libaesni-intel-samba4.so and execstack flag
Andrew Bartlett
abartlet at samba.org
Mon Oct 30 16:08:29 UTC 2017
On Mon, 2017-10-30 at 14:40 +0100, Bjoern Baumbach via samba-technical
wrote:
> Hi all,
>
> I've detected a problem with the new libaesni-intel library. Running
> Samba with aesni support, SELinux denies loading the libaesni-intel
> library because of execstack permissions. It throws the following error
> message:
>
> cannot enable executable stack as shared object requires: Permission
> denied"
>
> SELinux logs something like:
>
> avc: denied { execstack } for comm="smbd"
>
> The execstack command tells me, that the execstack is set:
>
> execstack -q ./bin/default/third_party/aesni-intel/libaesni-intel-samba4.so
> X ./bin/default/third_party/aesni-intel/libaesni-intel-samba4.so
>
> So I've linked the library again and set the noexecstack option
> (ADDITIONAL_LDFLAGS="-z noexecstack" ./configure.developer
> --accel-aes=intelaesni && make)
>
> Afterwards the flag is not set anymore:
> execstack -q ./bin/default/third_party/aesni-intel/libaesni-intel-samba4.so
> - ./bin/default/third_party/aesni-intel/libaesni-intel-samba4.so
>
> The smbd is still running fine with accelerated aes encryption.
>
> I see this on my Gentoo with gcc version 4.9.4 and on a rhel7 test
> system, using gcc-Version 4.8.2.
Is this some auto-collected flag triggered by the use of assembler?
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba-technical
mailing list