-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Jerry James wrote:
On Mon, Nov 24, 2008 at 8:14 AM, Daniel J Walsh
<dwalsh(a)redhat.com> wrote:
> Ok, is the GCL package available in Fedora? This probably should be
> opened as a bugzilla. If gcl really needs execheap, we need to create a
> new policy for it, since execmem_exec_t apps currently do not get this
> and I really don't want to give them this. I guess I would like to hear
> Ulrich Drepper chime in on this need.
The GCL package has been in Fedora since 2005, but has not built
successfully for months. I recently took over as maintainer and am
trying to get it into a buildable state again. I've fixed the other
problems; this seems to be the final blocker.
If I make the saved images have type execmem_exec_t, then the build
produces the "early" image successfully. When that image runs and
tries to load up a bunch of Lisp files to produce the final image,
SELinux kills it with an AVC denial that mentions execheap. I
mentioned on fedora-devel-list that making the saved images have type
java_exec_t produces a successful build. If you can tell me how to
test with exactly execmem + execheap privileges, then I can make sure
there is nothing else in the java_exec_t set that GCL needs.
Otherwise, we may have to go through multiple iterations of "no wait,
GCL needs one more permission".
Do I need to audit the source code to discover the reason for the
execheap need? I can guess; it's probably (eval form) that needs it,
but I don't know that for sure.
Say the word and I'll make a bugzilla entry for this. Thanks for your help.
Yes, please open a bugzilla.
We can make a duplicate policy for GCL to java, with execheap. But we
need to track this via bugzilla.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora -
http://enigmail.mozdev.org
iEYEARECAAYFAkkqy44ACgkQrlYvE4MpobNJrQCfSR9kDnPc9i8mUy94mOZtJ+th
nTcAniypT1D+gpNMV3x8F8onG1wUKn66
=UnCw
-----END PGP SIGNATURE-----