SELinux execstack permission 

March 04, 2011 12:11:33    Last update: April 13, 2011 13:55:13
By default, SELinux denies the execstack permission. According to Ulrich Drepper:

"As the name suggests, this error is raised if a program tries to make its stack (or parts thereof) executable with an mprotect call. This should never, ever be necessary. Stack memory is not executable on most OSes these days and this won't change. Executable stack memory is one of the biggest security problems. An execstack error might in fact be most likely raised by malicious code."

You can check if a library/application requires execstack by using the execstack utility:
execstack -q PATHTOPROGRAM


You can try clearing the flag and see if the application still runs:
execstack -c PATHTOPROGRAM


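To allow execstack for cc1, build a local policy module from its logged denials with audit2allow and install it. audit2allow turns every denial that grep matches into an allow rule, so review the generated mypol.te before installing the module: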
# grep cc1 /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp