Re: GCL

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jerry James wrote:
> Once upon a time on fedora-devel-list, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>> +/usr/bin/gcl                  --       gen_context(system_u:object_r:execmem_exec_t,s0)
>>
>>
>> Will be in selinux-policy-3.5.13-19.fc10
> 
> I've done some experimenting, and I think I need a couple of
> modifications to this.  First, it turns out that GCL needs both
> execmem and execheap permissions.  Do I need to create a gcl_exec_t
> type to combine those?
> 
> Second, /usr/bin/gcl is just a shell script.  It does an exec of
> /usr/lib/gcl-%{version}/unixport/saved_ansi_gcl, which is the saved
> Lisp image, along with appropriate command line options.  I don't
> expect permissions to persist across an exec (but tell me if I'm
> wrong), so I think I need the policy to mention the saved image
> instead of /usr/bin/gcl.  There are some problems associated with
> this:
> 
Ok, is the GCL package available in Fedora?  This probably should be
opened as a bugzilla.  If gcl really needs execheap, we need to create a
new policy for it, since execmem_exec_t apps currently do not get this
and I really don't want to give them this.  I guess I would like to hear
Ulrich Drepper chime in on this need.

> 1) The /usr/lib prefix is used on both 32-bit and 64-bit platforms,
> which is bad.  I'll see if I can get that fixed, but it appears to
> require some code changes (i.e., not just makefile changes).
> 
> 2) The GCL build process can produce multiple image files, with
> various combinations of options (such as profiling, ANSI vs. CLtL1
> support, a GUI, etc.).  Fedora has only ever shipped one image, but I
> can see an argument for producing a profiling version of the standard
> image and making /usr/bin/gcl choose between them based on command
> line arguments.  In any case, all of the image names start with
> "saved_".
> 
> The upshot of all this is that, to make the policy future-proof, I
> really need the execmem + execheap permissions for all files that
> match this pattern:
> 
> /usr/lib*/gcl-*/unixport/saved_*
> 
> Is that okay?  If so, how do I proceed?  Thanks for helping out an
> SELinux newbie.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkkqxOEACgkQrlYvE4MpobNPpwCeN96Zuin+Y8uNkq/Ge4baPSaq
hf8An2mUwKqFGTC98SHpiyqWeUNWOk30
=kRad
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux