From: <don...@is...> - 2017-05-30 19:19:37
> > However, getsebool also shows
> > selinuxuser_execstack --> on
> >
> > If you want to allow unconfined executables to make their stack
> > executable. This should never, ever be necessary. Probably indicates
> > a badly coded executable, but could indicate an attack. This
> > executable should be reported in bugzilla, you must turn on the
> > selinuxuser_execstack boolean.
> > setsebool -P selinuxuser_execstack 1
>
> This looks like the one that may be related to libffcall.

No, libffcall was triggering execheap. It still does in the conftest,
but that qualifies as intended behavior.
I've not yet seen any execstack complaints.

> If you can go on with experiments, the better.
> If not, I will pursue this avenue further.

I should probably read more about selinux anyway.

> > If you want to allow all unconfined executables to use libraries
> > requiring text relocation that are not labeled textrel_shlib_t, you
> > must turn on the selinuxuser_execmod boolean.
> > setsebool -P selinuxuser_execmod 1
>
> clisp doesn't use this feature (it's x86 specific, and the Solaris linker
> has produced errors for this situation already for years, IIRC).

I've not seen any complaints about this one either.
So as far as I know so far, current clisp has no issues with selinux
on latest fedora. (Plenty of other things do, though.)
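
Added example, not part of the original message: the thread turns on telling execheap denials apart from execstack and execmod ones, so this sketch tallies those three denial types per command from audit records and names the boolean that governs each. The log lines are constructed samples, the `demo` command and library path are hypothetical, and `selinuxuser_execheap` is not mentioned in the thread (it is assumed here as the Fedora policy counterpart of the two booleans quoted above).

```python
import re
from collections import defaultdict

# Executable-memory permissions and the boolean governing each for unconfined
# domains. execstack/execmod booleans are quoted in the thread; the execheap
# boolean is an assumption taken from Fedora's policy naming.
BOOLEAN_FOR = {
    "execstack": "selinuxuser_execstack",
    "execheap": "selinuxuser_execheap",
    "execmod": "selinuxuser_execmod",
}

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?\bcomm="(?P<comm>[^"]*)"')

# Constructed sample audit records (not taken from the thread).
SAMPLE_LOG = '''\
type=AVC msg=audit(1496171977.101:310): avc:  denied  { execheap } for  pid=4211 comm="conftest" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
type=AVC msg=audit(1496171978.440:311): avc:  denied  { read } for  pid=4300 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1496171980.002:312): avc:  denied  { execheap } for  pid=4302 comm="conftest" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
type=AVC msg=audit(1496171981.750:313): avc:  denied  { execmod } for  pid=4410 comm="demo" path="/opt/demo/libdemo.so" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1496171981.750:313): arch=c000003e syscall=10 success=no comm="demo"
'''

def exec_memory_denials(log_text):
    """Return {permission: {comm: count}} for execstack/execheap/execmod denials."""
    found = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if "type=AVC" not in line:
            continue  # SYSCALL and other record types carry no permission set
        m = AVC_RE.search(line)
        if not m:
            continue
        for perm in m.group("perms").split():
            if perm in BOOLEAN_FOR:
                found[perm][m.group("comm")] += 1
    return {perm: dict(comms) for perm, comms in found.items()}

def report(log_text):
    """One line per (permission, command), with the boolean that would allow it."""
    lines = []
    for perm, comms in sorted(exec_memory_denials(log_text).items()):
        for comm, n in sorted(comms.items()):
            lines.append(f"{perm}: {comm} x{n} (boolean: {BOOLEAN_FOR[perm]})")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

On a real system the same functions can be fed the contents of the audit log instead of `SAMPLE_LOG`.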