GCL
Daniel J Walsh
dwalsh at redhat.com
Mon Nov 24 15:43:10 UTC 2008
Jerry James wrote:
> On Mon, Nov 24, 2008 at 8:14 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>> Ok, is the GCL package available in Fedora? This probably should be
>> opened as a bugzilla. If gcl really needs execheap, we need to create a
>> new policy for it, since execmem_exec_t apps currently do not get this
>> and I really don't want to give them this. I guess I would like to hear
>> Ulrich Drepper chime in on this need.
>
> The GCL package has been in Fedora since 2005, but has not built
> successfully for months. I recently took over as maintainer and am
> trying to get it into a buildable state again. I've fixed the other
> problems; this seems to be the final blocker.
>
> If I make the saved images have type execmem_exec_t, then the build
> produces the "early" image successfully. When that image runs and
> tries to load up a bunch of Lisp files to produce the final image,
> SELinux kills it with an AVC denial that mentions execheap. I
> mentioned on fedora-devel-list that making the saved images have type
> java_exec_t produces a successful build. If you can tell me how to
> test with exactly execmem + execheap privileges, then I can make sure
> there is nothing else in the java_exec_t set that GCL needs.
> Otherwise, we may have to go through multiple iterations of "no wait,
> GCL needs one more permission".
>
> Do I need to audit the source code to discover the reason for the
> execheap need? I can guess; it's probably (eval form) that needs it,
> but I don't know that for sure.
>
> Say the word and I'll make a bugzilla entry for this. Thanks for your help.
Yes, please open a bugzilla.
We can make a duplicate policy for GCL to java, with execheap. But we
need to track this via bugzilla.
More information about the fedora-selinux-list
mailing list
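The thread worries about discovering GCL's required permissions one AVC denial at a time. As an added example (not part of the original message and not a Fedora tool), the sketch below groups AVC denials by source type, target type and class, so every permission seen during one permissive-mode build can be read off together. The log lines, the `saved_gcl` command name and the `unconfined_t` / `unconfined_execmem_t` domains are constructed samples and assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not taken from the thread); pids, comm and
# domain names are assumptions for illustration only.
SAMPLE_LOG = """\
type=AVC msg=audit(1227541390.101:41): avc:  denied  { execmem } for  pid=4211 comm="saved_gcl" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1227541390.105:42): avc:  denied  { execheap } for  pid=4211 comm="saved_gcl" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1227541390.105:42): arch=40000003 syscall=125 success=no exit=-13 comm="saved_gcl"
type=AVC msg=audit(1227541455.310:57): avc:  denied  { execheap } for  pid=4302 comm="saved_gcl" scontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0 tclass=process
type=AVC msg=audit(1227541460.020:58): avc:  denied  { execheap } for  pid=4310 comm="saved_gcl" scontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0 tclass=process
"""

# Matches the permission set plus source context, target context and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a security context: {context!r}")
    return parts[2]

def summarize_denials(log_text):
    """Map (source type, target type, class) to the set of denied permissions."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records and other non-AVC lines are skipped
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        needed[key].update(m["perms"].split())
    return dict(needed)

def as_allow_rules(needed):
    """Render the summary as allow-rule text for review, not for blind loading."""
    rules = []
    for (src, tgt, tclass), perms in sorted(needed.items()):
        target = "self" if src == tgt else tgt
        rules.append(f"allow {src} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules

if __name__ == "__main__":
    print("\n".join(as_allow_rules(summarize_denials(SAMPLE_LOG))))
```

The output is a review aid: each rule, `execheap` in particular, still needs a justification before it goes into a dedicated policy.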