libaesni-intel-samba4.so and execstack flag

Bjoern Baumbach bb at sernet.de
Mon Oct 30 13:40:37 UTC 2017


Hi all,

I've detected a problem with the new libaesni-intel library. Running
Samba with aesni support, SELinux denies loading the libaesni-intel
library because of execstack permissions. It throws the following error
message:

  cannot enable executable stack as shared object requires: Permission denied

SELinux logs something like:

  avc:  denied  { execstack } for comm="smbd"

The execstack command tells me that the execstack is set:

execstack -q ./bin/default/third_party/aesni-intel/libaesni-intel-samba4.so
X ./bin/default/third_party/aesni-intel/libaesni-intel-samba4.so

So I've linked the library again and set the noexecstack option
(ADDITIONAL_LDFLAGS="-z noexecstack" ./configure.developer
--accel-aes=intelaesni && make)

Afterwards the flag is not set anymore:
execstack -q ./bin/default/third_party/aesni-intel/libaesni-intel-samba4.so
- ./bin/default/third_party/aesni-intel/libaesni-intel-samba4.so

The smbd is still running fine with accelerated aes encryption.

I see this on my Gentoo with gcc version 4.9.4 and on a rhel7 test
system, using gcc version 4.8.2.

Best regards,
Björn

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de