Making Fedora a contributer friendly environment (Re: Selinux and package guidelines)

Karl MacMillan kmacmill at redhat.com
Wed May 9 14:18:46 UTC 2007


On Wed, 2007-05-09 at 15:55 +0200, Till Maas wrote:
> On Wed May 9 2007, Jakub Jelinek wrote:
> 
> > DT_TEXTREL shared libraries are (almost always) a packaging bug which
> > should be fixed, not worked around by setting SELinux contexts.
> > In most cases that just means compiling all the objects that are linked
> > into the shared library with -fpic resp. -fPIC (for very large shared
> > libraries).
> 
> In my case it is virtualbox, an x86 emulator. It uses code like that described
> in http://people.redhat.com/~drepper/selinux-mem.html so I guess it is not
> (only) the -fpic stuff.

It's not, and for applications like this you aren't likely to avoid
executing writable memory. You should set the context correctly to allow
executable memory (chcon -t unconfined_execmem_exec_t). Eventually we
should avoid hard-coding contexts in the rpms, but there is currently no
better solution.

> Btw. what are very large shared libraries? And
> should "-fpic" only be used when one encounters selinux problems?
> 

Preventing relocations is not just a "selinux problem" - it is a good
idea in general and prevents certain kinds of exploits.

Karl
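As an added example that is not part of this thread, here is a small Python check a packager can run over a build root to find shared objects that still carry text relocations (the DT_TEXTREL tag, or the DF_TEXTREL bit in DT_FLAGS, that the -fPIC advice above is meant to eliminate). The build_elf helper constructs a minimal ELF64 image purely for testing the parser; it is not a real library, and the scan only understands 64-bit little-endian files.

```python
import struct
from pathlib import Path

SHT_DYNAMIC = 6
DT_NULL, DT_TEXTREL, DT_FLAGS = 0, 22, 30
DF_TEXTREL = 0x4

def has_textrel(data: bytes) -> bool:
    """True if an ELF64 LE image carries DT_TEXTREL or DF_TEXTREL in DT_FLAGS."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only 64-bit little-endian ELF is handled here")
    shoff = struct.unpack_from("<Q", data, 0x28)[0]          # e_shoff
    shentsize, shnum = struct.unpack_from("<HH", data, 0x3a)  # e_shentsize, e_shnum
    for i in range(shnum):
        off = shoff + i * shentsize
        (sh_type,) = struct.unpack_from("<I", data, off + 4)
        if sh_type != SHT_DYNAMIC:
            continue
        sh_offset, sh_size = struct.unpack_from("<QQ", data, off + 0x18)
        for pos in range(sh_offset, sh_offset + sh_size, 16):   # Elf64_Dyn entries
            tag, val = struct.unpack_from("<qQ", data, pos)
            if tag == DT_NULL:
                break
            if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                return True
    return False

def scan_textrel(root: str) -> list:
    """Walk a build root and list the shared objects that still have text relocations."""
    bad = []
    for p in Path(root).rglob("*.so*"):
        if p.is_file():
            try:
                if has_textrel(p.read_bytes()):
                    bad.append(str(p))
            except ValueError:
                pass  # not an ELF64 LE file (symlink target, script, 32-bit object)
    return sorted(bad)

def build_elf(dyn_entries) -> bytes:
    """Constructed minimal ELF64 image: header, one .dynamic section, 2-entry section table."""
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_entries)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    dyn_off = 64
    shoff = dyn_off + len(dyn)
    ehdr = (b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
            + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 2, 0))
    null_sh = bytes(64)
    dyn_sh = struct.pack("<IIQQQQIIQQ", 0, SHT_DYNAMIC, 0, 0, dyn_off, len(dyn), 0, 0, 8, 16)
    return ehdr + dyn + null_sh + dyn_sh
```

On a real package, `scan_textrel("/path/to/buildroot")` returns the libraries whose objects should be rebuilt with -fPIC rather than relabelled.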
