Hi,

On 10/22/07, Andy Polyakov via RT <[EMAIL PROTECTED]> wrote:
> > avc: denied { execmod } for pid=1875 comm="ntpdate" \
> > path="/usr/lib/i686/cmov/libcrypto.so.0.9.8" dev=sda8 ino=325290 \
> > scontext=system_u:system_r:initrc_t:s0 \
> > tcontext=system_u:object_r:lib_t:s0 tclass=file
>
> How do you map this message to "still contain text relocations"?

Well, I don't have access to the box right now, but running
eu-findtextrel (http://people.redhat.com/drepper/textrelocs.html)
on the optimized .so files indicates that some object files contain
such relocations.

> > Looking at the build system, it seems the culprits are the following
> > files:
> >
> > crypto/x86cpuid-elf.s
> > crypto/des/dx86-elf.s
> > crypto/aes/ax86-elf.s
> > crypto/bf/bx86-elf.s
>
> Well, these .o files can contain relocations, but they get resolved and
> *disappear* when libcrypto.so is linked. If you want confirmation that
> they disappear run 'readelf -r libcrypto.so' and verify that no
> relocations are accounted to .text segment [you'd have to run 'readelf
> -e libcrypto.so' to find where .text is located].
>
> The problem is more likely to be that OpenSSL assembler modules don't
> have special comment that marks stack segment non-executable. It's
> tricky to figure out when this is allowed, so if so required we
> recommend to configure with -Wa,--noexecstack option instead.
>
> A.

As mentioned, I don't have access to the box or the build log right
now, but I think -Wa,--noexecstack was indeed specified in configure,
and I think the generated .so do in fact contain text relocs. I will
check this manually (readelf -r) tonight and post the relevant info.

Simon
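
Both properties argued over in this message can be read from the linked library's ELF program headers. The sketch below is an added example, not code from OpenSSL or from either poster: it reports whether the dynamic section carries DT_TEXTREL (or DF_TEXTREL in DT_FLAGS), which the linker sets when relocations against read-only segments survive linking, and how PT_GNU_STACK marks the stack. The names `inspect_elf` and `sample_elf32` are hypothetical, and the sample image is constructed.

```python
import struct

PT_DYNAMIC, PT_GNU_STACK, PF_X = 2, 0x6474E551, 0x1
DT_NULL, DT_TEXTREL, DT_FLAGS, DF_TEXTREL = 0, 22, 30, 0x4

def inspect_elf(data):
    """Return (has_textrel, stack); stack is 'exec', 'noexec' or 'unmarked'."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                       # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"        # EI_DATA: 1 = little-endian
    if is64:
        (phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:
        (phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x2A)
    textrel, stack = False, "unmarked"
    for i in range(phnum):
        base = phoff + i * phentsize
        if is64:   # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz
            p_type, p_flags, p_off, _, _, p_filesz = struct.unpack_from(end + "IIQQQQ", data, base)
        else:      # Elf32_Phdr: type, offset, vaddr, paddr, filesz, memsz, flags
            p_type, p_off, _, _, p_filesz, _, p_flags = struct.unpack_from(end + "7I", data, base)
        if p_type == PT_GNU_STACK:
            stack = "exec" if p_flags & PF_X else "noexec"
        elif p_type == PT_DYNAMIC:
            fmt = end + ("qQ" if is64 else "iI")   # (d_tag, d_val) pairs
            size = struct.calcsize(fmt)
            dyn = data[p_off:p_off + p_filesz]
            for tag, val in struct.iter_unpack(fmt, dyn[:len(dyn) // size * size]):
                if tag == DT_NULL:                 # end of the dynamic array
                    break
                if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                    textrel = True
    return textrel, stack

def sample_elf32(dyn_entries, stack_flags):
    """Constructed image: ELF32 LE header, PT_DYNAMIC + PT_GNU_STACK, dynamic array."""
    dyn = b"".join(struct.pack("<iI", t, v) for t, v in dyn_entries)
    ehdr = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack(
        "<HHIIIIIHHHHHH", 3, 3, 1, 0, 52, 0, 0, 52, 32, 2, 0, 0, 0)
    ph_dyn = struct.pack("<8I", PT_DYNAMIC, 52 + 64, 0, 0, len(dyn), len(dyn), 6, 4)
    ph_stk = struct.pack("<8I", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 4)
    return ehdr + ph_dyn + ph_stk + dyn

if __name__ == "__main__":
    print(inspect_elf(sample_elf32([(DT_TEXTREL, 0), (DT_NULL, 0)], 7)))
    print(inspect_elf(sample_elf32([(DT_NULL, 0)], 6)))
```

For a real library, pass the file's bytes, e.g. `inspect_elf(open(path, "rb").read())`.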
