Dear all,

I'm on Fedora release 37 and have two files with execstack flag set:

    $ readelf -a ./testx | grep -A1 STACK
      GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000
                     0x0000000000000000 0x0000000000000000  RWE    0x10

    $ readelf -a ./libtestx.so | grep -A1 STACK
      GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000
                     0x0000000000000000 0x0000000000000000  RWE    0x10

Protection is enabled:

    # getsebool selinuxuser_execstack
    selinuxuser_execstack --> off

Library is not loadable:

    $ enable -f ./libtestx.so x
    -bash: enable: cannot open shared object ./libtestx.so: ./libtestx.so: cannot enable executable stack as shared object requires: Permission denied

    type=AVC msg=audit(01/23/2024 15:44:26.837:637) : avc: denied { execstack } for pid=1685 comm=bash scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0

But the executable runs without restriction:

    $ ./testx
    This executable should be rejected as execstack

Is it wrong behaviour? I think that the needed LSM hook is not called from all the needed places in the kernel. I wrote a mail about this here:
https://www.spinics.net/lists/linux-security-module/msg56376.html

Usually kernel people pay attention to problems that really affect users. So if someone could confirm the problem - it would help to fix it.

Thank you for the attention.

Kind regards,
Dmitry Mastykin
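
An added example, not part of the original message: a small auditing check for the same condition the readelf output above shows, the E (PF_X) bit set on the PT_GNU_STACK program header. The function names and the constructed sample ELF bytes are assumptions of this example, and only little-endian ELF64 is handled.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551          # program header that carries stack permissions
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4   # the E, W and R columns printed by readelf

def gnu_stack_flags(data):
    """Return p_flags of the PT_GNU_STACK header, or None if the header is absent."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if len(data) < 64 or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled in this example")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 8 > len(data):
            raise ValueError("program header table is truncated")
        p_type, p_flags = struct.unpack_from("<II", data, off)
        if p_type == PT_GNU_STACK:
            return p_flags
    return None

def requests_execstack(data):
    """True only when PT_GNU_STACK is present with PF_X set (readelf shows RWE).
    An absent header is not counted here: the kernel default is then
    architecture-dependent, so report that case separately."""
    flags = gnu_stack_flags(data)
    return flags is not None and bool(flags & PF_X)

def make_sample_elf(stack_flags, p_type=PT_GNU_STACK):
    """Constructed sample: an ELF64 header followed by one program header."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", p_type, stack_flags, 0, 0, 0, 0, 0, 0x10)
    return ehdr + phdr

if __name__ == "__main__":
    # Usage: python3 this_file.py ./testx ./libtestx.so
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            flags = gnu_stack_flags(fh.read())
        state = ("no PT_GNU_STACK" if flags is None
                 else "execstack" if flags & PF_X else "non-exec stack")
        print(f"{path}: {state}")
```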