On Mon, Oct 22, 2007 at 12:07:30PM +0200, Simon Vallet via RT wrote: > Hi, > > On 10/22/07, Andy Polyakov via RT <[EMAIL PROTECTED]> wrote: > > > > avc: denied { execmod } for pid=1875 comm="ntpdate" \ > > > path="/usr/lib/i686/cmov/libcrypto.so.0.9.8" dev=sda8 ino=325290 \ > > > scontext=system_u:system_r:initrc_t:s0 \ > > > tcontext=system_u:object_r:lib_t:s0 tclass=file > > > > How do you map this message to "still contain text relocations"? > > > Well, I don't have access to the box right now, but running > eu-findtextrel (http://people.redhat.com/drepper/textrelocs.html) > on the optimized .so files indicates that some object files contain > such relocations
On a Debian system, I see: objdump -p /usr/lib/i686/cmov/libcrypto.so.0.9.8 |grep TEXTREL TEXTREL 0x0 $ eu-findtextrel /usr/lib/i686/cmov/libcrypto.so.0.9.8 either the file containing the function '_init' or the file containing the function 'CRYPTO_num_locks' is not compiled with -fpic/-fPIC the file containing the function 'DES_encrypt3' is not compiled with -fpic/-fPICthe file containing the function 'DES_decrypt3' is not compiled with -fpic/-fPICthe file containing the function 'DES_ncbc_encrypt' is not compiled with -fpic/-fPIC the file containing the function 'DES_ede3_cbc_encrypt' is not compiled with -fpic/-fPIC the file containing the function 'AES_encrypt' is not compiled with -fpic/-fPIC the file containing the function 'AES_cbc_encrypt' is not compiled with -fpic/-fPIC the file containing the function 'AES_decrypt' is not compiled with -fpic/-fPIC the file containing the function 'AES_set_decrypt_key' is not compiled with -fpic/-fPIC the file containing the function 'BF_cbc_encrypt' is not compiled with -fpic/-fPIC $ eu-findtextrel /usr/lib/i686/cmov/libssl.so.0.9.8 eu-findtextrel: no text relocations reported in '/usr/lib/i686/cmov/libssl.so.0.9.8' All files were build using -fPIC and -Wa,--noexecstack The 486, 586 and 686 version all have the text relocations, the 386 (that doesn't use any assembler) doesn't have it. A full build log is available on: http://buildd.debian.org/fetch.cgi?pkg=openssl;ver=0.9.8g-1;arch=i386;stamp=1192885956 > > Looking at the build system, it seems the culprits are the following > > > files: > > > > > > crypto/x86cpuid-elf.s > > > crypto/des/dx86-elf.s > > > crypto/aes/ax86-elf.s > > > crypto/bf/bx86-elf.s > > > > Well, these .o files can contain relocations, but they get resolved and > > *disappear* when libcrypto.so is linked. If you want confirmation that > > they disappear run 'readelf -r libcrypto.so' and verify that no > > relocations are accounted to .text segment [you'd have to run 'readelf > > -e libcrypto.so' to find where .text is located]. Section Headers: [Nr] Name Type Addr Off Size ES Flg Lk Inf Al [...] [12] .text PROGBITS 00045a40 045a40 0ce574 00 AX 0 0 64 [13] .fini PROGBITS 00113fb4 113fb4 00001c 00 AX 0 0 4 So .text goes from 0x00045a40 to 0x00113fb3 Relocation section '.rel.dyn' at offset 0x29ca8 contains 9054 entries: Offset Info Type Sym.Value Sym. Name [...] 0006360c 000ce102 R_386_PC32 000626f0 DES_encrypt2 00063620 000ce102 R_386_PC32 000626f0 DES_encrypt2 00063634 000ce102 R_386_PC32 000626f0 DES_encrypt2 0006373c 000ce102 R_386_PC32 000626f0 DES_encrypt2 00063750 000ce102 R_386_PC32 000626f0 DES_encrypt2 00063764 000ce102 R_386_PC32 000626f0 DES_encrypt2 00063832 000cde02 R_386_PC32 000617c0 DES_encrypt1 0006389a 000cde02 R_386_PC32 000617c0 DES_encrypt1 000638cb 000cde02 R_386_PC32 000617c0 DES_encrypt1 00063917 000cde02 R_386_PC32 000617c0 DES_encrypt1 00063a1b 000ce302 R_386_PC32 00063580 DES_encrypt3 00063a83 000ce302 R_386_PC32 00063580 DES_encrypt3 00063abb 0009da02 R_386_PC32 000636b0 DES_decrypt3 00063b07 0009da02 R_386_PC32 000636b0 DES_decrypt3 00068973 000a8902 R_386_PC32 00067ec0 _x86_AES_encrypt 000696a6 000a8902 R_386_PC32 00067ec0 _x86_AES_encrypt 00069557 00021902 R_386_PC32 00068990 _x86_AES_decrypt 00069854 00021902 R_386_PC32 00068990 _x86_AES_decrypt 00069903 00021902 R_386_PC32 00068990 _x86_AES_decrypt 00069c7b 00090102 R_386_PC32 000699b0 AES_set_encrypt_key 0006be95 00018402 R_386_PC32 0006b600 BF_encrypt 0006bf05 00018402 R_386_PC32 0006b600 BF_encrypt 0006bf3f 000c3e02 R_386_PC32 0006ba20 BF_decrypt 0006bf93 000c3e02 R_386_PC32 0006ba20 BF_decrypt There is also an: 0003ed81 00057d02 R_386_PC32 00045d40 OPENSSL_cpuid_setup Which is in section .init Kurt ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]