GCL
Daniel J Walsh
dwalsh at redhat.com
Mon Nov 24 15:14:41 UTC 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Jerry James wrote:
> Once upon a time on fedora-devel-list, Daniel J Walsh <dwalsh at redhat.com> wrote:
>> +/usr/bin/gcl -- gen_context(system_u:object_r:execmem_exec_t,s0)
>>
>>
>> Will be in selinux-policy-3.5.13-19.fc10
>
> I've done some experimenting, and I think I need a couple of
> modifications to this. First, it turns out that GCL needs both
> execmem and execheap permissions. Do I need to create a gcl_exec_t
> type to combine those?
>
> Second, /usr/bin/gcl is just a shell script. It does an exec of
> /usr/lib/gcl-%{version}/unixport/saved_ansi_gcl, which is the saved
> Lisp image, along with appropriate command line options. I don't
> expect permissions to persist across an exec (but tell me if I'm
> wrong), so I think I need the policy to mention the saved image
> instead of /usr/bin/gcl. There are some problems associated with
> this:
>
Ok, is the GCL package available in Fedora? This probably should be
opened as a bugzilla. If gcl really needs execheap, we need to create a
new policy for it, since execmem_exec_t apps currently do not get this
and I really don't want to give them this. I guess I would like to hear
Ulrich Drepper chime in on this need.
> 1) The /usr/lib prefix is used on both 32-bit and 64-bit platforms,
> which is bad. I'll see if I can get that fixed, but it appears to
> require some code changes (i.e., not just makefile changes).
>
> 2) The GCL build process can produce multiple image files, with
> various combinations of options (such as profiling, ANSI vs. CLtL1
> support, a GUI, etc.). Fedora has only ever shipped one image, but I
> can see an argument for producing a profiling version of the standard
> image and making /usr/bin/gcl choose between them based on command
> line arguments. In any case, all of the image names start with
> "saved_".
>
> The upshot of all this is that, to make the policy future-proof, I
> really need the execmem + execheap permissions for all files that
> match this pattern:
>
> /usr/lib*/gcl-*/unixport/saved_*
>
> Is that okay? If so, how do I proceed? Thanks for helping out an
> SELinux newbie.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkkqxOEACgkQrlYvE4MpobNPpwCeN96Zuin+Y8uNkq/Ge4baPSaq
hf8An2mUwKqFGTC98SHpiyqWeUNWOk30
=kRad
-----END PGP SIGNATURE-----
More information about the fedora-selinux-list
mailing list