and execstack flag

Bjoern Baumbach bb at
Mon Oct 30 13:40:37 UTC 2017

Hi all,

I've detected a problem with the new libaesni-intel library. Running
Samba with aesni support, SELinux denies loading the libaesni-intel
library because of execstack permissions. It throws the following error:

  cannot enable executable stack as shared object requires: Permission

SELinux logs something like:

  avc:  denied  { execstack } for comm="smbd"

The execstack command tells me that the execstack is set:

  execstack -q ./bin/default/third_party/aesni-intel/
  X ./bin/default/third_party/aesni-intel/

So I've linked the library again and set the noexecstack option
(ADDITIONAL_LDFLAGS="-z noexecstack" ./configure.developer
--accel-aes=intelaesni && make).

Afterwards the flag is not set anymore:
  execstack -q ./bin/default/third_party/aesni-intel/
  - ./bin/default/third_party/aesni-intel/

The smbd is still running fine with accelerated aes encryption.

I see this on my Gentoo with gcc version 4.9.4 and on a rhel7 test
system, using gcc version 4.8.2.

Best regards,

SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen, mailto:kontakt at
