[DSE-Dev] i386 PIE/allow_execmod in stretch emergency!
russell at coker.com.au
Wed Mar 8 04:20:07 UTC 2017
On Wed, 8 Mar 2017 03:14:51 PM Russell Coker wrote:
> There have been some recent binary NMUs for Stretch to support PIE on i386.
> One very important one is gzip. PIE on i386 needs execmod access and given
> the number of domains calling gzip and other programs that means
> allow_execmod is almost mandatory for i386.
> We need to have this happen by default. Which package should we modify to
> do a "setsebool -P allow_execmod 1" on i386?
Also that has to be i386 userspace NOT i386 kernel. I have some VMs running
i386 userspace with AMD64 kernel and I'm sure I'm not the only one.
For systems that use multi-arch I think it's reasonable to leave execmod off.
If you have AMD64 and i386 packages installed you will probably have the AMD64
version of gzip, most such systems will have only a small number of i386
packages installed and should be fine.
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
More information about the SELinux-devel