Re: GCL

["Jerry James" <loganjerry gmail com>]

On Mon, Nov 24, 2008 at 8:14 AM, Daniel J Walsh <dwalsh redhat com> wrote:
> Ok, is the GCL package available in Fedora?  This probably should be
> opened as a bugzilla.  If gcl really needs execheap, we need to create a
> new policy for it, since execmem_exec_t apps currently do not get this
> and I really don't want to give them this.  I guess I would like to hear
> Ulrich Drepper chime in on this need.

The GCL package has been in Fedora since 2005, but has not built
successfully for months.  I recently took over as maintainer and am
trying to get it into a buildable state again.  I've fixed the other
problems; this seems to be the final blocker.

If I make the saved images have type execmem_exec_t, then the build
produces the "early" image successfully.  When that image runs and
tries to load up a bunch of Lisp files to produce the final image,
SELinux kills it with an AVC denial that mentions execheap.  I
mentioned on fedora-devel-list that making the saved images have type
java_exec_t produces a successful build.  If you can tell me how to
test with exactly execmem + execheap privileges, then I can make sure
there is nothing else in the java_exec_t set that GCL needs.
Otherwise, we may have to go through multiple iterations of "no wait,
GCL needs one more permission".

Do I need to audit the source code to discover the reason for the
execheap need?  I can guess; it's probably (eval form) that needs it,
but I don't know that for sure.

Say the word and I'll make a bugzilla entry for this.  Thanks for your help.
-- 
Jerry James
http://loganjerry.googlepages.com/