Problem with SELinux

Daniel J Walsh dwalsh at redhat.com
Tue Nov 23 14:30:32 UTC 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/23/2010 09:28 AM, Paul Smith wrote:
> On Tue, Nov 23, 2010 at 2:22 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>>>> I am experiencing the following problem with SELinux on F14:
>>>>
>>>> Nov 23 12:49:33 localhost kernel: [ 4881.260409] type=1400
>>>> audit(1290516573.348:31748): avc:  denied  { execstack } for
>>>> pid=14597 comm="myprogram"
>>>> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>>> tclass=process
>>>>
>>>> How can I circumvent that?
>>>
>>> The application is trying to execute code on its stack - which usually
>>> means it is either buggy or being exploited.
>>>
>>> What is "myprogram" ?
>> Stop running bad programs.  :*
>>
>> If the app is written using a tool like java/mono or something like
>> this, it may be required.
>>
>> You have two choices you can either label it execmem_exec_t.
>>
>> # semanage fcontext -a -t execmem_exec_t PATHTOMYPROGRAM
>> # restorecon PATHTOMYPROGRAM
>>
>> Or you can turn the check off altogether by executing
>>
>> # setsebool -P allow_execstack 1
> 
> Thanks, Daniel. Let me add some more information:
> 
> /home/psmith/programs/myprogram: error while loading shared libraries:
> /home/psmith/gurobi400/linux64/lib/libgurobi.so.4.0.0: cannot enable
> executable stack as shared object requires: Permission denied
> 
> Paul
What does this show?

execstack -q /home/psmith/gurobi400/linux64/lib/libgurobi.so.4.0.0

If the output starts with an X, try to remove this.

execstack -c /home/psmith/gurobi400/linux64/lib/libgurobi.so.4.0.0

Does your app run now?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkzr0AgACgkQrlYvE4MpobNaiwCcD6covwOU5Rnr7yq2RBIxyxpK
/8YAoIl4OTf51XE463whz8WXFj2/Y40M
=ZVNe
-----END PGP SIGNATURE-----


More information about the users mailing list