I used this description to move my openSUSE Tumbleweed system
Operating System: openSUSE Tumbleweed 20260126
KDE Plasma Version: 6.5.5
KDE Frameworks Version: 6.22.0
Qt Version: 6.10.1
Kernel Version: 6.18.7-1-default (64-bit)
Graphics Platform: X11
Graphics Processor: Intel® Iris® Xe Graphics
from apparmor to selinux. All went fine …
# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 35
I have google-earth installed from here
# zypper se -si google-earth
Loading repository data...
Reading installed packages...
S | Name | Type | Version | Arch | Repository
---+-------------------------+---------+---------------+--------+-----------------------
i+ | google-earth-pro-stable | package | 7.3.6.10441-0 | x86_64 | Google Earth for Linux
#
which worked fine with apparmor. Starting it now will result in
> ./google-earth-pro
/opt/google/earth/pro/googleearth-bin: error while loading shared libraries: libcrypto.so.1.0.0: cannot enable executable stack as shared object requires: Permission denied
>
So I ran
# ausearch -m avc -ts today | audit2allow
#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'selinuxuser_execstack'
allow unconfined_t self:process execstack;
#
When I do
setsebool -P selinuxuser_execstack=1
google-earth will start successfully.
However
# semanage boolean -l | grep selinuxuser_execstack
selinuxuser_execstack (aus , aus) Allow unconfined executables to make their stack executable. This should never, ever be necessary.
Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
gives me the impression that it might not be a good idea to set selinuxuser_execstack=1.
How should I handle this?
Any advice welcome.