[Haskell-cafe] GHC 6.6.1 and SELinux issues

Bryan O'Sullivan bos at serpentine.com
Wed Aug 29 11:41:12 EDT 2007


Alexander Vodomerov wrote:

> I've put GHC in unconfined_execmem_t and it started to work fine.  But
> the problem is not in GHC -- it is in programs compiled by GHC. They
> also require exec/write memory. Only root can grant unconfined_execmem
> privileges, so a simple user cannot run binaries compiled by GHC. How do
> you solve this problem?

Running "chcon -t unconfined_execmem_exec_t" as root will let you run 
the binaries, which you probably already knew.

The underlying problem is harder to fix: the default SELinux policy 
doesn't allow PROT_EXEC pages to be mapped with PROT_WRITE, for obvious 
reasons.  The solution is expensive in terms of address space and TLB 
entries: map the same pages twice, once only with PROT_EXEC, and once 
only with PROT_WRITE.

There's already a Trac ticket filed against this problem, but Simon 
Marlow marked it as closed because he couldn't test the code he wrote to 
try to fix it, and nobody stepped in to help out at the time: 
http://hackage.haskell.org/trac/ghc/ticket/738

	<b
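
Added example, not part of the original message and not GHC's code: the double mapping described above, sketched in C for Linux. It assumes a memfd (created with the raw memfd_create syscall) as the object backing both views, and it adds PROT_READ to each view; the machine-code bytes are a constructed sample for x86-64 and AArch64.

```c
/* Added example: one memory object, two views, never W and X together. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

#define CODE_SIZE 4096

/* Constructed sample payload: a function that returns 42. */
#if defined(__x86_64__)
static const uint8_t code[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 }; /* mov eax,42; ret */
#elif defined(__aarch64__)
static const uint32_t code[] = { 0x52800540, 0xd65f03c0 }; /* mov w0,#42; ret */
#else
#error "sample machine code is provided for x86-64 and AArch64 only"
#endif

/* Returns 42 on success, -1 if creating or mapping the object fails. */
int run_dual_mapped(void)
{
    int result = -1;
    /* Assumption: a memfd backs both views (raw syscall, no glibc wrapper needed). */
    int fd = (int)syscall(SYS_memfd_create, "dual-map-demo", 0);
    if (fd < 0) return -1;
    if (ftruncate(fd, CODE_SIZE) != 0) { close(fd); return -1; }

    /* Write view: read/write, never executable. */
    void *w = mmap(NULL, CODE_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    /* Exec view of the same pages: read/execute, never writable. */
    void *x = mmap(NULL, CODE_SIZE, PROT_READ | PROT_EXEC, MAP_SHARED, fd, 0);
    close(fd); /* the mappings keep the object alive */

    if (w != MAP_FAILED && x != MAP_FAILED) {
        memcpy(w, code, sizeof code);               /* store through the write view */
        __builtin___clear_cache((char *)x, (char *)x + sizeof code);
        result = ((int (*)(void))x)();              /* call through the exec view */
    }
    if (w != MAP_FAILED) munmap(w, CODE_SIZE);
    if (x != MAP_FAILED) munmap(x, CODE_SIZE);
    return result;
}

int main(void)
{
    printf("dual-mapped call returned %d\n", run_dual_mapped());
    return 0;
}
```

The two mmap calls consume twice the virtual address range for the same physical pages, which is the address-space and TLB cost the message mentions.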

