On 30/05/07 08:06, Keith Lofstrom wrote: > Any selinux experts here? > > SL5 comes with a suggestion to set selinux to "enforced" mode, so I > tried it. Later, I installed openvpn (2.0.9-1.el5.rf from dag) and > lzo2 (2.02-2.el5.rf) to work with it. When I ran openvpn (as root), > I got an error message (linewraps added by me): > > Starting openvpn: /usr/sbin/openvpn: error while loading shared \ > libraries: liblzo2.so.2: cannot enable executable stack as shared \ > object requires: Permission denied > > When I set /etc/selinux/config to "permissive", the error goes away, > and openvpn works fine, but that is less secure, I assume. > > Is there something simple I can do to so that selinux is happy with > this library, now and after some potential update in the future? See http://www.crypt.gen.nz/selinux/faq.html#CP.19 and http://danwalsh.livejournal.com/6117.html?thread=23781 In short, see via "execstack -q" whether the aplication or shared libs want an executable stack, try "execstack -c" to see whether it will work without, file bug with maintainer. You can also selectively tune your SELInux policy: use "getsebool allow_execstack" to check, "setsebool -P allow_execstack=1" tp (persistently) set it. But this affects all applications, not just the one that falls over. Regards Jan