On 30/05/07 08:06, Keith Lofstrom wrote:
> Any selinux experts here?
>
> SL5 comes with a suggestion to set selinux to "enforced" mode, so I
> tried it.  Later, I installed openvpn (2.0.9-1.el5.rf from dag) and
> lzo2 (2.02-2.el5.rf ) to work with it.  When I ran openvpn (as root),
> I got an error message (linewraps added by me):
>
>   Starting openvpn: /usr/sbin/openvpn: error while loading shared \
>   libraries: liblzo2.so.2 : cannot enable executable stack as shared \
>   object requires: Permission denied
>
> When I set /etc/selinux/config to "permissive", the error goes away,
> and openvpn works fine, but that is less secure,  I assume.
>
> Is there something simple I can do to so that selinux is happy with
> this library, now and after some potential update in the future?

See
http://www.crypt.gen.nz/selinux/faq.html#CP.19
and
http://danwalsh.livejournal.com/6117.html?thread=23781

In short, see via "execstack -q" whether the aplication or shared libs
want an executable stack, try "execstack -c" to see whether it will work
without, file bug with maintainer.

You can also selectively tune your SELInux policy:
use "getsebool allow_execstack" to check,
"setsebool -P allow_execstack=1" tp (persistently) set it. But this
affects all applications, not just the one that falls over.

Regards
Jan