
I’ve previously plugged [Security and Usability by O'Reilly](http://www.oreilly.com/catalog/securityusability/), a great book that anybody working in the security field should read.
Unfortunately it seems that the Fedora Core developers have not. Their latest release ships with execmod transitions denied by the default SELinux policy (we’ll probably have to work around this in autopackage). This configuration is questionable for three reasons:
* The error message printed might as well be a random number. The only people who will understand _cannot restore segment prot after reloc: permission denied_ are SELinux or glibc developers. It’s useless to anybody who isn’t fluent in ELF.
* The people who see it are the people least likely to know what it means.
* The computer knows what’s wrong, and knows how to fix it, but won’t. Pretty much every usability textbook ever written advises against this.
The result is identical to last time – [masses of end users posting for help on the internet](http://www.google.co.uk/search?q=%22fedora+core+5%22+%22segment+prot%22). The predictable results are:
* People are told to switch SELinux off
* The upstream developers usually don’t understand what the issue is, how to fix it, or why they should care
* People don’t feel in control of their computer, and so the feeling of technology being dark and scary is propagated
For those who are wondering, this message is generated by the dynamic linker when it needs to apply _text relocations_ to the loaded process image. To do this it needs to make an area of code read/write/noexec, patch it, and then shortly afterwards change it back to read/exec – that second change, from writable back to executable on a file-backed mapping, is the _execmod_ permission SELinux checks, so the kernel denies it and startup fails. Text relocations are generated naturally by the toolchain in response to certain code constructs, usually without the developers even knowing what they are. [Mike Frysinger's guide](http://www.gentoo.org/proj/en/hardened/pic-fix-guide.xml) explains how to remove them. Alternatively, in the install scripts mark the libraries that contain text relocs with the appropriate security context, which will allow the transition for that file only.
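As an added illustration of the triage a packager or admin ends up doing (this is example code written for this page, not something from the post or from autopackage): pull the file paths out of the `execmod` AVC denials in the audit log, check whether each library really carries the `TEXTREL` dynamic flag, and print the two remedies described above. The audit lines, readelf output and `/opt/example` paths are constructed samples; `readelf`, `semanage`, `restorecon` and the `textrel_shlib_t` file type are real binutils/Fedora-policy names.

```shell
#!/bin/sh
# Added example, not from the original post. Triage SELinux execmod denials
# caused by shared libraries that contain text relocations.

# Constructed sample audit log lines (not captured from a real system).
SAMPLE_AUDIT='type=AVC msg=audit(1141234567.123:45): avc:  denied  { execmod } for  pid=1234 comm="foo" path="/opt/example/lib/libfoo.so.1" dev=sda3 ino=9876 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file
type=AVC msg=audit(1141234567.200:46): avc:  denied  { read } for  pid=1235 comm="bar" name="secret" dev=sda3 ino=1111 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:shadow_t tclass=file
type=AVC msg=audit(1141234567.300:47): avc:  denied  { execmod } for  pid=1236 comm="baz" path="/opt/example/lib/libbaz.so" dev=sda3 ino=2222 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file'

# Constructed `readelf -d` output for a library with text relocations ...
SAMPLE_READELF_TEXTREL='Dynamic section at offset 0x1234 contains 4 entries:
  Tag        Type                         Name/Value
 0x00000001 (NEEDED)                     Shared library: [libc.so.6]
 0x00000016 (TEXTREL)                    0x0
 0x00000000 (NULL)                       0x0'

# ... and for a clean, position-independent one.
SAMPLE_READELF_CLEAN='Dynamic section at offset 0x1234 contains 3 entries:
  Tag        Type                         Name/Value
 0x00000001 (NEEDED)                     Shared library: [libc.so.6]
 0x00000000 (NULL)                       0x0'

# Print the unique file paths named in execmod denials; other denials are ignored.
execmod_paths() {
    printf '%s\n' "$1" \
        | grep 'denied *{ *execmod *}' \
        | sed -n 's/.*path="\([^"]*\)".*/\1/p' \
        | sort -u
}

# Given `readelf -d` output, succeed (exit 0) if the TEXTREL flag is present.
has_textrel() {
    printf '%s\n' "$1" | grep -q '(TEXTREL)'
}

# Same check run against a real file; fails if readelf is missing or the
# file does not exist, so callers only use it in an `if`.
lib_has_textrel() {
    has_textrel "$(readelf -d "$1" 2>/dev/null)"
}

# Print (do not run) the remedies: rebuild without text relocs, or label
# just this one file so the transition is permitted for it alone.
remediation() {
    cat <<EOF
# Preferred: rebuild $1 without text relocations (see the pic-fix guide).
# Fallback: label only this file; the execmod transition stays denied elsewhere.
semanage fcontext -a -t textrel_shlib_t '$1'
restorecon -v '$1'
EOF
}

# Walk the denials and report on each library.
triage() {
    execmod_paths "$1" | while read -r lib; do
        echo "execmod denied for $lib"
        if lib_has_textrel "$lib"; then
            echo "  readelf confirms a TEXTREL flag"
        else
            echo "  readelf not run or no TEXTREL flag found; inspect manually"
        fi
        remediation "$lib"
    done
}

# Demo on the constructed sample; the /opt/example paths do not exist here.
triage "$SAMPLE_AUDIT"
```

Run it against a real box with `triage "$(ausearch -m avc 2>/dev/null)"` and use the `has_textrel` check on each path before labelling anything: the label is a per-file exception, so it should only be handed to libraries that actually need it.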
The Fedora developers enabled this setting before but quickly disabled it again after it turned out that lots of software in the distribution was broken by it. Since then they’ve modified the software they ship and so enabled it again, screwing over anybody not a part of the “in club” in the process. It’s a shame but not surprising that the great work the desktop developers have done can be so easily unravelled by other parts of the project. It’s come to this thanks to the “if you’re not in the distro you don’t exist” mentality that pervades distro development, along with the SELinux developers’ unsettling habit of reclassifying anything they disagree with as broken or buggy.
A better solution would have been to invert the logic: mark libraries with no text relocs as not needing them, and so execmod transitions can be denied only for programs where it’s known to be safe. The error message should have been changed to output an English explanation of what’s wrong along with a URL where developers can find out more (though hopefully the first change would mean nobody ever saw the error).
The O’Reilly book (a collection of short essays on usable security) [can be read online for free](http://safari.oreilly.com/JVXSL.asp?x=1&mode=section&sortKey=rank&sortOrder=desc&view=section&xmlid=0596008279&k=20&g=&srchText=security+and+usability&code=&h=0&m=&l=1&j=list&catid=&s=1&b=1&f=1&t=1&c=1&u=1&r=&o=1&n=1&d=1&p=1&a=0&page=0).