[DSE-Dev] i386 PIE/allow_execmod in stretch emergency!

Laurent Bigonville bigon at debian.org
Fri Mar 10 17:29:22 UTC 2017


On 08/03/17 at 05:14, Russell Coker wrote:
> There have been some recent binary NMUs for Stretch to support PIE on i386.
> One very important one is gzip.  PIE on i386 needs execmod access and given
> the number of domains calling gzip and other programs that means allow_execmod
> is almost mandatory for i386.
>
> We need to have this happen by default.  Which package should we modify to do
> a "setsebool -P allow_execmod 1" on i386?
>
Well, it's in the policy package where the boolean is defined (see the 
gen_tunable() function; the 2nd parameter is the default).

I don't know if we want to have differences between the architectures.

Is this limited to a subset of libraries? Then maybe the lib could be 
labeled as textrel_shlib_t?


