Le 08/03/17 à 05:14, Russell Coker a écrit :
There have been some recent binary NMUs for Stretch to support PIE on i386.
One very important one is gzip. PIE on i386 needs execmod access and given
the number of domains calling gzip and other programs that means allow_execmod
is almost mandatory for i386.
We need to have this happen by default. Which package should we modify to do
a "setsebool -P allow_execmod 1" on i386?
Well it's in the policy package where the boolean is defined (see the
gen_tunable() function, the 2nd parameter is the default)
I don' t know if we want to have differences in between the architectures.
Is this limited to as subset of libraries? Then maybe the lib could be
labeled as textrel_shlib_t ?
_______________________________________________
SELinux-devel mailing list
SELinux-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel
