From: Bruno H. <br...@cl...> - 2017-06-03 13:28:19
Hi Don,

> Just looking at
> getsebool -a | grep selinuxuser
> I see
> selinuxuser_execheap --> off
> which is what causes the AVC denial in configuring ffcall.
> (I verified that by turning it on and redoing config.)
>
> This is described as follows at
> https://mgrepl.fedorapeople.org/man_selinux/Fedora18/user.html
>
> If you want to allow unconfined executables to make their heap memory
> executable. Doing this is a really bad idea. Probably indicates a
> badly coded executable, but could indicate an attack. This executable
> should be reported in bugzilla, you must turn on the
> selinuxuser_execheap boolean.
> setsebool -P selinuxuser_execheap 1
>
> However, getsebool also shows
> selinuxuser_execstack --> on
>
> If you want to allow unconfined executables to make their stack
> executable. This should never, ever be necessary. Probably indicates
> a badly coded executable, but could indicate an attack. This
> executable should be reported in bugzilla, you must turn on the
> selinuxuser_execstack boolean.
> setsebool -P selinuxuser_execstack 1

Thanks for these pointers. I installed a RHEL 6 VM, then looked at how these flags influence the libffcall configure tests, and modified libffcall to bypass these configure tests in case of SELinux. Since the results are dependent on flags that can change at runtime, the code better assumes the worst possible result.

Bruno
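A runtime probe of the two policy decisions discussed in this thread, added here as an illustration and not code from libffcall or from either poster: it tries to add PROT_EXEC to one page of the brk heap and one page of the current stack (the operations SELinux accounts as execheap and execstack, governed by the selinuxuser_execheap and selinuxuser_execstack booleans), restores the original protection, and reports the errno instead of trusting a configure-time result. Function names are assumptions of this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Try to add PROT_EXEC to the page containing 'addr', then put it back to
 * read/write. Returns 0 if policy allowed it, otherwise the errno from
 * mprotect (EACCES when SELinux denies execheap or execstack). */
static int probe_exec(void *addr)
{
    size_t pagesize = (size_t)sysconf(_SC_PAGESIZE);
    uintptr_t page = (uintptr_t)addr & ~((uintptr_t)pagesize - 1);
    if (mprotect((void *)page, pagesize, PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
        return errno;
    /* Undo immediately: the probe only asks whether policy permits it. */
    (void)mprotect((void *)page, pagesize, PROT_READ | PROT_WRITE);
    return 0;
}

/* Heap: a small malloc() block normally lives in the brk heap, which SELinux
 * accounts as execheap (selinuxuser_execheap). */
int probe_exec_heap(void)
{
    size_t pagesize = (size_t)sysconf(_SC_PAGESIZE);
    char *block = malloc(2 * pagesize);
    if (block == NULL)
        return ENOMEM;
    /* The page holding block+pagesize lies entirely inside the block. */
    int rc = probe_exec(block + pagesize);
    free(block);
    return rc;
}

/* Stack: mprotect on a page of the running thread's stack is execstack
 * (selinuxuser_execstack). */
int probe_exec_stack(void)
{
    char marker = 0;
    return probe_exec(&marker);
}

int main(void)
{
    int heap = probe_exec_heap(), stack = probe_exec_stack();
    printf("exec heap : %s\n", heap ? strerror(heap) : "permitted");
    printf("exec stack: %s\n", stack ? strerror(stack) : "permitted");
    /* A passing probe holds only until someone runs setsebool, so code that
     * depends on it should be written for the denial case. */
    return (heap || stack) ? 1 : 0;
}
```

On a host without SELinux (or with both booleans on) both probes report "permitted"; with selinuxuser_execheap off the heap probe reports EACCES, matching the AVC denial seen during configure.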