On Tue, 2008-06-10 at 10:23 -0700, Clarkson, Mike R (US SSA) wrote: > > > -----Original Message----- > > From: Stephen Smalley [mailto:sds@xxxxxxxxxxxxx] > > Sent: Tuesday, June 10, 2008 10:15 AM > > To: Clarkson, Mike R (US SSA) > > Cc: selinux@xxxxxxxxxxxxx > > Subject: Re: tracking down execstack & execmem violations > > > > > > On Tue, 2008-06-10 at 10:10 -0700, Clarkson, Mike R (US SSA) wrote: > > > I'm writing a policy for a very large legacy CORBA application, with > > > many separate processes. Without fail, every one of our processes > > > requires execstack & execmem privileges. I would like to track down > the > > > cause, but I really don't have any idea how. Does anybody have any > good > > > recommendations? > > > > > > I'd like to at least be able to determine whether the offending code > is > > > ours or some vender's (like our CORBA vender), and if it is ours I'd > > > like to track down the source. I'm betting there is a common source > > > causing the issue. > > > > Resources: > > http://people.redhat.com/drepper/selinux-mem.html > > http://people.redhat.com/drepper/nonselsec.pdf > > I'll look at these. Thanks! > > > > Also, what does execstack -q show for the executables in question? > > I wasn't aware of the execstack cmd. This alone will help a lot. Thanks > again. > > > And are these programs: > > - multi-threaded?, > > - Java-based? > > Mostly C++ but a few Java. Nearly all are multi-threaded. Java is known to require execmem for runtime code generation. There is a java_t domain that you can look at as an example. I think they allow it execstack too, although I'm not as clear as to why that is necessary, possibly for the thread stack allocation. Thread stacks may be allocated with PROT_EXEC if the executable is marked as requiring an executable stack or if it lacks the marking; execstack should tell you the story there. If we can't give execmem w/o giving execstack too, then execstack isn't useful as a separate permission. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
