SELinux execstack permission
March 04, 2011 12:11:33 Last update: April 13, 2011 13:55:13
By default SELinux blocks execstack permission. According to Ulrich Drepper:
"As the name suggests, this error is raised if a program tries to make its stack (or parts thereof) executable with an mprotect call. This should never, ever be necessary. Stack memory is not executable on most OSes these days and this won't change. Executable stack memory is one of the biggest security problems. An execstack error might in fact be most likely raised by malicious code."
You can check if a library/application requires execstack by using the execstack utility:
execstack -q PATHTOPROGRAM
You can try to clean the flag and see if the application still runs:
execstack -c PATHTOPROGRAM
To allow execstack for cc1:
# grep cc1 /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp