From: Bruno H. <br...@cl...> - 2017-05-30 18:38:17
Hi Don,

> > Yes, it would be useful to enable SELinux checks (at least those
> > that smell like related to "restricted mprotect" or like "write xor
> > execute" or similar, and see how clisp behaves with these checks
> > enabled.
> ...
> However, getsebool also shows
> selinuxuser_execstack --> on
>
> If you want to allow unconfined executables to make their stack
> executable. This should never, ever be necessary. Probably indicates
> a badly coded executable, but could indicate an attack. This
> executable should be reported in bugzilla, you must turn on the
> selinuxuser_execstack boolean.
> setsebool -P selinuxuser_execstack 1

This looks like the one that may be related to libffcall. If you can go
on with experiments, the better. If not, I will pursue this avenue further.

> selinuxuser_execmod --> on
>
> If you want to allow all unconfined executables to use libraries
> requiring text relocation that are not labeled textrel_shlib_t, you
> must turn on the selinuxuser_execmod boolean.
> setsebool -P selinuxuser_execmod 1

clisp doesn't use this feature (it's x86 specific, and the Solaris linker
has produced errors for this situation already for years, IIRC).

Bruno
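Added example, not part of the message above and not code from clisp or libffcall: a static check of whether an ELF file asks for what the two booleans permit, namely an executable stack (PT_GNU_STACK with the execute flag, for execstack) and text relocations (DT_TEXTREL or DF_TEXTREL, for execmod). It assumes a little-endian ELF64 file; build_sample is a hypothetical helper that constructs a tiny test image.

```python
import struct

PT_DYNAMIC, PT_GNU_STACK, PF_X = 2, 0x6474E551, 0x1
DT_NULL, DT_TEXTREL, DT_FLAGS, DF_TEXTREL = 0, 22, 30, 0x4

def elf_exec_traits(data):
    """Return (execstack, textrel) for a little-endian ELF64 image.

    execstack: True/False from PT_GNU_STACK, or None if that header is
               absent (the kernel then uses an architecture-dependent default).
    textrel:   True if the dynamic section declares text relocations.
    """
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_phoff, = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    execstack, textrel = None, False
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        p_type, p_flags, p_offset = struct.unpack_from("<IIQ", data, base)
        p_filesz, = struct.unpack_from("<Q", data, base + 32)
        if p_type == PT_GNU_STACK:
            execstack = bool(p_flags & PF_X)
        elif p_type == PT_DYNAMIC:
            # Walk the 16-byte (d_tag, d_val) entries up to DT_NULL.
            for off in range(p_offset, p_offset + p_filesz, 16):
                d_tag, d_val = struct.unpack_from("<qQ", data, off)
                if d_tag == DT_NULL:
                    break
                if d_tag == DT_TEXTREL or (d_tag == DT_FLAGS and d_val & DF_TEXTREL):
                    textrel = True
    return execstack, textrel

def build_sample(stack_flags, dyn_entries):
    """Constructed test image: ELF64 header, two program headers, dynamic table."""
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_entries + [(DT_NULL, 0)])
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    def phdr(p_type, flags, offset, size):
        return struct.pack("<IIQQQQQQ", p_type, flags, offset, 0, 0, size, size, 8)
    # The dynamic table starts right after the 64-byte header and 2 x 56-byte phdrs.
    return (ehdr + phdr(PT_GNU_STACK, stack_flags, 0, 0)
            + phdr(PT_DYNAMIC, 6, 176, len(dyn)) + dyn)
```

On a real file, call elf_exec_traits(open(path, "rb").read()). A clean result does not cover a program that calls mprotect() on its stack at run time, which SELinux also checks as execstack.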