From: Bruno H. <br...@cl...> - 2017-05-23 00:39:35
Hi Don,

> Now gunzip,tar, read instructions and do mkdir, cd, ../configure
>
> At this point I see a new AVC in audit.log:
>
> type=AVC msg=audit(1495493082.183:494): avc: denied { execheap } for pid=3540 comm="conftest" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
>
> The end of the configure shows:
> checking for working shared memory... (cached) yes
> checking for sys/sysmacros.h... (cached) yes
> checking whether code in malloc()ed memory is executable... (cached) no
> checking whether mprotect can make malloc()ed memory executable... (cached) no
> checking whether mprotect can make mmap()ed memory executable... (cached) yes
> configure: creating ./config.status
> config.status: creating Makefile
> config.status: creating config.h
> config.status: creating trampoline_r.h
> config.status: executing libtool commands
> [root@localhost builddir]#
>
> This is probably what you expect.
> I now try make - no new AVC.
> then make check - still no new AVC -- which surprises me.

Good. This means that the workaround for Linux+PaX or SELinux kernels and for HardenedBSD, that I added to libffcall on 2017-01-29, is working fine. 1 log message during configuration is acceptable, I think.

> (maybe you should update unix/INSTALL ?)

Done.

> Not sure why, but this seems to be my traditional configure:
> ./configure CC='gcc -m64' --with-libsigsegv-prefix=/usr/local
> --disable-maintainer-mode --with-debug --with-module=rawsock build-dir

Ouch. Don't install libraries in /usr/local *EVER*. You'll invariably get trapped by a decades-old GCC bug if you do so. /usr/local is ONLY good for executables. Any other --prefix value is OK; only /usr/local is so bad.

Bruno
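The two mprotect checks from the quoted configure output, as an added example that is not part of the original message and is not libffcall's configure code: a simplified probe that asks the kernel whether a heap page and an anonymous mmap()ed page may be made executable. The function names are hypothetical, and the probe only tests whether the `mprotect` call is permitted; it does not run code from the page.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* for MAP_ANONYMOUS under strict -std= */
#endif
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical helper: round an address down to the start of its page. */
static uintptr_t page_floor(uintptr_t addr, uintptr_t pagesize)
{
    return addr & ~(pagesize - 1);
}

/* 1 = kernel lets a heap page gain PROT_EXEC, 0 = denied, -1 = setup failed.
 * Under SELinux a denial here is logged as the execheap AVC quoted above. */
static int probe_heap_exec(void)
{
    long ps = sysconf(_SC_PAGESIZE);
    if (ps <= 0) return -1;
    /* Two pages: small enough that glibc normally serves it from the brk heap. */
    char *p = malloc(2 * (size_t)ps);
    if (p == NULL) return -1;
    /* First page boundary inside the block; one whole page fits after it. */
    void *pg = (void *)page_floor((uintptr_t)p + ps - 1, (uintptr_t)ps);
    int ok = mprotect(pg, (size_t)ps, PROT_READ | PROT_WRITE | PROT_EXEC) == 0;
    if (ok) mprotect(pg, (size_t)ps, PROT_READ | PROT_WRITE);  /* restore */
    free(p);
    return ok;
}

/* Same question for an anonymous mmap()ed page, switched from RW to RX. */
static int probe_mmap_exec(void)
{
    long ps = sysconf(_SC_PAGESIZE);
    if (ps <= 0) return -1;
    void *m = mmap(NULL, (size_t)ps, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED) return -1;
    int ok = mprotect(m, (size_t)ps, PROT_READ | PROT_EXEC) == 0;
    munmap(m, (size_t)ps);
    return ok;
}

int main(void)
{
    printf("mprotect on malloc()ed memory: %s\n", probe_heap_exec() == 1 ? "yes" : "no");
    printf("mprotect on mmap()ed memory:   %s\n", probe_mmap_exec() == 1 ? "yes" : "no");
    return 0;
}
```

On a host with the policy shown in the quoted log, the heap probe is the one expected to report "no" and to leave an `execheap` entry in audit.log.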