On Tue, Jun 10, 2008 at 1:49 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> Java is known to require execmem for runtime code generation. There is
> a java_t domain that you can look at as an example. I think they allow
> it execstack too, although I'm not as clear as to why that is necessary,
> possibly for the thread stack allocation.
>
> Thread stacks may be allocated with PROT_EXEC if the executable is
> marked as requiring an executable stack or if it lacks the marking;
> execstack should tell you the story there.
>
> If we can't give execmem w/o giving execstack too, then execstack isn't
> useful as a separate permission.

As I recall, which is always a dangerous thing for me to do, execstack
needs execmem for multithreaded processes because the 'stack' of the
second thread is just 'memory' from the point of view of the permission
checks. execmem does not need execstack... Java probably actually uses
an executable stack, which is why it needs both...