[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Axiom-developer] Re: [Gcl-devel] Re: unexec and fedora core 4
From: |
Camm Maguire |
Subject: |
[Axiom-developer] Re: [Gcl-devel] Re: unexec and fedora core 4 |
Date: |
09 Dec 2005 16:43:44 -0500 |
User-agent: |
Gnus/5.09 (Gnus v5.9.0) Emacs/21.2 |
Greetings!
OK, here is what I believe now to be the case -- the SELinux option
allow_execmem, which is 'active' on the bad box, is causing the
problem. All is well if one takes the drastic action of
sudo /bin/sh -c "/usr/sbin/setenforce 0"
but will probably allso work if one changes
/etc/selinux/strict/src/policy/domains/user.te:bool allow_execmem false;
to
/etc/selinux/strict/src/policy/domains/user.te:bool allow_execmem true;
and
sudo /bin/sh -c "cd /etc/selinux/strict/src/policy && make load"
though I have not confirmed this not wanting to hose the machine in
question.
The security people appear to persist in their (IMHO quite erroneous)
assumption that there is no legitimate need for an executable heap.
Tim Daly likely has further thoughts on this, but I saw the comment
again here:
http://copilotconsulting.com/mail-archives/selinux.2005/msg02006.html
Take care,
Camm Maguire <address@hidden> writes:
> Juho Snellman <address@hidden> writes:
>
> > <address@hidden> wrote:
> > > Greetings! I am a developer of GCL, which shares unexec with emacs.
> > > I have noticed on certain recent Fedora Core 4 machines, binaries
> > > produced with unexec cannot mprotect memory (allocated with brk)
> > > PROT_EXEC (returning EACCESS, i.e. permission denied), whereas
> > > binaries output by ld can do so just fine. This does not vary with
> > > exec-shield or randomize_va_space settings, and appears quite machine
> > > specific. The same binary which functions perfectly normally on one
> > > fc4 machine shows this failure only on another machine. I have as yet
> > > been unable to correlate this with dynamic library placement, or other
> > > settings in /proc/sys.
> >
> > Just a guess, but this might be related to SELinux. Do the machines
> > have differences in /etc/selinux/config?
> >
>
> Bingo! (I think) The config files are identical, but the problem
> machine has a 'strict' subdirectory with a host of files and options.
> Any idea of what I should look for herein, and what this could have to
> do with unexec vs ld?
>
> Thank you so much!
>
> > --
> > Juho Snellman
> >
> >
> >
> > _______________________________________________
> > Gcl-devel mailing list
> > address@hidden
> > http://lists.gnu.org/mailman/listinfo/gcl-devel
> >
> >
> >
>
> --
> Camm Maguire address@hidden
> ==========================================================================
> "The earth is but one country, and mankind its citizens." -- Baha'u'llah
>
>
> _______________________________________________
> Gcl-devel mailing list
> address@hidden
> http://lists.gnu.org/mailman/listinfo/gcl-devel
>
>
>
--
Camm Maguire address@hidden
==========================================================================
"The earth is but one country, and mankind its citizens." -- Baha'u'llah
- [Axiom-developer] Re: [Gcl-devel] Re: unexec and fedora core 4,
Camm Maguire <=