[DSE-Dev] i386 PIE/allow_execmod in stretch emergency!
bigon at debian.org
Fri Mar 10 17:29:22 UTC 2017
On 08/03/17 at 05:14, Russell Coker wrote:
> There have been some recent binary NMUs for Stretch to support PIE on i386.
> One very important one is gzip. PIE on i386 needs execmod access and given
> the number of domains calling gzip and other programs that means allow_execmod
> is almost mandatory for i386.
> We need to have this happen by default. Which package should we modify to do
> a "setsebool -P allow_execmod 1" on i386?
Well, it's in the policy package where the boolean is defined (see the
gen_tunable() function, the 2nd parameter is the default).
I don't know if we want to have differences between the architectures.
Is this limited to a subset of libraries? Then maybe the lib could be
labeled as textrel_shlib_t?