From: <don...@is...> - 2017-05-26 16:15:17
Bruno Haible writes:
> Yes, nearly everyone on Linux/x86_64 is seeing this (or a similar)
> crash.

When did this start?

> > make -k check also shows
> >
> > form: (nth-prime 150)
> >
> > *** - Program stack overflow. RESET
>
> Now this means that the default stack size is quite small. What's
> the result of
> $ ulimit -a | grep stack
> ? For me, it's:
> stack size (kbytes, -s) 8192

the current limit (8515) seems to be as high as I can set it.
You consider that to be small?

> > Let me know if I can do anything else useful with this VM before
> > I turn it off.
>
> Yes, it would be useful to enable SELinux checks (at least those
> that smell like related to "restricted mprotect" or like "write xor
> execute" or similar, and see how clisp behaves with these checks
> enabled.

I don't understand selinux very well. And I'm also not sure I
understand what you're looking for, but here's an attempt.
Let me know if it gives you any better ideas.

It seems like there are all sorts of policies that one COULD write,
one that is installed in a given distribution, and the one that
comes with Fedora-Server-dvd-x86_64-25-1.3 is the one I initially
tested. That policy does seem to me to have some strange features,
though.

Just looking at
  getsebool -a | grep selinuxuser
I see
  selinuxuser_execheap --> off
which is what causes the AVC denial in configuring ffcall.
(I verified that by turning it on and redoing config.)
This is described as follows at
https://mgrepl.fedorapeople.org/man_selinux/Fedora18/user.html

  If you want to allow unconfined executables to make their heap
  memory executable. Doing this is a really bad idea. Probably
  indicates a badly coded executable, but could indicate an attack.
  This executable should be reported in bugzilla, you must turn on
  the selinuxuser_execheap boolean.
  setsebool -P selinuxuser_execheap 1

However, getsebool also shows
  selinuxuser_execstack --> on

  If you want to allow unconfined executables to make their stack
  executable. This should never, ever be necessary. Probably
  indicates a badly coded executable, but could indicate an attack.
  This executable should be reported in bugzilla, you must turn on
  the selinuxuser_execstack boolean.
  setsebool -P selinuxuser_execstack 1

I don't understand why that one is on by default.
But when I turn it off and do make -k check for clisp I don't see
any AVC denials.

  selinuxuser_execmod --> on

  If you want to allow all unconfined executables to use libraries
  requiring text relocation that are not labeled textrel_shlib_t,
  you must turn on the selinuxuser_execmod boolean.
  setsebool -P selinuxuser_execmod 1

I don't quite follow all that, but again, turning it off doesn't
cause any AVC denials in clisp make -k check.

I don't see any booleans with protect (or even prot) in the name.
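
A small probe for the two memory checks discussed in this message, added here as an example; it is not part of the original email and is not clisp or ffcall code. It asks the kernel to make a heap page and a stack page executable and reports whether the request is allowed, which is the request the selinuxuser_execheap and selinuxuser_execstack booleans govern. The function names are hypothetical, and it assumes Linux with glibc.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

/* Ask the kernel to make the page holding addr read+write+execute.
   Returns 1 if allowed, 0 if denied with EACCES (what an SELinux denial
   returns), -1 on any other error. Nothing is executed from the page,
   and it is set back to read+write afterwards. */
int probe_rwx(void *addr)
{
    uintptr_t pagesz = (uintptr_t)sysconf(_SC_PAGESIZE);
    void *page = (void *)((uintptr_t)addr & ~(pagesz - 1));
    if (mprotect(page, pagesz, PROT_READ | PROT_WRITE | PROT_EXEC) == 0) {
        mprotect(page, pagesz, PROT_READ | PROT_WRITE);
        return 1;
    }
    return errno == EACCES ? 0 : -1;
}

/* Heap case (selinuxuser_execheap for unconfined processes).
   Assumption: a small malloc() is served from the brk heap (glibc default). */
int probe_heap(void)
{
    char *p = malloc(64);
    if (p == NULL) return -1;
    int r = probe_rwx(p);
    free(p);
    return r;
}

/* Stack case (selinuxuser_execstack): probe the page holding a local. */
int probe_stack(void)
{
    char local = 0;
    return probe_rwx(&local);
}

const char *verdict(int r)
{
    return r == 1 ? "allowed" : r == 0 ? "denied (EACCES)" : "error";
}

int main(void)
{
    printf("heap  -> rwx: %s\n", verdict(probe_heap()));
    printf("stack -> rwx: %s\n", verdict(probe_stack()));
    return 0;
}
```

Running it once with each boolean off and once with it on, and comparing the output with the AVC denials logged, shows which check a given policy enforces.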