SELinux execstack permission 


March 04, 2011 12:11:33    Last update: April 13, 2011 13:55:13
By default, SELinux denies the execstack permission. According to Ulrich Drepper:

"As the name suggests, this error is raised if a program tries to make its stack (or parts thereof) executable with an mprotect call. This should never, ever be necessary. Stack memory is not executable on most OSes these days and this won't change. Executable stack memory is one of the biggest security problems. An execstack error might in fact be most likely raised by malicious code."

You can check if a library/application requires execstack by using the execstack utility:
execstack -q PATHTOPROGRAM

You can try clearing the flag to see if the application still runs:
execstack -c PATHTOPROGRAM

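To allow execstack for cc1, build a local policy module from its audit denials and load it. The grep matches every audit record mentioning cc1, not only execstack denials, so review the generated mypol.te before installing the module: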
# grep cc1 /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp