[DSE-Dev] i386 PIE/allow_execmod in stretch emergency!

Russell Coker russell at coker.com.au
Wed Mar 8 04:20:07 UTC 2017

On Wed, 8 Mar 2017 03:14:51 PM Russell Coker wrote:
> There have been some recent binary NMUs for Stretch to support PIE on i386.
> One very important one is gzip.  PIE on i386 needs execmod access and given
> the number of domains calling gzip and other programs that means
> allow_execmod is almost mandatory for i386.
> We need to have this happen by default.  Which package should we modify to
> do a "setsebool -P allow_execmod 1" on i386?

Also that has to be i386 userspace NOT i386 kernel.  I have some VMs running 
i386 userspace with AMD64 kernel and I'm sure I'm not the only one.

For systems that use multi-arch I think it's reasonable to leave execmod off.  
If you have AMD64 and i386 packages installed you will probably have the AMD64 
version of gzip, most such systems will have only a small number of i386 
packages installed and should be fine.

My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

More information about the SELinux-devel mailing list