On Mon, 12 Jul 2010, Eric Paris <eparis@xxxxxxxxxxxxxx> wrote:
> > I have some plans to make the JIT work without RWX, since ClamAV has 2
> > phases:
> > - load DB, JIT compile bytecode (should use only RW- mapping, but
> > currently needs RWX)
> > - execute (JIT compiled) bytecode (should change mapping to be R-X)
>
> Just so you know that is going to require the same permissions.
> (Hopefully) The only way to get around the SELinux permissions is to
> have 2 separate mappings. Basically in really really rough pseudo-code,

According to the comments the code will fall back to interpreting the data if
WRITE/EXEC is denied. Now given that freshclam doesn't do any serious work
with the data, is interpreting it going to cause any problem that we will
care about? If we are talking about 1 hour of CPU time vs 2 hours for JIT vs
interpreted for run-time stuff then it makes a difference, but if we are
talking about 1 second vs 2 seconds for freshclam then maybe there's not much
point.

-- 
russell@xxxxxxxxxxxx
http://etbe.coker.com.au/ My Main Blog
http://doc.coker.com.au/ My Documents Blog

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
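The "2 separate mappings" approach Eric refers to, as an added illustration that is not code from this thread, from ClamAV, or from the pseudo-code that was snipped above: the JIT output buffer is backed by a file descriptor (memfd_create here, with a temp-file fallback) and mapped twice, one view PROT_READ|PROT_WRITE for the compiler and one view PROT_READ|PROT_EXEC for execution. No mapping is ever RWX and mprotect() is never used to add PROT_EXEC to an anonymous writable page, which is what the execmem check is about. The region names, the tiny "add two ints" stub (x86-64 and aarch64 only), and the helper functions are all assumptions for the example, not ClamAV's JIT.

```c
/* Double-mapped JIT region (example code, not from ClamAV): the same pages
 * are mapped once RW (compiler writes here) and once RX (only this view is
 * ever called). Assumes Linux; falls back to an unlinked temp file where
 * SYS_memfd_create is not available. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/syscall.h>

#ifndef MFD_CLOEXEC
#define MFD_CLOEXEC 1U          /* value from linux/memfd.h */
#endif

typedef struct {
    int fd;
    size_t len;
    uint8_t *rw;                /* write view: PROT_READ|PROT_WRITE */
    uint8_t *rx;                /* exec view:  PROT_READ|PROT_EXEC  */
} jit_region;

/* Obtain an anonymous, shareable backing object for the code pages. */
static int jit_backing_fd(void)
{
#ifdef SYS_memfd_create
    return (int)syscall(SYS_memfd_create, "jit-example", MFD_CLOEXEC);
#else
    char path[] = "/tmp/jit-XXXXXX";          /* hypothetical fallback path */
    int fd = mkstemp(path);
    if (fd >= 0) unlink(path);
    return fd;
#endif
}

/* Map the same backing object twice with disjoint permissions. */
static int jit_region_open(jit_region *r, size_t len)
{
    memset(r, 0, sizeof *r);
    r->fd = jit_backing_fd();
    if (r->fd < 0 || ftruncate(r->fd, (off_t)len) != 0) return -1;
    r->len = len;
    r->rw = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, r->fd, 0);
    r->rx = mmap(NULL, len, PROT_READ | PROT_EXEC,  MAP_SHARED, r->fd, 0);
    return (r->rw == MAP_FAILED || r->rx == MAP_FAILED) ? -1 : 0;
}

static void jit_region_close(jit_region *r)
{
    if (r->rw && r->rw != MAP_FAILED) munmap(r->rw, r->len);
    if (r->rx && r->rx != MAP_FAILED) munmap(r->rx, r->len);
    if (r->fd >= 0) close(r->fd);
}

/* "Compile" a stand-in for JIT output: int add(int a, int b) { return a+b; }.
 * Returns the number of bytes emitted, 0 on an unsupported architecture. */
static size_t emit_add_ii(uint8_t *out)
{
#if defined(__x86_64__)
    static const uint8_t code[] = { 0x8d, 0x04, 0x37, 0xc3 };   /* lea eax,[rdi+rsi]; ret */
#elif defined(__aarch64__)
    static const uint8_t code[] = { 0x00, 0x00, 0x01, 0x0b,     /* add w0, w0, w1 */
                                    0xc0, 0x03, 0x5f, 0xd6 };   /* ret            */
#else
    (void)out;
    return 0;
#endif
#if defined(__x86_64__) || defined(__aarch64__)
    memcpy(out, code, sizeof code);
    return sizeof code;
#endif
}

/* Phase 1 writes through the RW view, phase 2 executes through the RX view.
 * Returns add(40, 2), i.e. 42, or -1 if the region could not be set up. */
int jit_double_map_demo(void)
{
    jit_region r;
    if (jit_region_open(&r, 4096) != 0) { jit_region_close(&r); return -1; }

    size_t n = emit_add_ii(r.rw);
    if (n == 0) { jit_region_close(&r); return -1; }

    /* Both views alias the same physical pages; make the new instructions
     * visible to the instruction fetch path (a no-op on x86, required on ARM). */
    __builtin___clear_cache((char *)r.rx, (char *)r.rx + n);

    int (*add)(int, int);
    void *entry = r.rx;                  /* never the RW view */
    memcpy(&add, &entry, sizeof add);
    int v = add(40, 2);

    jit_region_close(&r);
    return v;
}

int main(void)
{
    printf("jit add(40, 2) = %d\n", jit_double_map_demo());
    return 0;
}
```

The check to run alongside this is `grep rwx /proc/<pid>/maps` while the process is alive: with the two-view layout there should be no rwxp entry at all, whereas the "mprotect RW- to R-X on anonymous memory" plan in the quoted message still trips execmem because the same pages were writable earlier. Whether a given SELinux policy lets the domain execute a shared file mapping is a separate policy question; the double mapping only removes the need for a writable-and-executable page.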