Quoting Jan Stancek (jstancek@xxxxxxxxxx): > glibc can apply extra memory protection to certain areas > (data sections) when using partial or full RELRO, > marking them as read-only using mprotect. > > If perl (or some bin_t utility in general) is built with > RELRO, ptrace test fails to execute 'wait', because of lack > of read permissions on /usr/bin/perl. > > read_files_pattern or can_exec should suffice here, but > let's match other testcases and allow to execute all helper > programs in general. > > Signed-off-by: Jan Stancek <jstancek@xxxxxxxxxx> thanks, applied. > --- > policy/redhat/5/test_ptrace.te | 9 +++++++++ > policy/test_ptrace.te | 9 +++++++++ > 2 files changed, 18 insertions(+), 0 deletions(-) > > diff --git a/policy/redhat/5/test_ptrace.te b/policy/redhat/5/test_ptrace.te > index 50e96fe..b514312 100644 > --- a/policy/redhat/5/test_ptrace.te > +++ b/policy/redhat/5/test_ptrace.te > @@ -36,3 +36,12 @@ allow test_ptrace_traced_t test_ptrace_tracer_t:process sigchld; > # via a program in the test directory. > miscfiles_domain_entry_test_files(ptracedomain) > userdom_sysadm_entry_spec_domtrans_to(ptracedomain) > + > +# Allow execution of helper programs. > +corecmd_exec_bin(ptracedomain) > +domain_exec_all_entry_files(ptracedomain) > +files_exec_etc_files(ptracedomain) > +libs_use_ld_so(ptracedomain) > +libs_use_shared_libs(ptracedomain) > +libs_exec_ld_so(ptracedomain) > +libs_exec_lib_files(ptracedomain) > diff --git a/policy/test_ptrace.te b/policy/test_ptrace.te > index 41d474b..0ab9579 100644 > --- a/policy/test_ptrace.te > +++ b/policy/test_ptrace.te 
> @@ -39,3 +39,12 @@ allow test_ptrace_traced_t test_ptrace_tracer_t:process sigchld; > # via a program in the test directory. > miscfiles_domain_entry_test_files(ptracedomain) > userdom_sysadm_entry_spec_domtrans_to(ptracedomain) > + > +# Allow execution of helper programs. > +corecmd_exec_bin(ptracedomain) > +domain_exec_all_entry_files(ptracedomain) > +files_exec_etc_files(ptracedomain) > +libs_use_ld_so(ptracedomain) > +libs_use_shared_libs(ptracedomain) > +libs_exec_ld_so(ptracedomain) > +libs_exec_lib_files(ptracedomain) > -- > 1.7.1
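Review bot: In the policy/redhat/5/test_ptrace.te hunk, the seven interfaces added after userdom_sysadm_entry_spec_domtrans_to(ptracedomain) grant more than the failure described in the commit message requires. The message puts the failure down to missing read permission on /usr/bin/perl and says read_files_pattern or can_exec should suffice, so domain_exec_all_entry_files(ptracedomain) and files_exec_etc_files(ptracedomain) are present only to match other testcases. Either state that in the comment, or check whether the test passes with corecmd_exec_bin(ptracedomain) and the libs_* lines alone and drop the rest.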
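Review bot: In the policy/test_ptrace.te hunk, the comment "# Allow execution of helper programs." does not record why the block is needed. The commit message ties it to RELRO builds of perl and the read permission on /usr/bin/perl that the test needs to execute 'wait'; a line to that effect above corecmd_exec_bin(ptracedomain) would keep the reason in the policy source rather than only in the commit log. The identical block in policy/redhat/5/test_ptrace.te should get the same comment.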