Difference between revisions of "Running Oolite-Fedora Core 5"

From Elite Wiki
 
m
Line 1: Line 1:
== Oolite on Fedora Core 5 ==
 
 
 
Fedora Core 5 has greatly increased the security level of a desktop Linux build. It includes SElinux, a mandatory access control security system that is unmatched outside of the mainframe world. However, due to the way GNUstep works, this spells trouble for Oolite. GNUstep uses something called 'trampolining' when running, which puts executable code (deliberately) on the heap. The default SElinux policy on Fedora Core 5 forbids an executable heap (for the very good reason that it neuters all buffer overflow attacks against software, since an executable heap allows a malicious person to inject code into buggy programs. No executable heap - and the exploit will not run, because SElinux will abort the process).
 
Fedora Core 5 has greatly increased the security level of a desktop Linux build. It includes SElinux, a mandatory access control security system that is unmatched outside of the mainframe world. However, due to the way GNUstep works, this spells trouble for Oolite. GNUstep uses something called 'trampolining' when running, which puts executable code (deliberately) on the heap. The default SElinux policy on Fedora Core 5 forbids an executable heap (for the very good reason that it neuters all buffer overflow attacks against software, since an executable heap allows a malicious person to inject code into buggy programs. No executable heap - and the exploit will not run, because SElinux will abort the process).
  
Line 16: Line 14:
  
 
You can also turn SElinux from 'Enforcing' to 'Permissive', but it this is not recommended since SElinux does a great deal to help keep your system secure.
 
You can also turn SElinux from 'Enforcing' to 'Permissive', but it this is not recommended since SElinux does a great deal to help keep your system secure.
 +
 +
This may apply to other distributions that have SElinux enabled by default.

Revision as of 18:11, 21 March 2006

Fedora Core 5 has greatly increased the security level of a desktop Linux build. It includes SElinux, a mandatory access control security system that is unmatched outside of the mainframe world. However, due to the way GNUstep works, this spells trouble for Oolite. GNUstep uses something called 'trampolining' when running, which puts executable code (deliberately) on the heap. The default SElinux policy on Fedora Core 5 forbids an executable heap (for the very good reason that it neuters all buffer overflow attacks against software, since an executable heap allows a malicious person to inject code into buggy programs. No executable heap - and the exploit will not run, because SElinux will abort the process).

To run Oolite, at present you must allow an executable heap. This is not an ideal state of affairs, but will have to suffice until GNUstep is fixed or an SElinux policy is created for Oolite to allow this to only apply to the Oolite executable. This is what you need to do to make the Autopackage or tarball installers work on Fedora Core 5.

1. Go to System -> Administration -> Security Level and Firewall
2. Enter your root password
3. Select the SElinux tab
4. Select 'Modify SElinux policy'
5. Scroll down to 'Other' and select it.
6. Tick the checkbox 'allow_execheap'
7. Click OK

Oolite should now be able to run.

You can also turn SElinux from 'Enforcing' to 'Permissive', but it this is not recommended since SElinux does a great deal to help keep your system secure.

This may apply to other distributions that have SElinux enabled by default.