
Re: Re: [GHC] #738: ghc can't load files with selinux Enforcing: msg#00005

lang.haskell.glasgow.bugs

Subject: Re: Re: [GHC] #738: ghc can't load files with selinux Enforcing

On 2006-04-04 at 10:03-0000 GHC wrote:
> #738: ghc can't load files with selinux Enforcing
> -----------------------------------------+----------------------------------
> Reporter: jon.fairbairn@xxxxxxxxxxxx | Owner:
> Type: bug | Status: new
> Priority: normal | Milestone:
> Component: Runtime System | Version: 6.4.1
> Severity: major | Resolution:
> Keywords: | Os: Linux
> Difficulty: Unknown | Architecture: x86_64 (amd64)
> -----------------------------------------+----------------------------------
> Changes (by simonmar):
>
> * component: Compiler => Runtime System
>
> Comment:
>
> Is this at all related to #703?

No idea.

> I have no idea what SELinux "enforcing" mode does.

It enforces the policies... I think permissive mode just
logs things, but enforcing mode actually stops them.


> It looks like SELinux doesn't like us using mprotect() to
> make dynamically-allocated memory executable. This is
> required for things like 'foreign import "wrapper"',
> because we have to generate dynamic code.

The audit log entry in Enforcing mode is this:

type=AVC msg=audit(1144148747.937:6073): avc: denied { execheap } for
pid=18253 comm="ghc-6.4.1" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process

whereas in Permissive mode I find this:

type=AVC msg=audit(1144148449.336:5974): avc: denied { execheap } for
pid=18056 comm="ghc-6.4.1" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process

ie the same, except that ghci loads the file OK.

> Can anyone shed any more light here?

Not much; I can't say I understand SELinux, but I think the
answer is probably in here:

http://people.redhat.com/drepper/selinux-mem.html

> It's possible we could mmap() instead, I suppose.

It looks like you have to do that, and even so will need to
take steps to avoid getting an execmem denial.

--
Jón Fairbairn Jon.Fairbairn at cl.cam.ac.uk
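
Added example, not part of the original message or of GHC: a small Python parser that rejoins AVC records wrapped by a mail client, as the two quoted above are, and reports denials of SELinux's memory-protection permissions such as execheap. The function names, the permission descriptions and the third sample record are assumptions made for illustration.

```python
import re

# Constructed sample: the two records quoted in the message, still wrapped as
# in the e-mail, plus one made-up non-memory denial for contrast.
SAMPLE = """\
type=AVC msg=audit(1144148747.937:6073): avc: denied { execheap } for
pid=18253 comm="ghc-6.4.1" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1144148449.336:5974): avc: denied { execheap } for
pid=18056 comm="ghc-6.4.1" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1144148500.000:5980): avc: denied { read } for
pid=18100 comm="example" scontext=user_u:system_r:unconfined_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

# Memory-protection permissions SELinux checks, with what each one gates.
MEMPROT = {
    "execheap": "heap made executable",
    "execmem": "anonymous or writable private mapping made executable",
    "execstack": "main stack made executable",
    "execmod": "modified private file mapping made executable",
}
HEAD = re.compile(r"type=AVC msg=audit\((\d+\.\d+):(\d+)\): avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def unwrap(text):
    """Rejoin records a mail client wrapped; each record starts at 'type='."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("type=") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def parse_avc(record):
    """Return the record's fields as a dict, or None if it is not an AVC denial."""
    m = HEAD.search(record)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(record[m.end():])}
    fields.update(time=float(m.group(1)), serial=int(m.group(2)), perms=m.group(3).split())
    return fields

def memprot_denials(text):
    """List (comm, pid, permission, meaning) for each memory-protection denial."""
    recs = filter(None, map(parse_avc, unwrap(text)))
    return [(r.get("comm"), r.get("pid"), p, MEMPROT[p])
            for r in recs for p in r["perms"] if p in MEMPROT]
```

Calling memprot_denials(SAMPLE) returns the two ghc-6.4.1 execheap denials and skips the read denial. Both records carry the same permission and contexts, which matches the observation above that the Enforcing and Permissive entries are the same.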

