execmem and targeted policy

dragoran dragoran at feuerpokemon.de
Fri Feb 11 11:20:51 UTC 2005

Colin Walters wrote:

>I noticed that as of a recent rawhide update that Eclipse stopped
>audit(1108057938.336:0): avc:  denied  { execmem } for  pid=14065 comm=eclipse scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=process
>
>Chatting with Dan, this is apparently because the execmem permission was
>dropped from unconfined_domain recently.
>
>We can't do this in targeted policy because it would require us to know
>about (and specially label) all such programs.  We could potentially
>label /usr/bin/eclipse as unconfined_execmem_t or whatever since we have
>Eclipse packages in Fedora.  However, I am almost positive the Sun JVM
>requires this permission too, and if we go this route, then every person
>who untars the Sun JVM and tries to run Java programs will run into this
>
>This is against the philosophy of the targeted policy in that it affects
>programs outside of the targeted daemon set.  My worry is that for every
>person (like me) who tracks down this problem and finds a workaround,
>there will be 999 others who disable SELinux entirely.  And that's bad,
>because we need it to be enabled by default so we can use it to confine
>the programs that really need it.
>
>(Dan says that textrel_shlib_t has a similar issue)
>
>One approach might be to have e.g. bin_t and bin_nonexecmem_t.  We label
>programs that we know work as bin_nonexecmem_t.
mysqld has the same issues even in FC3 when running 2.6.11-rc3.

