libaesni-intel-samba4.so and execstack flag
Jeremy Allison
jra at samba.org
Mon Oct 30 16:00:32 UTC 2017
On Mon, Oct 30, 2017 at 02:40:37PM +0100, Bjoern Baumbach via samba-technical wrote:
> Hi all,
>
> I've detected a problem with the new libaesni-intel library. Running
> Samba with aesni support, SELinux denies loading the libaesni-intel
> library because of execstack permissions. It throws the following error
> message:
>
> cannot enable executable stack as shared object requires: Permission
> denied"
>
> SELinux logs something like:
>
> avc: denied { execstack } for comm="smbd"
>
> The execstack command tells me that the execstack is set:
>
> execstack -q ./bin/default/third_party/aesni-intel/libaesni-intel-samba4.so
> X ./bin/default/third_party/aesni-intel/libaesni-intel-samba4.so
>
> So I've linked the library again and set the noexecstack option
> (ADDITIONAL_LDFLAGS="-z noexecstack" ./configure.developer
> --accel-aes=intelaesni && make)
>
> Afterwards the flag is not set anymore:
> execstack -q ./bin/default/third_party/aesni-intel/libaesni-intel-samba4.so
> - ./bin/default/third_party/aesni-intel/libaesni-intel-samba4.so
>
> The smbd is still running fine with accelerated aes encryption.
>
> I see this on my Gentoo with gcc version 4.9.4 and on a rhel7 test
> system, using gcc version 4.8.2.
Hmmm. Can you figure out how to add this to the wscript build
so we can add this as a patch?