libaesni-intel-samba4.so and execstack flag
Bjoern Baumbach
bb at sernet.de
Mon Oct 30 13:40:37 UTC 2017
Hi all,
I've detected a problem with the new libaesni-intel library. Running
Samba with aesni support, SELinux denies loading the libaesni-intel
library because of execstack permissions. It throws the following error
message:
cannot enable executable stack as shared object requires: Permission
denied"
SELinux logs something like:
avc: denied { execstack } for comm="smbd"
The execstack command tells me, that the execstack is set:
execstack -q ./bin/default/third_party/aesni-intel/libaesni-intel-samba4.so
X ./bin/default/third_party/aesni-intel/libaesni-intel-samba4.so
So I've linked the library again and set the noexecstack option
(ADDITIONAL_LDFLAGS="-z noexecstack" ./configure.developer
--accel-aes=intelaesni && make)
Afterwards the flag is not set anymore:
execstack -q ./bin/default/third_party/aesni-intel/libaesni-intel-samba4.so
- ./bin/default/third_party/aesni-intel/libaesni-intel-samba4.so
The smbd is still running fine with accelerated aes encryption.
I see this on my Gentoo with gcc version 4.9.4 and on a rhel7 test
system, using gcc-Version 4.8.2.
Best regards,
Björn
--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
More information about the samba-technical
mailing list