and
http://danwalsh.livejournal.com/6117.html?thread=23781
In short, see via "execstack -q" whether the application or shared libs
want an executable stack, try "execstack -c" to see whether it will work
without, file bug with maintainer.
You can also selectively tune your SELinux policy:
use "getsebool allow_execstack" to check,
"setsebool -P allow_execstack=1" to (persistently) set it. But this
affects all applications, not just the one that falls over.
Regards
Jan