I am *this* close to disabling selinux!

David Kramer david at thekramers.net
Sun Apr 29 10:10:58 EDT 2007


Matthew Gillen wrote:
>> Did it change the default policy, or just the running policy?
> 
> Neither.  It set a property on the file itself (stored by the filesystem).
> The texrel_shlib_t is basically a group that needs to do something that most
> programs shouldn't need to do.  Video codecs are notorious for this
> technique though (which is probably one of the reasons they have so many
> security problems).

Yeah, I finally understood that after I sent that email through more
Googling, and studying sealert's output more closely.

>> So yes, there's this pretty good tool if you stumble upon it, but how
>> can you have a tool that's so invasive without accessible documentation?
> 
> That issue is sort of endemic to linux in general ;-)

Agreed, of course, but most of the software that affects the whole
system like that is better documented, with the clear exception of X
configuration, which will always be black magic.

> Part of the answer is that it's still being developed.  You might look at this
> site for more info on the setroubleshoot tool:
> https://hosted.fedoraproject.org/projects/setroubleshoot

While that page is now only moderately useful, it's a good start, and
it's a place to capture more information.  After I read more of what's
there now, I'll see if I can contribute anything.

Thanks.
