nota bene: I had to turn off selinux' monitoring httpd to get user directories (ie, www.this.edu/~mike)... On 5/30/07, Jan Iven <[log in to unmask]> wrote: > > On 30/05/07 08:06, Keith Lofstrom wrote: > > Any selinux experts here? > > > > SL5 comes with a suggestion to set selinux to "enforced" mode, so I > > tried it. Later, I installed openvpn (2.0.9-1.el5.rf from dag) and > > lzo2 (2.02-2.el5.rf) to work with it. When I ran openvpn (as root), > > I got an error message (linewraps added by me): > > > > Starting openvpn: /usr/sbin/openvpn: error while loading shared \ > > libraries: liblzo2.so.2: cannot enable executable stack as shared \ > > object requires: Permission denied > > > > When I set /etc/selinux/config to "permissive", the error goes away, > > and openvpn works fine, but that is less secure, I assume. > > > > Is there something simple I can do to so that selinux is happy with > > this library, now and after some potential update in the future? > > See > http://www.crypt.gen.nz/selinux/faq.html#CP.19 > and > http://danwalsh.livejournal.com/6117.html?thread=23781 > > In short, see via "execstack -q" whether the aplication or shared libs > want an executable stack, try "execstack -c" to see whether it will work > without, file bug with maintainer. > > You can also selectively tune your SELInux policy: > use "getsebool allow_execstack" to check, > "setsebool -P allow_execstack=1" tp (persistently) set it. But this > affects all applications, not just the one that falls over. > > Regards > Jan >