Gus Wirth wrote:
> But doesn't this mean the hardening and/or SELinux are working properly? In other words, the idea is to randomize loading locations in memory in order to prevent buffer overflow attacks in a known location. If you have to turn it off, that means your app can't be used in a hardened environment and you jeopardize the rest of the machine.

The issue is one of compiling and assembly optimizations. *Any* code not compiled with -fPIC will bomb out on SELinux. Position independent code pretty much guarantees performance loss on older x86 architectures.
Personally, I don't care. My x86 systems are new enough to avoid that or I use systems that have had usable position independent code instructions long ago (PowerPC).
I just care that SELinux gets in the way. SELinux is fine for a deployed server. Anything else and it gets old, fast.

> I think the guys at Adobe/Macromedia should be praised for making sure this works in a hardened environment. Despite the fact that Flash itself is evil :)

I wouldn't praise them too much. They probably were forced into it with virtualization on Vista and are using Linux as the guinea pig.
-a
